Basic Concepts in Mobile Device Forensics - Part 1
“Growth doesn't come from staying in your comfort zone. You can't improve and avoid change at the same time.” -John Maxwell
In this monthly newsletter, I’m going to share information from the MDFE training course so you can learn the basic concepts of mobile device forensics. This is not a certification course; it is knowledge and information sharing you can use to continue to grow in the digital forensics space. If you are just getting started and want to get certified, I highly encourage you to take a training course from a well-known vendor such as SANS, Magnet Forensics, or Cellebrite, to name a few.
I’ll also share new ideas and thought leadership on tools and techniques I use to conduct digital forensics, incident response, cyber threat intelligence research, malware analysis, threat hunting, and eDiscovery. My hope is this information will add value to you, encourage you to be curious, and never stop learning.
Background
I started my career in digital forensics in 2009 as a Computer Crime Investigator with the Air Force. I remember my first case like it was yesterday. I was handed an evidence bag containing an iPhone. The phone's screen had been smashed with a hammer and I was told, “A Marine's wife is dead, this is her phone. It is up to you to determine if it was a suicide or murder. The Marine's future is in your hands.”
I had been in the office for only a week, I had not yet attended the DoD Cyber Crime Investigations Training Academy, and I didn't even have a desk. We had to pull the conference room table into the office space so I could have a place to work. My first question: had anyone ever conducted forensics on an iPhone? Complete silence...
Mobile forensics was not new in 2009, but iPhone forensics was, and this was our first case. Thus, my journey into mobile device forensics began. It was a challenging and amazing journey. I learned about a researcher who was pioneering iPhone forensics, Jonathan Zdziarski (https://www.zdziarski.com/blog/?page_id=202), who graciously took my call and provided me with the LE-only iPhone forensics tools he had written at the time, along with two PDF manuals, iPhone Forensic Investigative Methods (iPhone 3G and iPhone 3G(s)) and iPhone Forensics Examiner's Edition, to get me started.
Then there was the next challenge. I didn’t know anything about Linux, and my next question was, “Does anyone have a Mac?” It just so happened there was a Mac Mini used to conduct research in the building. I dug in, and over the next several days I learned how to use a Mac, taught myself the basics of Linux, macOS, and iOS, and how to properly prepare the Mac Mini for a forensic examination. I learned about Python and how to use Jonathan's tools to extract forensic artifacts from an iPhone and analyze the data, all in a few weeks. One of the team members had an iPhone and let me use it for testing. I was prepared to collect the data from the evidence. Everything went surprisingly well. The data was extracted without any issues. The analysis of the data (text messages, emails, and other data) revealed a timeline of events leading up to the incident.
Fast forward to today. I’ve conducted thousands of examinations on phones, computers, and small media and I’ve been involved in many very exciting cases. In 2012, I started writing a Mobile Device Forensic Examiner Training (MDFE) course compiling all the information I had learned. When I retired from the Air Force in 2016, I completed the training manual and used it to train law enforcement officers around the country, certifying them in Mobile Forensics.
Lesson 1: Basic Concepts in Mobile Device Forensics
In this lesson, you will:
· Define forensics and identify the different stages of the forensics process.
· Understand basic activities conducted at the Preparation and Collection stages.
Lesson Introduction
Mobile device forensics refers to recovering digital evidence from a mobile device using forensic processes. Mobile device forensics is a sub-discipline of forensic science that falls under digital evidence. At the lowest level, digital evidence is nothing more than information stored or transmitted as binary data, zeros and ones, held as electrical charges or magnetic states on a medium. A computer application or program interprets this binary data and renders it as readable text, images, or other content. Like all forensic science disciplines, a documented process must be followed to ensure digital evidence is admissible in court proceedings. During this lesson, you will develop a better understanding of mobile device forensics, the different stages of the forensics process, and how cellular networks and their components work.
The Forensics Process
Forensics
Forensics, or forensic science, is the practice of applying scientific knowledge and techniques to solving crimes. Much of scientific crime scene investigation is based on Locard’s exchange principle, a concept developed by Dr. Edmond Locard (1877-1966), a forensic scientist who was widely regarded as the “Sherlock Holmes of France.”
Details about Locard can be found at https://www.crimemuseum.org/crime-library/edmond-locard/. Locard’s principle states that when any two objects come into contact, there is always a transfer of material from each object to the other. When an offender enters a scene, they bring something into the scene and take something with them from it. Both can be used as forensic evidence. Mobile devices are no exception to this principle. As a user interacts with a mobile device, digital artifacts are created: operating system logs, database rows, and property list entries record the user’s actions on the device. Information such as the date and time a file was created, modified, and last accessed can show when activities took place. This information associated with a file is recorded as metadata, which is defined as data about the data. These are a few examples of Locard’s exchange principle in action on mobile devices.
Mobile Forensics
Mobile forensics is the application of scientifically proven methods to collect, preserve, examine, analyze, and report digital evidence in order to provide a conclusive description of cyber activities on a mobile device. Mobile forensics is a subcategory of digital forensics, which is itself a branch of forensic science. There are many benefits as well as challenges in mobile forensics. Mobile devices are constantly updating and improving, making it almost impossible to establish a single method of acquiring and examining data from all types of mobile devices. Other challenges include widespread storage in the cloud, the ability to access data across multiple devices, and legal aspects, which are covered in detail in Lesson 2.
To effectively acquire and analyze these mobile devices, examiners will need to develop special skills and knowledge such as understanding how data is stored, how devices communicate with cellular networks, and the different types of technologies mobile devices use. Examiners must also be able to use a variety of forensic software tools and investigative methods in order to be successful in this field.
Stages of the Forensics Process
In general, digital forensics follows a set of procedures or guidelines to apply scientifically proven methods for examining digital evidence. Although there are many different ways to come to the same conclusion, the following stages outline a general forensic process for digital investigations:
1. Preparation
2. Collection
3. Examination
4. Analysis
5. Reporting
Let's take a closer look at each stage.
Stage 1: Preparation
Preparation is probably the most important stage of the forensics process. This stage is ongoing and includes items such as training, developing policies and procedures, and preparing forensic equipment and incident response kits for the collection stage. Before an incident occurs, organizations should identify employees with the necessary skills, experience, and training to handle incidents pertaining to mobile devices. If an employee does not already have the experience and background required, formal training will be needed as well as on-the-job training to obtain actual experience.
During the preparation stage, policies should be put in place that allow the corporation to legally obtain data from employee devices. This may include a bring-your-own-device policy that specifically states the devices used are subject to search and in order to use the device for corporate matters, the user must consent to the policy before using the device. Preparation is the key to successfully navigating the complex issues dealing with mobile devices. Preparation is also the foundation for all the remaining stages in the forensics process.
Properly preparing your environment and equipment is just as important as proper training, policies, and experience. Consider how much space is needed for forensic equipment. Evidence should be kept in a secured location, preferably in a vault or safe. Many corporations have dedicated rooms for a forensics lab to meet these requirements. Your forensic workstation and software must be licensed and correctly installed on sterilized media. Sterilized media is wiped using a wiping utility that overwrites any residual data that may be left on the disk from previous use; this includes media that comes directly from the manufacturer, and the wipe should be verified (for example, by confirming the media reads back as all zeros) rather than assumed. Once the software is installed, examiners need to test the equipment and software against a known data set to ensure the tools are working properly and reporting the data correctly. This step validates the tool's results before it is used on an examination and provides a solid foundation for presenting the findings from the examination in court.
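The two preparation checks described above, verifying that media is sterile and validating a tool against a known data set, can both be reduced to a few lines of code. The following is an added example written for this article, not code from the MDFE course or from any vendor tool: the "drive" is an in-memory byte buffer standing in for a block device, the known data set is constructed here, and its reference hashes are computed at set-up time (in a real lab they are recorded when the test media is built and kept with the validation records).

```python
"""Preparation-stage checks: sterile-media verification and tool validation.

Added example for this article. The drive contents and the known data set are
constructed in memory; nothing here touches real devices or vendor tools.
"""
import hashlib
import io

SECTOR = 512
CHUNK = 1024 * 1024  # read media in 1 MiB chunks


def first_nonzero_offset(stream, chunk_size=CHUNK):
    """Return the byte offset of the first non-zero byte in a stream, or None
    if the whole stream is zero-filled (what a completed zero-wipe looks like)."""
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        if chunk.count(0) != len(chunk):
            for i, b in enumerate(chunk):  # locate the exact byte in the chunk
                if b:
                    return offset + i
        offset += len(chunk)


# Constructed "known data set" the examiner planted on test media.
KNOWN_DATA_SET = {
    "notes.txt": b"meeting at 0900\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",
}
# Reference hashes; in practice these are recorded when the set is created.
KNOWN_HASHES = {name: hashlib.sha256(data).hexdigest()
                for name, data in KNOWN_DATA_SET.items()}


def validate_tool(extracted):
    """Compare a tool's extraction (name -> bytes) with the known data set.

    Returns (ok, discrepancies). Any discrepancy means the tool must not be used
    on evidence until the cause is understood and documented.
    """
    problems = []
    for name, expected in KNOWN_HASHES.items():
        if name not in extracted:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(extracted[name]).hexdigest() != expected:
            problems.append(f"hash mismatch: {name}")
    for name in extracted:
        if name not in KNOWN_HASHES:
            problems.append(f"unexpected: {name}")
    return (not problems, problems)


def demo():
    """Run both checks on constructed inputs and return the results."""
    # An 8-sector "drive" after a zero-wipe.
    wiped = io.BytesIO(b"\x00" * 8 * SECTOR)
    # The same drive as shipped by the manufacturer: a boot-signature remnant
    # (0x55 0xAA at offset 510) shows it is not sterile.
    shipped = bytearray(8 * SECTOR)
    shipped[510], shipped[511] = 0x55, 0xAA
    # A "tool" that truncated photo.jpg: validation must fail.
    truncating_tool = {"notes.txt": b"meeting at 0900\n",
                       "photo.jpg": b"\xff\xd8\xff\xe0"}
    return {
        "wiped_first_nonzero": first_nonzero_offset(wiped),
        "shipped_first_nonzero": first_nonzero_offset(io.BytesIO(bytes(shipped))),
        "good_tool": validate_tool(dict(KNOWN_DATA_SET)),
        "bad_tool": validate_tool(truncating_tool),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To check a real device, open the block device read-only (for example `open("/dev/sdX", "rb")` on Linux) and pass it to `first_nonzero_offset`; a non-None result is the offset to record in your notes as the reason the media was rejected or re-wiped.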
Stage 2: Collection
The collection stage involves identification, physical collection, preservation, and documentation of evidence. Security professionals, human resources professionals, and IT support professionals may be involved in the collection process. As an examiner, it is important to work with your CIO/CTO and legal department to establish a collection policy and procedures for all those who may be involved to follow. This ensures a defensible collection occurs for civil and criminal cases. Each person who might be involved in the collection process should be trained and certified to collect digital evidence. The collection stage has several sub-processes:
Identification
An important aspect of the identification process is determining where evidence might reside. Examiners need to identify what potential digital evidence may be present after an incident or criminal act occurs. Things to consider during a collection are:
· Digital Media Identification - What items of evidentiary value may be present? Identifying the make and model of the mobile device is important and will determine which forensic methods should be used in order to preserve the evidence and prevent the destruction of data.
· Legal Authority - Does the person who is collecting the digital evidence have the legal authority to conduct the search and seizure of the digital items? (Legal expectations are discussed in detail in Lesson 2.)
· Locations of Potential Evidence - Depending on the type of incident, determining the location of potential evidence may be challenging. Is the data stored on a mobile device? If so, was that device synced to a computer? Is the device backed up in the cloud? There may be additional storage media such as MicroSD cards inside the device. When an incident occurs, it is important to identify where potential evidence may reside within the network or on specific devices. It is the responsibility of the examiner, as well as of the person collecting the digital evidence, to identify additional locations where evidence may be stored and, in many cases, additional storage capabilities of the device.
Physical Collection
Physical collection involves seizing physical devices as evidence by following incident response procedures developed in the preparation stage. Following a standard operating procedure during the collection of mobile device evidence is key to evidence admissibility in court. At this stage, evidence may be collected from a crime scene or evidence may be physically handed to you in a lab setting. The movement of evidence from the time received until the time it is presented in court is documented in a chain of custody document. Use a chain of custody document to show positive control of the evidence. Chain of custody will be discussed further in Lesson 2. As the expert, your job is to ensure the collection process follows best practices and mitigates data loss.
Imaging
Preservation of the evidence must use forensically sound methods, meaning we must minimize changes to the original evidence. It is not practical for a mobile device to remain entirely unchanged during the collection process, because we must interact with the device in order to obtain the data from it. Forensic imaging is a forensically sound method of creating an exact duplicate of the original evidence in order to preserve the state of the evidence as collected. In the United States, this practice supports the requirements of the Federal Rules of Evidence: FRE 1001(d) treats any output that accurately reflects electronically stored information as an original, and FRE 901 requires the proponent to authenticate the evidence, that is, to show it is what it claims to be and has not been altered between collection and presentation in court. In practice that showing rests on cryptographic hash values computed at acquisition and re-verified later. A forensic image can be taken in two forms, logical or physical.
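The following is an added example illustrating the "exact duplicate, verified unchanged" requirement described above; it is not code from the article or from any forensic tool. It images a source byte for byte while hashing what it reads, then re-hashes the resulting image file to confirm it matches. An ordinary file stands in for the device; on a real acquisition the source would be a block device opened read-only behind a write blocker, and the tool's own log would record the same acquisition and verification hashes.

```python
"""Bit-for-bit imaging with acquisition and verification hashes.

Added example for this article. A temporary file stands in for the device.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB


def image_device(src_path, img_path):
    """Copy src to img byte for byte, hashing the bytes as they are read.

    Returns (bytes_copied, sha256_hex). The hash is the acquisition hash the
    examiner records in the notes at collection time.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return copied, digest.hexdigest()


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(img_path, acquisition_hash):
    """Verification hash: True only if the image still matches the acquisition hash."""
    return hash_file(img_path) == acquisition_hash


def demo():
    """Image a constructed 16 KiB 'device', verify, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.raw")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 64)  # constructed device contents
        size, acquisition_hash = image_device(device, image)
        verified = verify_image(image, acquisition_hash)
        # Simulate the image being altered after acquisition (e.g. mounted
        # read-write by mistake): a single byte at offset 1234 is zeroed.
        with open(image, "r+b") as f:
            f.seek(1234)
            f.write(b"\x00")
        verified_after_change = verify_image(image, acquisition_hash)
        return {
            "size": size,
            "source_matches": hash_file(device) == acquisition_hash,
            "verified": verified,
            "verified_after_change": verified_after_change,
        }


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is computed from the bytes read off the source, not from the image file afterward, so a matching verification hash proves two things at once: the copy is exact, and nothing has changed it since. Record both values, with the tool version and the time, in your notes.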
Logical Imaging
A logical image is a forensic copy of the active files and folders on the device, preserving the original state of the data and the metadata associated with it. Active data consists of the applications and files the user has permission to browse through interaction with the mobile device. Logical imaging can capture anything the user has permission to access; examples of logical images are an iTunes backup or an Android backup file.
The benefit of a logical image is the ability to perform a targeted collection of specific data on the device such as text messages, photos, and videos. A logical image allows the examiner to forensically extract only the data relevant to the investigation if desired. A logical image does not collect unallocated space and therefore will not enable the recovery of deleted items from the file system.
Physical Imaging
A physical image is a bit-by-bit copy of the device storage media. In terms of mobile device data storage, the forensic image is of the NAND flash memory chips on the device. A physical image is preferred over a logical image and can be obtained through several different methods and tools, such as software-based data dumps, JTAG, chip-off, ISP, and micro read methods. A physical image contains information from both the system areas and the data areas of the storage, including unallocated sectors. In some cases, deleted data can be salvaged from the unallocated sectors, depending on the operating system and the level of encryption: on modern devices that use file-based encryption, the raw NAND contents are ciphertext, so a physical image is of limited use without the decryption keys, and a decrypted file system extraction is usually the practical alternative.
The data from the bit-stream image is placed into a container file known as an image file. Image files have different file extensions depending on the software used to create the image such as, .e01, .000, .raw, .asb, .dmg and .zip to name a few.
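The practical difference between the two image types, that only a physical image can give back deleted items, is easiest to see on a small constructed image. The example below is added for this article and is not code from the course or from any forensic tool. It builds a 32 KiB raw image with a toy allocation table (standing in for real file system metadata) in which one JPEG has been "deleted" by dropping its table entry while its sectors remain untouched. The logical view returns only allocated files; signature carving over the whole image recovers the deleted JPEG as well, and reports which hits came from unallocated sectors.

```python
"""Logical view versus signature carving over a constructed raw image.

Added example for this article. The image, the allocation table and the
'deleted' file are all constructed here; the carver is a minimal JPEG
start-of-image / end-of-image scanner, not a production carving tool.
"""
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def build_image():
    """Return (image_bytes, allocation_table) for a 64-sector constructed image.

    allocation_table is a list of (name, start_sector, length_in_bytes). A
    deleted file has no table entry, but its bytes are still on the media.
    """
    img = bytearray(64 * SECTOR)
    table = []

    def place(name, sector, data, allocated=True):
        start = sector * SECTOR
        img[start:start + len(data)] = data
        if allocated:
            table.append((name, sector, len(data)))

    live_jpeg = JPEG_SOI + b"\xe0" + b"\x10" * 200 + JPEG_EOI
    deleted_jpeg = JPEG_SOI + b"\xe1" + b"\x20" * 300 + JPEG_EOI
    place("notes.txt", 8, b"meet at the pier 2100\n")
    place("IMG_0001.jpg", 12, live_jpeg)
    place("IMG_0002.jpg", 24, deleted_jpeg, allocated=False)  # deleted: entry gone, data remains
    return bytes(img), table


def logical_files(img, table):
    """What a logical image sees: only files the allocation table still points to."""
    return {name: img[s * SECTOR:s * SECTOR + n] for name, s, n in table}


def allocated_sectors(table):
    """Set of sector numbers covered by allocated files."""
    sectors = set()
    for _, start, length in table:
        sectors.update(range(start, start + (length + SECTOR - 1) // SECTOR))
    return sectors


def carve_jpegs(img, table):
    """Scan the whole image for JPEG SOI..EOI spans, as a carver would over a physical image.

    Each hit records its byte offset, whether its first sector is allocated,
    and the carved bytes. Hits in unallocated space are the deleted items a
    logical image cannot return.
    """
    allocated = allocated_sectors(table)
    hits = []
    pos = img.find(JPEG_SOI)
    while pos != -1:
        end = img.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break  # header without a trailer: truncated remnant, not carved here
        hits.append({
            "offset": pos,
            "allocated": (pos // SECTOR) in allocated,
            "data": img[pos:end + len(JPEG_EOI)],
        })
        pos = img.find(JPEG_SOI, end + len(JPEG_EOI))
    return hits


if __name__ == "__main__":
    image, alloc_table = build_image()
    print("logical view:", sorted(logical_files(image, alloc_table)))
    for hit in carve_jpegs(image, alloc_table):
        where = "allocated" if hit["allocated"] else "UNALLOCATED"
        print(f"carved JPEG at offset {hit['offset']} ({where}), {len(hit['data'])} bytes")
```

Real carvers validate the structure between the markers rather than trusting a trailer search, since a JPEG's compressed data can legitimately contain `FF D9`; the point here is only that the carved hit at sector 24 exists in the physical image and nowhere in the logical view. On a device with file-based encryption the unallocated area holds ciphertext, and this kind of signature scan finds nothing.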
To take a forensic image of a mobile device, the examiner will use vetted and tested tools and procedures, including vendor forensic software such as Magnet Acquire. These tools are discussed throughout this course.
When an image is not possible and the examiner has access to the device's contents, it is common practice to conduct the examination on the original device. This is known as the manual examination method and is typically used as a last resort. Taking this approach requires photographing each screen as you scroll through the device and all of its applications.
Note Taking at the Collection Stage
Accurate note-taking is a critical part of the collection stage. Taking copious notes is mandatory for the examiner during all phases of the collection stage. Each note should document your actions and include a date and time, actions taken, and the result of those actions. While at a crime scene, examiners need to take thorough notes to document the scene and their actions according to local policies developed by your organization. The same rules apply to examiners collecting phones while in a corporate environment or the lab. A good rule to follow is, “If it isn’t documented, it didn’t happen.” In the event you make a mistake, use a single line through the word(s) followed by your initials. Proper note-taking will include:
1. Name of the examiner
2. Location and known good local time
3. Initials, date, and number of pages (1 of 10)
4. Actions taken and results
How much detail should you provide? A third-party examiner should be able to take your notes and reproduce your results.
Legal Uses of Examiner’s Notes
All notes taken are considered discoverable evidence in court. Referring to your notes is permissible in court to refresh your memory if testifying, possibly years later. Make sure the notes align with all actions taken so that everything is consistent when the evidence is presented later in court. For example, installing an application on a mobile device is a common practice to extract data. Document the steps taken or the program used and the results of that action. Many of the forensic tools available will generate a log and provide the details necessary for the admissibility of the evidence in court. Any third-party investigator should be able to take your forensic image and notes and reproduce your results.
Collection Flowchart
The following flowchart in Figure 1.2 can be used to determine the best course of action to take when collecting a mobile device. This is a generic example; always follow your local policies and procedures when collecting mobile device evidence. If you don’t have local policies in place, create them and ensure all those who will collect mobile evidence are trained and follow the proper procedures. A search of the web can reveal very complex flow charts that may detail almost every situation. Refine your process and follow it for consistent incident response and collection.
Figure 1.2: Basic collection process
In the next article, we will continue this lesson and break down the Examination, Analysis, and Reporting stages of the forensics process for digital investigations.
Comments
Digital forensics expert. Creator of Belkasoft. (2 years ago): Physical images of modern mobile devices do not make sense due to the FBE in place. Apart from that, I believe the Magnet tool mentioned is not commercial (it is free) and, speaking of mobile acquisition, there are much better tools for this (e.g. by one Israeli company).
IT Expert Witness | Digital Forensics | Litigation Support | Incident Response | Electronic Discovery (eDiscovery) | IT Disputes | Internal Investigations | Data Preservation | Criminal Matters (2 years ago): Excellent (and interesting) article Rich