The Future of Mobile Forensics
Mayur Agnihotri
Board Member | Technologist | Visionary | Strategist | Cyber Security | SecOps | Deep Security
Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get past the passcode on new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices because of full-disk encryption, and physical acquisition of Apple hardware has been dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. BlackBerry devices were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we look at the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.
To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.
iOS Forensics
Since Apple uses full-disk encryption with passcode-dependent, hardware-based encryption, chip-off acquisition has not been a possibility for a long time. The following acquisition methods are available for Apple devices:
- Sending the device back to Apple. Generally available to government agencies and law enforcement. Only for iOS versions prior to iOS 8.
- Physical acquisition. A non-destructive acquisition method allowing one to obtain the full image of the device via the standard Apple cord.
- Logical (backup) acquisition. Deals with offline backup files produced by the device being analyzed.
- Over-the-air acquisition. Downloads information from the iCloud.
Let us briefly review the benefits, drawbacks and current trends for each acquisition method.
Sending to Apple
Sending devices for acquisition directly to Apple used to be a viable strategy, but not anymore. With the release of iOS 8, Apple explicitly states in their Privacy Policy that the new system is so secure that even Apple themselves cannot access information inside the device if the correct passcode is not known. Thus, modern devices running the latest version of iOS can only be acquired this way if the correct passcode is known. By June 2015, more than 80% of iOS devices were running iOS 8, so the chances of actually handling a device with an older version of iOS are becoming slim.
iOS Physical Acquisition
When it comes to physical acquisition, the technique only works for jailbroken 32-bit devices (both conditions must be met), or for 32-bit devices with a known passcode that the investigator can jailbreak. Compared to Android users, relatively few Apple users install a jailbreak. Since there is currently no jailbreak available for the latest version of iOS, and all new devices use 64-bit circuitry anyway, physical acquisition will only work in rare cases (with the exception of developing countries, where older 32-bit Apple hardware still occupies a major market niche).
iOS Logical Acquisition
If a passcode is known, or there is a way of finding it out, investigators can make the device produce an offline backup via iTunes. The backup can then be analyzed, but with some restrictions:
- Device secrets (items stored in the keychain) will only be available if the backup was password-protected (and will NOT be available in backups saved without a password). Somewhat counterintuitively, if you have a device that is configured to produce backups without password protection, setting a known backup password and entering that same password in the forensic tool will enable access to more information compared to analyzing non-protected backups.
- Cached items such as downloaded mail are not available in backups.
- If the device is configured to produce password-protected backups, changing that password is not possible if the password is not known. According to Apple, “If you forgot your [backup] password, the only way to turn off backup encryption on your device is to erase your device and set up as new. Erasing removes all data from your device.” (https://support.apple.com/en-gb/HT203790). In other words, resetting the password is not an option if you do not know it already, and backups protected with an unknown password must be broken into by using forensic tools without any timeframe or success guarantee.
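The three restrictions above can be checked before any parsing starts by reading the backup's Manifest.plist. The triage script below is an added example, not Belkasoft's or Apple's code; it assumes the standard Manifest.plist keys `IsEncrypted`, `Version` and `Lockdown` with a `ProductVersion` entry, and the sample plist it embeds is constructed.

```python
"""Triage an iTunes backup's Manifest.plist: is the backup encrypted,
which iOS version produced it, and what can the investigator expect?
Added example; key names are assumed to be the standard Manifest.plist keys."""
import plistlib
from pathlib import Path

# Constructed sample: an unencrypted backup of a device running iOS 8.4
SAMPLE_MANIFEST = plistlib.dumps({
    "IsEncrypted": False,
    "Version": "9.2",
    "Lockdown": {"ProductVersion": "8.4", "ProductType": "iPhone5,1",
                 "DeviceName": "constructed sample"},
})


def load_manifest(data: bytes) -> dict:
    """Parse Manifest.plist bytes (binary or XML plist)."""
    return plistlib.loads(data)


def triage(manifest: dict, password_known: bool) -> dict:
    """Map the manifest to the restrictions listed in the article."""
    encrypted = bool(manifest.get("IsEncrypted", False))
    ios_version = manifest.get("Lockdown", {}).get("ProductVersion", "unknown")
    major = int(ios_version.split(".")[0]) if ios_version[:1].isdigit() else 0
    result = {
        "ios_version": ios_version,
        "encrypted": encrypted,
        # keychain items are only present in password-protected backups
        "keychain_available": encrypted and password_known,
        # sending the device to Apple only helps for iOS versions before 8
        "apple_extraction_possible": 0 < major < 8,
    }
    if encrypted and not password_known:
        result["action"] = ("password unknown: it cannot be reset, so the backup "
                            "must be recovered with a forensic tool")
    elif encrypted:
        result["action"] = "parse with the known backup password; keychain recoverable"
    else:
        result["action"] = ("unencrypted: keychain absent; if device and passcode are "
                            "available, set a known backup password and back up again")
    return result


def triage_backup_dir(backup_dir: str, password_known: bool) -> dict:
    """Convenience wrapper for a real backup folder on disk."""
    data = Path(backup_dir, "Manifest.plist").read_bytes()
    return triage(load_manifest(data), password_known)


if __name__ == "__main__":
    print(triage(load_manifest(SAMPLE_MANIFEST), password_known=False))
```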
Apart from these restrictions, there is a great number of forensically important items that you can find inside an iTunes backup using forensic tools. Our tool of choice is Belkasoft Evidence Center. The picture below illustrates how the tool was able to extract over 8,000 instant-messenger related artifacts from a sample iTunes backup:
Over-the-Air Acquisition (iCloud)
Finally, there is a way to acquire the content of Apple devices by downloading backups from iCloud.
iCloud is a cloud service available to Apple customers. 5 GB of cloud storage is available free of charge, and up to 50 GB can be purchased for a fee.
Apple designed a very convenient system for backing up devices to the cloud. Backups are incremental and occur automatically every time the device is put on a charger while locked and connected to a known Wi-Fi network (all conditions must be met). Back in 2012, about 33% of Apple customers were using iCloud. While no recent statistics are available, it is reasonable to assume that iCloud usage has increased dramatically, with the majority of Apple customers backing up their information to the cloud.
Cloud backups contain all of the same information as offline backups produced via iTunes. iCloud backups can be retrieved with forensic software if the user’s Apple ID and password are known, or if a binary authentication token from the user’s computer is available. Information can also be obtained directly from Apple by law enforcement with a government request.
Android Forensics
The acquisition methods available for Android devices differ significantly from those for iOS:
- Sending the device to the manufacturer for data extraction. Generally available to government agencies and law enforcement for most domestic devices. May not be available for international models (e.g. no-name Chinese phones).
- Physical acquisition. A non-destructive acquisition method allowing one to obtain the full image of the device via a USB cord and forensic software.
- JTAG forensics. Retrieves information via the phone’s Test Access Port.
- Chip-off acquisition. Requires the removal of memory chips. Produces raw binary dumps.
- Over-the-air acquisition. Involves downloading information from Google Account.
Sending to Manufacturer
Sending the device to its manufacturer may be a viable acquisition strategy if the device cannot be acquired by other means. For example, Samsung, the number one seller of smartphone devices in the US, has an official policy of supporting information extraction when served with a government request.
Notably, this approach may not be available in the case of international devices (in particular, no-name and C-brand smartphones originating from China). On the other hand, most Chinese devices are not secured in any reasonable way, and can usually be acquired via physical acquisition.
Android Fragmentation
Android is a highly fragmented platform with several hundred manufacturers and many thousands of device models (source: https://opensignal.com/reports/2014/android-fragmentation/). In a report dated August 2014, OpenSignal states: “We have seen 18,769 distinct devices download our app in the past few months. In our report last year we saw 11,868”. According to the same report, “Samsung have a 43% share of the Android market”, as illustrated by the chart:
Reference: Forensic Focus