Advanced Techniques in Forensic Examination of Smartphones 2012 (C) Oxygen Software, 2000-2012


1 Advanced Techniques in Forensic Examination of Smartphones 2012 (C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com

2 Worldwide smartphone sales
Smartphone market increased by 42% during just 1 year!
Source: Gartner (November 2011)

3 Top smartphone vendors - 2011
Source: Gartner (November 2011)

4 Smartphones
What information is stored on a modern smartphone?

5 Smartphone is a small PC
Cell phone; Address book; Planner & Organizer; Messenger; Photo & Video camera; GPS navigator; Web & IM client; Platform for 3rd party apps

6 Smartphone as: Cell phone
Basic Information: IMEI/ESN/Serial number; Hardware & Software revision; Network information
Event log: Incoming, outgoing, missed calls history; Sent & received messages history; GPRS & Wi-Fi sessions log
SIM card: IMSI; Phone numbers*; SMS messages*
* - Usually these features are not utilized by smartphones

7 Smartphone as: Address book
Contacts information: First, middle, last name, nickname, joint name, company, department, job title; Photo and personal ringing tone; Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk; Postal addresses, Web pages and e-mails; Different contact sources (Android); Number of calls (Android); Text notes; Private info: birthday, spouse, children; Custom field labels (Symbian, iPhone OS); Multiple fields of the same type; Creation and last modification times (Symbian, iPhone OS)
Caller groups: List of caller groups & belonging contacts
Speed dials: List of assigned speed dials

8 Smartphone as: Planner
Calendar events: Meetings, reminders and anniversaries; Start date & time; Finish date & time; Alarm date & time; Recurrence; Last modification date & time
Tasks: Task description; Deadline; Priority; Alarm date & time; Completion date & time
Notes: Note text & date

9 Smartphone as: Messenger
Messaging system: Text messages (SMS); Multimedia messages (MMS); E-mail messages with attached files; BIO messages: vCard, vCal, configuration and others; Beamed messages: files sent via Bluetooth, IR or USB; Standard message folders; Custom message folders; Date & time; Service center timestamp for incoming messages; Information about deleted SMS messages (Symbian, iPhone OS)

10 Smartphone as: GPS navigator
GPS Navigator: Last fixed GPS coordinates; Search history; Routes history; Last displayed map; Saved maps; List of favorite places
Location tagger: GPS coordinates in camera snapshots*; Cell coordinates in camera snapshots*; Cell coordinates for camera snapshots**; Cell coordinates for video records**; Cell coordinates for SMS messages**
* - Available in EXIF header for almost all models having GPS receiver
** - Available in several Nokia smartphones and Sony Ericsson devices
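Slide 10 notes that GPS coordinates are available in the EXIF header of camera snapshots. The following is an added example, not part of the original presentation or of Oxygen Software's tooling, showing how an examiner can decode them from the EXIF GPS sub-IFD; the function names and the sample image bytes are constructed for illustration, and locating the EXIF block by a byte search is a simplification.

```python
import struct

GPS_IFD_POINTER = 0x8825                 # IFD0 tag pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS IFD tag numbers

def read_ifd(tiff, offset, bo):
    """Map tag -> raw 4-byte value/offset field for one IFD."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    return {struct.unpack_from(bo + "H", tiff, offset + 2 + 12 * i)[0]:
            tiff[offset + 10 + 12 * i: offset + 14 + 12 * i] for i in range(count)}

def dms(tiff, field, bo):
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    (off,) = struct.unpack(bo + "I", field)
    d, dd, m, md, s, sd = struct.unpack_from(bo + "6I", tiff, off)
    if 0 in (dd, md, sd):
        raise ValueError("zero denominator in GPS rational")
    return d / dd + m / md / 60 + s / sd / 3600

def exif_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None without GPS data."""
    start = jpeg.find(b"Exif\x00\x00")   # simplification: first EXIF marker found
    tiff = jpeg[start + 6:] if start >= 0 else b""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if bo is None:
        return None
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if GPS_IFD_POINTER not in ifd0:
        return None                      # no GPS sub-IFD recorded in this image
    gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER])[0], bo)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat, lon = dms(tiff, gps[LAT], bo), dms(tiff, gps[LON], bo)
    return (-lat if gps[LAT_REF][:1] == b"S" else lat,
            -lon if gps[LON_REF][:1] == b"W" else lon)

def build_sample():
    """Constructed JPEG stub: lat 51 30 26 N, lon 0 7 39 W (deg min sec)."""
    u32 = lambda v: struct.pack("<I", v)
    entry = lambda tag, typ, n, val: struct.pack("<HHI4s", tag, typ, n, val)
    tiff = b"II*\x00" + u32(8)                                   # header, IFD0 at 8
    tiff += struct.pack("<H", 1) + entry(0x8825, 4, 1, u32(26)) + u32(0)
    tiff += struct.pack("<H", 4) + entry(1, 2, 2, b"N") + entry(2, 5, 3, u32(80))
    tiff += entry(3, 2, 2, b"W") + entry(4, 5, 3, u32(104)) + u32(0)
    tiff += struct.pack("<6I", 51, 1, 30, 1, 26, 1) + struct.pack("<6I", 0, 1, 7, 1, 39, 1)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

print(exif_gps(build_sample()))
```

Run it against a working copy of the evidence file, never the original, and record the file hash alongside the decoded coordinates.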

11 Smartphone as: Web client
Web browser: Web cache files; Bookmarks; Pages view history; Last opened URLs; Search history; Cookies
IM client: IP, Login (UID, e-mail) and password*; Contacts list; Chat history; Calls history
* - Available for some IM clients

12 Smartphone as: PC
Operating System apps: Camera snapshots; Video clips; Voice records; Sounds and Podcasts; Wi-Fi networks list; Paired Bluetooth devices list; Activated SIM cards list; VPN profiles
3rd party apps: List of installed applications; Office documents; Application logs & data files

13 Extraction
What data extraction methods are available for mobile devices?

14 Standard extraction methods
There are 2 standard ways to get forensic information from smartphones: logical and physical analysis
Logical analysis: Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML; Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)
Physical analysis: Data extracted using direct memory reading (hex dump); Smartphone (or its memory chip only) connected to special hardware

15 Logical analysis for smartphones
AT+: General phone information; Contacts (simple), calls*, SMS, settings*
Nokia FBUS: General phone information
OBEX: General phone information; Files*
SyncML: General phone information; Contacts, calendar, notes, settings*, bookmarks, messages*
1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization
General phone information; Contacts*; Calendar; Notes; Calls history; Messages*; Files*; Settings*; Bookmarks
* - Available data set is restricted and depends highly on manufacturer implementation
Caller groups; Custom field labels; Speed dials; Messages from custom folders; Event log; Deleted messages information; Service center timestamps; GPS information; Location tagged data; Web browser data; IM client data; 3rd party apps

16 Physical analysis for smartphones
What to do with gigabytes of that?

17 Standard extraction methods: Summary
Physical analysis: All information can be extracted; Hard to perform; Very hard to analyze; Expensive software, special hardware needed
Logical analysis: Little information can be extracted; Easy to perform; Easy to analyze; Affordable software, no special hardware needed

18 How to extract data without a headache?
In 2002 Oxygen Software invented the 3rd way: analysis using a special agent application working inside the smartphone OS
Physical analysis: All information can be extracted; Hard to perform; Very hard to analyze; Expensive software, special hardware needed
Analysis using Agent application: Most of the information can be extracted*; Easy to perform; Easy to analyze; Affordable software, no special hardware needed
Logical analysis: Little information can be extracted; Easy to perform; Easy to analyze; Affordable software, no special hardware needed
* - Agent can extract all the information available for native OS applications

19 Agent application usage
General phone information & SIM card data; Contacts with all fields and custom field labels; Caller groups & Speed dials; Event Log; Calendar events; Tasks & Notes; Messages from standard and custom folders; Deleted messages information; Service center timestamp; Camera snapshots, video clips and voice records; File system; GPS & Location tagged information; Web browser cache & bookmarks; IM clients data; 3rd party applications with their information
- Protected operating system files
- Memory dump

20 Afraid of writing to device?
Comparison of phone content changes when performing analysis using different approaches
SyncML protocol usage: Setting up sync parameters; Installing extra sync add-ons*; Running SyncML server; SyncML server generates synchronization log files
Agent application usage: Loading Agent to device; Installing Agent; Running Agent; Uninstalling Agent**
* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files
Unlike Agent, the SyncML server is not a forensically designed app and is not under the examiner's full control. In addition, it makes more data modifications than Agent.

21 Summary
Smartphones are a considerable part of the mobile device market: FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. It will be around 37% of all new mobile phones, up from 13% in 2008.
Smartphones store much more important forensic information than plain cell phones: Being multiple-in-one devices with an OS that has an open API, smartphones are turning into small PCs with big memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.
Standard extraction methods are less effective for smartphones: All logical protocols were developed for sync purposes, thus they can only extract the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.
Agent application usage is the golden mean: The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format that is more like a logical analysis.

22 Interested in more details?
Oxygen Forensic Suite 2011: www.oxygen-forensic.com
Oxygen Forensics for iPhone: www.iphone-forensics.com
+44 (0) 20 8133 8450 (UK), +1 877 9-OXYGEN (USA)
£499 Standard, £899 Professional, £1499 Analyst
Oxygen Forensic Suite is the trademark of Oxygen Software. Oxygen Software LLC was founded in 2000, and since then our business has been PC-to-mobile communication.

