Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC.

Similar presentations

Presentation on theme: "Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC."— Presentation transcript:

1 Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC

2 Pencils Out Please! Find the evidence

3 Abstract – Mobile device forensic analysis is the current area in which the extraction, analysis and review of data collected from mobile devices is addressed. Current analysis trends include but are not limited to evidence collection, behaviour analysis and the detection of malware/ spyware on mobile devices. This presentation will provide clarity on forensic techniques and malware detection.

4 Problem Statement Mobile devices form part of the battlefield on Internet based crime. Mobile devices now form an integral part of society and manages how we interact with our community.

5 Nomophobia Nomophobia - Nomophobia is the fear of being out of mobile phone contact. 53% of users polled became anxious when their phones had no signal, low battery or was off. The average distance that polled users where during the day from their handset rarely exceeded 1.5m Source - wikipedia

6 Mobile Device Forensics Widely used since 2002 Effective court tested methodology Collection, extraction and analysis of data on mobile devices



9 Cell Phones – what is out there? GSM – 4 Operators - 41 million subscribers in South Africa (approx. 87% of the population) Worldwide: Approx 5 + Billion Subscribers (including 3G, WCDMA, HSPDA) source: GSM Network Operators: Vodacom (largest provider approx. 21 million subscribers) MTN – Mobile Telephone Networks Cell-C Telkom – 8.ta

10 Concept – Cellphone Forensics

11 Windows Apple Linux COMPUTER FORENSICS – Operating Systems

12 MOBILE – Operating Systems

13 What information can we expect in a mobile phone handset? Contacts Calls (dialled, missed, received) Text Messages Multimedia Messages Drafts Pictures, Audio and Video Images E-mail, Browser History, Tasks / Notes / Calendars Application Files Maps, GPS Locations visited Time & Dates

14 Extraction Methodologies Cable, Bluetooth (pairing) and IR Chip Off - volatile Recovery of logical data as well as deleted information Deleted data includes: – SMS – Call logs – Files – Systems Files

15 Data Cache WiFi connections, Internet Usage, Keyboard Cache and App Usage

16 WiFi Connections ApplicationNameLongitudeLatitudeTimeType Consolidated Database (Apple)Wi-Fi MAC=0:21:4:a0:b9:d818.84172952-34.11499512 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=94:44:52:f:77:1918.84171432-34.11498498 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:60:b3:a4:64:8718.84170436-34.11496382 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:19:cb:3c:b8:3c18.84180319-34.11501181 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:19:70:14:12:1418.84193527-34.11499309 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:4:ed:b9:33:1318.84194082-34.11468487 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=d8:5d:4c:b2:3:c818.84307813-34.11410129 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:4:ed:da:6f:a218.84195852-34.1134119 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:30:a:eb:2d:bf18.84289234-34.11367881 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:13:f7:3e:5a:6018.84248417-34.11320757 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi Consolidated Database (Apple)Wi-Fi MAC=0:60:b3:4f:34:3018.84235602-34.11301624 2011/09/01 06:51:58 PM UTC (Device)Wi-Fi

17 GPS Co-ordinates

18 Internet Usage Applicatio nWeb AddressPage Title Access CountAccessed Safari (Apple) 05:44:38 AM UTC (Device) Safari (Apple) 05:35:08 AM UTC (Device) Safari (Apple) gevaar-Wallis-20110904 Dié Bok spel gevaar – Wallis: Beeld: Sport: Rugby12011/09/06 06:05:17 AM UTC (Device) Safari (Apple) PDA Web Interface12011/09/06 05:25:51 PM UTC (Device) Safari (Apple) 06:07:54 AM UTC (Device) Safari (Apple) Web Interface12011/09/06 05:25:50 PM UTC (Device) Safari (Apple) 06:25:00 AM UTC (Device) Safari (Apple) beseer-in-kettingbotsing-op-N1-20110905 1 sterf, 2 erg beseer in kettingbotsing op N1: Beeld: Suid-Afrika: Nuus12011/09/06 05:57:46 AM UTC (Device) Safari (Apple) tot-in-ander-hoe-pos-20110905 Van geskors tot in ander hoë pos: Beeld: Suid-Afrika: Nuus12011/09/06 05:55:35 AM UTC (Device) Safari (Apple) Slim-nou-te-kry-20110905 Pil ‘soos Simply Slim’ nou te kry: Beeld: Suid-Afrika: Nuus12011/09/06 05:52:56 AM UTC (Device) Safari (Apple) 2013-20110904 Mugabe ‘sterf in 2013’: Beeld: Wêreld: Nuus12011/09/06 06:01:28 AM UTC (Device) Safari (Apple) 06:01:18 AM UTC (Device) Safari (Apple) ongeluk-Moord-klag-verander-20110905 Mandela-ongeluk: Moord-klag verander: Beeld: Suid-Afrika: Nuus12011/09/06 06:00:12 AM UTC (Device) Safari (Apple) info pages12011/09/06 05:26:16 PM UTC (Device) Safari (Apple) versuur-die-lewe-van-sakemanne-20110906 Bloedwater versuur die lewe van sakemanne: Beeld: Suid-Afrika: Nuus12011/09/07 05:39:32 AM UTC (Device)

19 Keyboard Cache Text Kiki systems com rex maxload maxcomm maraton myadsl mytv motogp ons ol julle jKpklkmkkiipllljkkllkkkkkkjn jjjbbbhgm kans kxhhmtu kll kkpkkklkjkj gegee gumtree gbvgggggvv za passcode qqxqq nsn nnmnnnbggvbbvvvrvvvxz bv beeld vbvbb absa Password

20 App Usage Application: com.iber4.dodgemcars Time: 2011/08/14 UTC (Device)Time: 2011/08/16 UTC (Device) Duration: 00:08:18Duration: 00:00:00 Access Count: 9Access Count: 8 Application: com.iber4.dodgemcarsApplication: Time: 2011/08/18 UTC (Device)Time: 2011/08/21 UTC (Device) Duration: 00:00:00Duration: 00:33:25 Access Count: 9Access Count: 8 Application: Time: 2011/08/15 UTC (Device) Duration: 00:50:08Duration: 01:07:05 Access Count: 9Access Count: 8 Application: com.RockingPocketGames.iFishingSEApplication: com.outfit7.talkingbirdipad Time: 2011/08/21 UTC (Device)Time: 2011/09/03 UTC (Device) Duration: 00:56:59Duration: 00:30:26 Access Count: 8Access Count: 7 Application: com.ea.candcra.incApplication: Time: 2011/08/13 UTC (Device)Time: 2011/08/28 UTC (Device) Duration: 00:17:33Duration: 00:19:27 Access Count: 8Access Count: 7 Application: Time: 2011/08/08 UTC (Device)Time: 2011/08/22 UTC (Device) Duration: 00:00:49Duration: 01:11:07 Access Count: 8Access Count: 7 Application: com.compumasterltd.poolrebel Time: 2011/08/25 UTC (Device) Duration: 00:34:07 Access Count: 7

21 Fun Fone Facts

22 Physical Recovery 8GB of useful data retrieved using “chip off” techniques

23 Concept – Malware/ Spyware

24 Mobile Device Vulnerabilities Mobile Phones have three vulnerabilities 1.Interception 2.Monitoring 3.Command and Control

25 Interception Network Off air (passive) Spyware

26 Monitor App usage Malware/ Spyware Collection

27 Command and Control Deploy as a BOT Escalate user privileges Premium service subscription

28 Malware – what we know Majority of malware deployments include social engineering Deployment on two levels Level I Physical deployment Level II Social engineering (phishing)

29 Deployment Physical Access – Flash disk – Link to web download – Override user privileges Social Engineering – Refer to web download (games, banking app) – Spoofed login to collect credentials


31 Malware – Designed to exploit security – Trigger data costs (premium SMS/ data services) – Accelerate user privileges – Phones act BOTS for malicious attacks – Allows for remote control of device

32 Spyware – Deployed to compromise user created information – Covert interception and monitoring – Collect communications and data – Collect credentials (two factor authentication) OTP Password Reset Info

33 Detection of Malware and Spyware Behaviour analysis of device Data usage tracking App identification and logging Deploy content management tools Enforce local security policies System file analysis

34 Challenges for infosec practitioners Mobile devices fall into the BYOD class – Behind firewall deployment of threats Mobile devices differ drastically – No single tool to manage and audit devices No single detection methodology – Multi platform approach to detection (expensive) Difficult to monitor (form part of a closed network) – Devices not part of local network No alert functionality on Mobile device – Apps installed as trusted

35 What we need to know Consult the experts

36 Defence Strategy Review user privileges Install only trusted apps Maintain physical security of device Review data usage No “rooting” or “jailbreaking”

37 Research - spyware Applications and software purchased File system analysed Deployed to several phones – Sony Ericsson – Samsung – Blackberry – Nokia

38 Spyware Tested/ Reviewed Killer Mobile – Tra v4.1 Eblaster Mobile edition MobileSpy IE Spy Bubble Cell-Tracker Pro

39 Observations Tools effective for capturing mainly text based data Slows device response to user prompts Battery drain extensive Visual triggers – Data usage – Device activity – BB Log

40 Concept Overview Cellphone and Mobile Devices are to be included as primary evidence sources Reliable evidence recovery from mobile devices Detection methodologies exist for spyware and malware deployments Accredited experts available locally

41 FAQ Is my phone bugged? How am I tracked by using my cellphone? Can I tell if my phone is bugged? Can you recover deleted messages and data from my phone? What is the safest phone in terms of defence against spyware?

42 Q & A Thank you Peter L. Fryer 0827749960

Download ppt "Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC."

Similar presentations

Ads by Google