Mobile Forensics Fundamentals

Uploaded by Maithili

Types of evidence

1. Incoming, outgoing, and missed call history.
2. Phonebook or contact lists.
3. SMS text, application-based, and multimedia messaging content.
4. Pictures, videos, and audio files, and sometimes voicemail messages.
5. Internet browsing history, content, cookies, search history, and analytics information.
6. To-do lists, notes, calendar entries, ringtones.
7. Documents, spreadsheets, presentation files, and other user-created data.
8. Passwords, passcodes, swipe codes, user account credentials.
9. Historical geolocation data, cell-tower-related location data, Wi-Fi connection information.
10. User dictionary content.
11. Data from various installed apps.
12. System files, usage logs, error messages.
13. Deleted data from all of the above.
Rules to be followed in the digital forensics process

Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law.

1. Seizure

Two major risks concern this phase:
(i) Lock activation (by the user, the suspect, or an inadvertent third party), and
(ii) Network/cellular connection (a remote wipe or lock command, or simply incoming messages and sync traffic, can alter or destroy data on the handset).

Network isolation is always advisable, and it can be achieved through:
1) Airplane mode plus disabling Wi-Fi and hotspots, or
2) Cloning the device SIM card (a forensic SIM or access card that lets the handset boot with its SIM-dependent data intact without registering on the carrier network).
Airplane mode

Mobile devices are often seized switched on, because the purpose of their confiscation is to preserve evidence. The best way to transport them is to keep them turned on and to avoid a shutdown, which would inevitably alter files (and, on a modern encrypted handset, would return the device to a locked state from which far less data can be acquired).
Phone jammer / Faraday box or bag

A Faraday box/bag and an external power supply are common types of equipment for conducting mobile forensics. The former is a container specifically designed to isolate mobile devices from network communications and, at the same time, to help with the safe transportation of evidence to the laboratory; the latter is a power source embedded inside the Faraday box/bag so that the device does not run out of battery while isolated. A phone jammer achieves the same isolation by overpowering the radio channel, but operating one is unlawful in many jurisdictions, so a Faraday enclosure is the usual choice. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, hotspots, etc.), and activate flight mode to protect the integrity of the evidence.
Preservation

Once data is acquired, the data and the device need to be securely stored until they are needed for further investigation. Preservation is usually done in either physical or digital storage systems, or preferably in a smart management system that can integrate with evidence management systems.

Critical steps in preserving digital evidence:

1. Do not change the current state of the device:
If the device is OFF, it must be kept OFF, and if the device is ON, it must be kept ON. Call a forensics expert before doing anything.

2. Manage power deliberately:
If the device is not charged, do not charge it with unknown chargers or cables. If it is ON, keep it ON and connected to an external power supply inside the Faraday enclosure, because powering down a modern encrypted phone returns it to a locked, pre-first-unlock state and may trigger wiping or overwriting of data on the next boot. Power it down only if network isolation cannot be maintained and a remote wipe is a realistic risk, and document that decision.

3. Do not leave the device in an open area or unsecured place:
Ensure that the device is not left unattended in an open or unsecured area. Document where the device is, who has access to it, and when it is moved.

4. Do not plug any external storage media into the device:
Memory cards, USB thumb drives, or any other storage media that you might have should not be plugged into the device.

5. Do not copy anything to or from the device:
Copying anything to the device writes to its storage and can overwrite unallocated space and file slack where deleted data survives; copying from the device can update access timestamps and application logs.

6. Take pictures of the piece of evidence:
Photograph the evidence from all sides. If it is a mobile phone, capture pictures from all sides and of the screen state, so that any tampering before the forensic experts arrive can be detected.

7. Make sure you know the PIN/password/pattern of the device:
It is very important to know the login credentials of the device and to share them with the forensic experts so that they can carry out their job seamlessly.

8. Do not open anything like pictures, applications, or files on the device:
Opening any application, file, or picture on the device may cause data loss or memory being overwritten.

9. Do not trust anyone without forensics training:
Only a certified forensics expert should be allowed to investigate or view the files on the original device. Untrained persons may cause the deletion of data or the corruption of important information.

10. Make sure you do not shut down a computer; if required, hibernate it:
Digital evidence can be extracted from both the disk drives and the volatile memory. Hibernation writes the contents of RAM to disk (for example hiberfil.sys on Windows), so that image of memory is preserved until the next system boot, whereas a shutdown discards it.
Methods to preserve digital evidence

Drive imaging

Before forensic investigators begin analyzing evidence from a source, they need to create an image of the evidence. Imaging a drive is a forensic process in which an analyst creates a bit-by-bit duplicate of the drive. When analyzing an image, forensic experts need to keep in mind the following points:

Even drives that have been formatted or partially wiped can retain important and recoverable data.

Deleted files can often be recovered with forensic techniques, as long as the blocks they occupied have not been overwritten.

Never perform forensic analysis on the original media. Always operate on the duplicate image.

A piece of hardware or software that helps establish the legal defensibility of a forensic image is a "write blocker", which prevents any write to the source media while the image is being created. Forensic investigators should use one to create the image for analysis.
Hashing

Hashing is an algorithm performed on data such as a file or message to produce a number called a hash (sometimes called a checksum).

The hash is used to verify that data has not been modified, tampered with, or corrupted. In other words, you can verify that the data has maintained its integrity.

A key point about a hash is that no matter how many times you execute the hashing algorithm against the data, the hash will always be the same if the data is the same.

Hashes are created at least twice so that they can be compared. As an example, imagine a software company is releasing a patch for an application that customers can download. They can calculate the hash of the patch and post both a link to the patch file and the hash on the company site. They might list it as:

Patch file: Patch_v2_3.zip
SHA-1 checksum: d4723ac6f72daea2c7793ac113863c5082644229
Hash values

When a forensic investigator creates an image of the evidence for analysis, the process generates cryptographic hash values (MD5, SHA-1, SHA-256, etc.) of the source and of the image. Hash values are critical because:

They are used to verify the authenticity and integrity of the image as an exact replica of the original media.

When admitting evidence in court, hash values are critical, as altering even a single bit of data will generate a completely different hash value.

When you perform any modification, such as creating a new file or editing an existing file, the file's hash value changes.

A hash value is not stored as file metadata and is not visible in a normal file explorer window; analysts compute it with the imaging software or a dedicated hashing tool, and record it alongside the other file metadata.

If the hash values of the image and the original evidence do not match, it may raise concerns in court that the evidence has been tampered with.
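The acquisition-and-verification workflow described in the last two sections, as an added example (this is illustrative code written for this page, not a tool from the slides or from any forensic product). The "device" is a constructed byte string written to a temporary file, and the image file name is hypothetical; a real acquisition reads from a write-blocked source with dedicated tooling. The example copies the source bit-for-bit, computes MD5, SHA-1 and SHA-256 in the same pass, verifies the image against the recorded acquisition hashes, and then flips a single bit in the image to show that verification fails and the digest changes completely.

```python
"""Added example: hashing a forensic image at acquisition time and verifying it later.

Illustrative code for this page only; not from the original slides.
Sample 'device' contents are constructed inline so the script runs offline.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; chunked so large images never load fully into RAM

# Algorithms the slides mention. MD5 and SHA-1 are still emitted by many tools
# for compatibility with older reports; SHA-256 is the value to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")


def _new_hashers(algorithms=ALGORITHMS):
    return {name: hashlib.new(name) for name in algorithms}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for in-memory data (used for known-answer checks)."""
    hashers = _new_hashers(algorithms)
    for h in hashers.values():
        h.update(data)
    return _digests(hashers)


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for the file at `path`, read in chunks."""
    hashers = _new_hashers(algorithms)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def acquire_image(source_path, image_path):
    """Copy `source_path` byte-for-byte to `image_path`, hashing the data as it is read.

    Returns the digests of the source as seen during acquisition; these are the
    values that would be recorded in the acquisition report.
    """
    hashers = _new_hashers()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def verify_image(source_path, image_path, acquisition_hashes):
    """True only if the source, the image, and the recorded acquisition hashes all agree."""
    return (hash_file(source_path) == acquisition_hashes
            and hash_file(image_path) == acquisition_hashes)


def flip_one_bit(path, offset):
    """Flip the lowest bit of the byte at `offset` (simulates a one-bit alteration)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0x01]))


def demo():
    """Run the workflow on constructed data and return the outcomes for checking."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.bin")        # stands in for the handset's flash
    image = os.path.join(workdir, "device.raw")         # hypothetical image file name
    # Constructed sample content: a file name, a run of zeros, a 'deleted' SMS
    # fragment still present in unallocated space, and erased flash (0xFF).
    with open(source, "wb") as f:
        f.write(b"contacts.db\x00" + b"\x00" * 4096
                + b"[deleted SMS fragment]" + b"\xff" * 1024)

    acquired = acquire_image(source, image)
    before = verify_image(source, image, acquired)      # expected True
    flip_one_bit(image, offset=4100)                    # tamper with one bit of the copy
    after = verify_image(source, image, acquired)       # expected False
    tampered = hash_file(image)
    return {
        "verified_before_tamper": before,
        "verified_after_tamper": after,
        "sha256_changed": tampered["sha256"] != acquired["sha256"],
        "hex_lengths": {name: len(acquired[name]) for name in ALGORITHMS},
    }


if __name__ == "__main__":
    print(demo())
```

Hashing in the same pass as the copy matters: the source is read exactly once, so the recorded hash is of the bytes that actually went into the image, and a later mismatch points at the image or the source having changed rather than at a second read of a write-blocked drive. The hex lengths returned (32, 40 and 64 characters) are the 128-, 160- and 256-bit digest sizes discussed in the next section.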
Hashing algorithms

MD5

Message Digest 5 (MD5) is a common hashing algorithm that produces a 128-bit hash.

Hashes are commonly shown in hexadecimal format instead of a stream of 1s and 0s. For example, an MD5 hash is displayed as 32 hexadecimal characters instead of 128 bits.

Hexadecimal characters each represent 4 bits and use the numbers 0 through 9 and the characters a through f.

SHA

Secure Hash Algorithm (SHA) is another hashing algorithm. There are several variations of SHA grouped into four families: SHA-0, SHA-1, SHA-2, and SHA-3.

SHA-0 is not used.

SHA-1 is an updated version that creates 160-bit hashes. It is similar to MD5 except that it creates 160-bit hashes instead of 128-bit hashes.

SHA-2 improved on SHA-1 to overcome potential weaknesses. It includes four versions: SHA-256 creates 256-bit hashes and SHA-512 creates 512-bit hashes, while SHA-224 (224-bit hashes) and SHA-384 (384-bit hashes) are truncated variants of SHA-256 and SHA-512, respectively.

SHA-3 (previously known as Keccak) is an alternative to SHA-2. The U.S. National Security Agency (NSA) created SHA-1 and SHA-2. SHA-3 was created outside of the NSA and was selected in a non-NSA public competition. It can create hashes of the same sizes as SHA-2 (224, 256, 384, and 512 bits).

Practical caveat: MD5 and SHA-1 are both known to be vulnerable to collision attacks, so a new image should always be recorded with a SHA-2 digest (typically SHA-256); MD5 and SHA-1 values are still produced by many tools only for compatibility with older reports.
Daubert standard

The Daubert standard, named after the 1993 US Supreme Court case Daubert v. Merrell Dow Pharmaceuticals, Inc., states that when an expert testifies in the form of an opinion, the expert must be qualified to provide that opinion.

The expert must have sufficient background knowledge, training, and experience to provide meaningful testimony. They need to understand the subject matter and provide a valid basis for their opinion.

The Daubert standard for digital forensics requires reliable, relevant, and trustworthy evidence. For evidence to be reliable, it must be repeatable (the same method on the same image yields the same result, which is why hash-verified images and documented procedures matter). For evidence to be relevant, it must be material to the prosecuted case.

Locard's exchange principle

Consult the PDF file shared.