Introduction to Handheld Digital Forensics Created by DM Kaputa Ph.D.


New Certificate Fall 2009
- Computer Security & Investigations/Digital Forensics
- Developed under the auspices of National Science Foundation/Advanced Technological Education Grant #
- Faculty members: Kaputa, Kuroski, Kowalski, Palombo & Gill

Some high-profile forensics cases
- These cases probably would not have been solved if not for the digital forensics investigations.

Police give J. Rodemeyer’s cell phone to RCFL

M. Jackson’s doc’s phone

What is Handheld forensics?
- Computer Forensics:
  - storage device requiring file system, device is “static”
  - larger storage capacity (although this is changing)
  - Forensic: bit stream imaging
- Handheld Forensics:
  - embedded systems, device is “active”
  - smaller on-board capacity (16 G)
  - Forensic: active memory imaging

Forensic Rules for PDA seizure
- Disconnect wireless connectivity
- Keep power
- Gather cables
- Unit is always changing (RAM is the main storage for files & apps): acquire in lab
- Fundamentals of forensic grade software
- PDA OS: WinCE, RIM (Blackberry), Palm OS, embedded Linux, Symbian

Forensic rules for cell phone seizure
1. Disconnect wireless communication
2. Keep power, or may need password
3. Gather cables & accessories
4. Acquire in lab
5. Use forensic grade software

HYBRIDS (combination of both, although most cell phones now are hybrids & beyond!!!!)
- Windows Pocket PC
- iPhone
- Google phone
- Linux
- Blackberry
- Most contain PDAs, GPS & camera, MP3 player

Quick Time Line
- 1960s: Bell Labs develops electronics for cell phone technology
- 1978: AMPS (Advanced Mobile Phone System) debuts, 1st commercial cellular network in Chicago
- 1988: Cellular Technology Industry Assoc. created
- 1991: TDMA; also first GSM phone in Finland
- 2001: Bell South leaves payphone business

Major Access Technologies for cell phones
- AMPS: Advanced Mobile Phone Service, 1G systems; FDMA, analog standard
- Frequency division multiple access
- DIGITAL CELLULAR NETWORKS
  - 1. TDMA: time division multiple access (digital link technology)
  - Different time slot for each channel (6 slots)
  - 2G SYSTEMS
  - 2. GSM: Global Systems Mobile, 1991 (replacing TDMA to 3G)

GSM continued
- Used TDMA air interface: 8 time slots
- Uses SIM card: removable thumb-sized card, identifies user to network & stores information
- 82% of the world’s phones, available in over 168 countries
- Next generation (UMTS, universal mobile) enhancing GSM with CDMA air interface
- AT&T service (Cingular, T-Mobile)

Other common cellular networks
- 3. Also the iDEN network, designed by Motorola
- 4. And a digital version of the original analog, called D-AMPS (Digital Advanced Mobile Phone Service)

CDMA developed about 1989 by Qualcomm
- Code Division Multiple Access
- Spread spectrum technology
- Spreads digitized data over the entire bandwidth
- 3G SYSTEM
- Always-on data access
- High data speeds
- Live streaming video
- Verizon & Sprint

4G SYSTEM
- 4G systems
- 100 Mbits while moving
- 1 G while still
- High quality audio/video

Intro to Cell Phone Forensics
- Very popular devices today; under GSM: SIM & mobile equipment (ME)
- CDMA phones (Verizon & Sprint) historically have no SIM, although RUIMs (removable user identity modules) are gaining in popularity

Introduction to SIM Card
- What is a SIM card?
- Subscriber Identity Module, which:
  - authenticates device to network
  - stores names and phone numbers
  - sends and receives text messages
  - stores network configuration info (IMSI)

SIM disadvantage
- Unless SIM card lock is enabled, someone can steal the SIM and rack up charges against you!!!

SIM Card continued
- Useful for quick transfer of numbers and info from one phone to another

SIM advantages
- Portability is the main advantage
- SIM can be swapped out to a new phone
- Stores contact info

What exactly is on SIM card?
- Simple phone book
- Last 10 outgoing numbers
- SMS messages (short message system), aka text messages
- IMSI

Paraben’s SIM Card Seizure
- Last 10 outgoing phone numbers…

Cell phone forensics…last 10 outgoing numbers

Components continued
- Outgoing SMS text messages

SMS outgoing text messages

Components continued IIncoming SMS text messages

Delivered (to you) text messages

Components continued
- IMSI: this is a network configuration number, the International Mobile Subscriber Identity
- OR
- IMEI number: International Mobile Equipment Identity
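Added example (not part of the original slides): how these two identifiers look when an examiner meets them in raw form. It decodes the IMSI from the bytes of the SIM's EF_IMSI file and checks an IMEI's Luhn check digit; the byte string and both numbers are constructed test values, and the default 2-digit MNC length is an assumption that depends on the network.

```python
def decode_ef_imsi(raw: bytes) -> str:
    """Decode the 9-byte EF_IMSI file read from a SIM into the IMSI digits."""
    length = raw[0]                       # number of meaningful bytes that follow
    body = raw[1:1 + length]
    nibbles = []
    for b in body:                        # two BCD digits per byte, low nibble first
        nibbles += [b & 0x0F, b >> 4]
    # The first nibble carries parity/identity type, not a digit; 0xF is padding.
    digits = [n for n in nibbles[1:] if n != 0xF]
    if any(n > 9 for n in digits):
        raise ValueError("non-decimal nibble in EF_IMSI")
    return "".join(map(str, digits))

def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC is always 3 digits; MNC is 2 or 3 digits (assumed 2 here)."""
    return {"mcc": imsi[:3],
            "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}

def imei_is_valid(imei: str) -> bool:
    """A 15-digit IMEI ends in a Luhn check digit over the first 14 digits."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Constructed test values (test-network IMSI, sample IMEI).
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")
SAMPLE_IMEI = "490154203237518"
```

The IMSI travels with the SIM and the IMEI with the handset, so a mismatch between the pair recorded by the network and the pair found at seizure shows that the SIM was moved between phones.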

Conclusions…forensically speaking
- Can track deleted SMS by analysis of unallocated space
- Be cognizant of what you send out in text messages!!!!
- They could come back to haunt you.
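Added example (not part of the original slides, and not the code of any tool named in them): a small scanner for a raw dump of the SIM's SMS file (EF_SMS), showing why a deleted text can still be read. It assumes the common behaviour where deleting a message only marks the 176-byte record as free and leaves the message bytes in place; the dump, phone numbers and text are constructed, and only received messages in 7-bit text are decoded.

```python
RECORD_LEN = 176  # one EF_SMS record: 1 status byte + 175 bytes (SMSC + TPDU)

def swap_bcd(b: bytes) -> str:
    """Swapped-nibble BCD: low nibble is the first digit, 0xF is padding."""
    return "".join(f"{x & 0x0F:X}{x >> 4:X}" for x in b).rstrip("F")

def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack packed GSM 7-bit text. Simplification: codes are read as ASCII,
    which is only right for letters, digits and space."""
    acc = int.from_bytes(data, "little")
    return "".join(chr((acc >> (7 * i)) & 0x7F) for i in range(septets))

def parse_deliver(body: bytes) -> dict:
    """Parse SMSC address + SMS-DELIVER TPDU carrying 7-bit text (DCS 0x00)."""
    p = 1 + body[0]                        # skip the service-centre address
    if (body[p] & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER")
    nbytes = (body[p + 1] + 1) // 2        # sender length is given in digits
    sender = swap_bcd(body[p + 3:p + 3 + nbytes])
    p += 3 + nbytes                        # p now points at the PID byte
    if body[p + 1] != 0x00:
        raise ValueError("not the 7-bit default alphabet")
    stamp = swap_bcd(body[p + 2:p + 8])    # YYMMDDhhmmss (timezone byte skipped)
    udl = body[p + 9]                      # text length in septets
    text = unpack_7bit(body[p + 10:p + 10 + (udl * 7 + 7) // 8], udl)
    return {"sender": sender, "timestamp": stamp, "text": text}

def scan_ef_sms(dump: bytes) -> list:
    """Walk every record and flag free slots that still hold message bytes."""
    found = []
    for slot, off in enumerate(range(0, len(dump) - RECORD_LEN + 1, RECORD_LEN), 1):
        status, body = dump[off], dump[off + 1:off + RECORD_LEN]
        free = (status & 0x01) == 0        # bit 0 clear: slot is marked free
        if free and all(b == 0xFF for b in body):
            continue                       # never used, or wiped on delete
        try:
            msg = parse_deliver(body)
        except (ValueError, IndexError):
            msg = None                     # SMS-SUBMIT, other encoding, damaged
        found.append({"slot": slot, "deleted": free, "msg": msg})
    return found

# Constructed sample: fictitious numbers, text "hellohello", three record slots.
PDU = bytes.fromhex("07915155550501F0040B915155550521F3000090015121030000"
                    "0AE8329BFD4697D9EC37")
DUMP = (b"\x01" + PDU.ljust(RECORD_LEN - 1, b"\xff")      # read message
        + b"\x00" + PDU.ljust(RECORD_LEN - 1, b"\xff")    # deleted, body intact
        + b"\x00" + b"\xff" * (RECORD_LEN - 1))           # empty slot
```

Calling `scan_ef_sms(DUMP)` returns two entries: slot 1 as a live message and slot 2 flagged as deleted with its sender, timestamp and text still recoverable.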

Some Hand Held Forensic Toolkits
- MOBILedit!: software, highly rated by NIST
- BitPim: software, CDMA, open source
- Device Manager: proprietary software by Paraben
- Cellebrite: hardware used by LE
- Next slide: Using Device Manager to attempt an acquisition of a cell phone

Mobile Malware, or who said mobiles don’t have malware?
- Phoenix
- Facebook mobile
- DroidDream
- Plankton
- Zitmo
- Golddream

1st Case Mobile malware
- 2004: first mobile malware
- By 2010: 250% increase
- 2011: Botnet-enabled malware for Androids
- From June 2010 to Jan 2011, Android malware increased by 400%

What does it do?
- Disables phone
- Remotely controls phone: can record phone conversations & store them to the phone’s SD card, then upload them to a server controlled by the hacker (drops a configuration file)
- Steals valuable data

2011 iPad users hacked
- Hacker pleads guilty to stealing data from 100,000 iPad users
- Fake version of the “Angry Birds” app sent sensitive info about the user to the hacker to gain access to the phone

What can we do?
- Do NOT access banking sites over public Wi-Fi connections
- Do NOT leave “Wi-Fi ad-hoc mode” on
- Don’t download apps from a 3rd-party app repository!!!
- Check permissions of every app you download
- Run it through a secure app that will scan it from market to device

Scanning for apps
- Norton
- Lookout
- Bitdefender
- NetQin
- Also scan Facebook and Twitter!!!!