Cell Phone Analysis
In a nutshell…
“Unfortunately, the reality is we don’t live on the set of CSI: Miami—and as anyone who has spent any time trying to acquire data from mobile devices knows, the general rule remains: you just never know what you will be confronted with next, and just how much data can be obtained.”
Source: “Chip-off and JTAG Analysis” by Bob Elder - http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=922
Cell Phone Forensics - Challenges
- A smartphone is never just a smartphone.
- Data protection: passwords and encryption.
- Prepaid “burner” phones – data port disconnected (Tracphone).
- There’s no app for that – millions of apps exist.
- Accurate data, forensic soundness – boot loader installed.
- Some smartphone extractions remain unsupported.
Source: “6 Persistent Challenges With Cell Phone Forensics” http://www.forensicmag.com/articles/2013/02/6-persistent-challenges-smartphone-forensics
Another Issue
Cell phone forensic software documentation is not always correct.
- It may say that it can do something – and it can’t.
- It may say that it can’t do something – and it can.
Cellebrite claims its software can interpret data from 225 different applications.
Can This Phone Do “X?”
To learn more about a phone’s capabilities use Phone Scoop – www.phonescoop.com
Here’s what I tell clients…
- What can be extracted depends on make, model and carrier.
- What can be extracted depends on the version of the operating system.
- “Can you recover ‘x’ from a cell phone?” My response – Maybe.
- Personally, I try to keep the cost low enough so it is worth a try.
Keys to Success
- When the phone is produced for analysis, it should be fully charged. If it is not fully charged, it can mean a delay in the analysis of the device.
- Know the make, model and carrier of the phone.
- Many phones create backups – these backups can be recovered from computers and possibly the “cloud”.
Marketing Name vs. Model Number
Marketing Name: Galaxy S4
Model Numbers: GT-I9505G, SGH-I337, SGH-M919, SCH-I545, SPH-L720, SCH-R970
Tools
- XRY
- Oxygen
- Lantern
- Cellebrite UFED4PC / Physical Analyzer
Types of Cell Phone Analysis
- Physical acquisition – analogous to a forensic copy of a computer hard drive.
- File System Extraction – captures the file system, analogous to copying the “C: drive” on your computer.
- Logical Extraction – artifact collection.
- Password Extraction – some phones.
- Chip-off and JTAG (Joint Test Action Group) – requires removing memory chip from phone.
Artifacts
Definitions
SMS – Short Message Service, the formal name for text messaging. It's a way to send short, text-only messages from one phone to another. These messages are usually sent over a cellular data network.
MMS – Multimedia Messaging Service, a standard way to send messages that include multimedia content to and from a mobile phone over a cellular network.
UTC – Coordinated Universal Time (UTC) is the basis for civil time today. This 24-hour time standard is kept using highly precise atomic clocks combined with the Earth's rotation. For Central Time – subtract 5 hours in the summer, and 6 hours in the winter.
Example: 23:25 (UTC+0) July 15, 2018 – 18:25 July 15, 2018 Central Time. Often represented as 23:25 (Z).
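The summer/winter rule above is easy to get wrong at the changeover dates, which is exactly where a timestamp on a message can end up an hour off. The following added example (not from the original slides) converts a UTC "Z" stamp to Central Time and decides the offset from the post-2007 US daylight saving rule rather than from the calendar month; the rule is hardcoded here as an assumption for the Central zone only.

```python
from datetime import datetime, timedelta

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month (weekday(): Monday=0 ... Sunday=6)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def central_is_dst(utc_naive):
    """US DST rule in force since 2007 (assumed here): begins second Sunday of March
    at 02:00 CST (= 08:00 UTC) and ends first Sunday of November at 02:00 CDT (= 07:00 UTC).
    Comparing in UTC avoids the ambiguous local hour at the autumn changeover."""
    start = nth_sunday(utc_naive.year, 3, 2) + timedelta(hours=8)
    end = nth_sunday(utc_naive.year, 11, 1) + timedelta(hours=7)
    return start <= utc_naive < end

def utc_to_central(stamp):
    """Convert 'YYYY-MM-DD HH:MM' or 'YYYY-MM-DD HH:MMZ' (Z = Zulu = UTC+0) to Central Time."""
    utc = datetime.strptime(stamp.rstrip("Z"), "%Y-%m-%d %H:%M")
    if central_is_dst(utc):
        offset, label = -5, "CDT"   # summer: subtract 5 hours
    else:
        offset, label = -6, "CST"   # winter: subtract 6 hours
    local = utc + timedelta(hours=offset)   # may roll the date back, e.g. 03:00Z on Jan 1
    return local.strftime("%Y-%m-%d %H:%M ") + label

if __name__ == "__main__":
    # The slide's own example plus the two 2018 changeover instants (constructed inputs)
    for s in ("2018-07-15 23:25Z", "2018-01-15 23:25Z",
              "2018-03-11 07:59Z", "2018-03-11 08:00Z",
              "2018-11-04 06:59Z", "2018-11-04 07:00Z"):
        print(s, "->", utc_to_central(s))
```

The two March stamps are one minute apart in UTC but land in different local hours, which is why a fixed "subtract 5 or 6" applied by month alone is not enough near the changeover.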
Examples of Recovered Artifacts
Keep in mind – what can be recovered depends on make, model and carrier.
These examples come from my personal iPhone 6 (File System Extraction).
Analyzed Data
Items in red show the number of deleted items recovered.
iMessage – iPhone to iPhone messages
Text Messages Between John Doe and Jane Doe
- On both phones
- Only on John Doe’s phone
- Only on Jane Doe’s phone
Won’t get body of email from an iPhone
This is where much of the application data resides. Tools can only carve out data from a small percentage of applications.
- Millions of applications
- Data is stored in sqlite databases
- Information can be extracted from these databases
- eBird App – used to track bird sightings
Sqlite file name: BirdsEyeSubmission.sqlite
Table: ZPERSONALLOCATION
Total rows: 579
Sqlite file name: expense.db
Table: expense
Total rows: 357
Web History
Anonymous Texting
- www.spoofmytextmessage.com
- www.smsgang.com
- www.sendanonymoussms.com
- www.seasms.com
- Plus a variety of phone apps
“Spoofing an SMS means that you basically send a text from a number that isn't your own - as in, when the person receives their fake SMS message, it will look like an entirely different sender has sent it. Think of all the fun a little text like, "I can't believe you got me pregnant!" could cause if you sent it to one of your friends.”
How Do You Catch the Culprit?
- Must have a suspect in mind
- Can review internet history on computer or phone
- Phone apps may store sent messages in a sqlite database
- Text Burner – example
https://support.google.com/websearch/answer/6302812?hl=en
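Both the application-data slides (BirdsEyeSubmission.sqlite, expense.db) and the point above that a texting app may keep its sent messages in a sqlite database come down to the same first step: open the extracted database read-only, list its tables with live row counts, and dump the table of interest. This added example (not from the original slides or any tool named in them) does that with Python's standard library; the in-memory sample database, its column names and the sent_messages table are constructed and hypothetical.

```python
import sqlite3

def open_readonly(path):
    """Open an extracted database read-only so the evidence copy is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def inventory(conn):
    """Return {table_name: live_row_count} for every user table in the database.
    COUNT(*) sees only live rows; deleted records still sitting in freelist or
    unallocated pages need a carving tool (the slides' 'items in red')."""
    names = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    return {name: conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            for name in names}

def dump_table(conn, table, limit=None):
    """Return (column_names, rows) for one table; limit caps the number of rows."""
    sql = f'SELECT * FROM "{table}"'
    if limit is not None:
        sql += f" LIMIT {int(limit)}"
    cur = conn.execute(sql)
    return [d[0] for d in cur.description], cur.fetchall()

def build_sample_db():
    """Constructed in-memory stand-in for an extracted app database.
    Column names and the sent_messages table are hypothetical, not from any real app."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPERSONALLOCATION (Z_PK INTEGER PRIMARY KEY, ZLAT REAL, ZLON REAL);
        INSERT INTO ZPERSONALLOCATION VALUES (1, 39.0997, -94.5786);
        INSERT INTO ZPERSONALLOCATION VALUES (2, 38.9717, -95.2353);
        CREATE TABLE sent_messages (id INTEGER PRIMARY KEY, spoofed_from TEXT,
                                    recipient TEXT, body TEXT, sent_utc TEXT);
        INSERT INTO sent_messages VALUES
            (1, '+15550000001', '+15550000002', 'constructed sample 1', '2018-07-15 23:25:00'),
            (2, '+15550000001', '+15550000003', 'constructed sample 2', '2018-07-16 01:10:00'),
            (3, '+15550000004', '+15550000002', 'constructed sample 3', '2018-07-16 02:45:00');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()          # for a real file: db = open_readonly("extracted.db")
    for table, count in inventory(db).items():
        print(f"Table: {table}  Total rows: {count}")
    cols, rows = dump_table(db, "sent_messages", limit=2)
    print(cols)
    for row in rows:
        print(row)
```

Timestamps in such tables are commonly stored in UTC, so the Central Time conversion from the Definitions slide applies before the rows are matched against a complainant's timeline.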
Computer Artifacts
Internet History and Internet Searches
Internet History
Google Searches
Questions? Contact info: john.mallery@malleryttc.com / 913.708.4199