Android Driver Problems Solved

Processing an Android device with a solution running on a Windows computer can at times be difficult. Not because of Windows, but because of the many different Android device profiles available. At last count there were over 12,000 different Android profiles, from smart phones to tablets to IoT. This obviously creates problems when connecting a device to a solution running on Windows if the particular driver for that device is unavailable. Just Google “<device name> + driver”, right? This typically yields a plethora of results where 99% are either fake or a link to an advertiser. But first, why does an examiner need a driver anyway?

For any communication to occur a driver must be installed, whether the device is a keyboard, a mouse or, in this context, a mobile device. Simply put, a driver is a piece of software that acts as the middle man, converting communication from a device into a format that the Windows OS will understand and pass on to the targeted application. Think of it as a translation service. This is a simple explanation for one type of driver, but it makes the point: Android ADB drivers are needed for an application to communicate via the Windows system with the attached Android device.

An Android device must have ADB available when conducting a logical or physical collection (of course, JTAG and chip-off are exceptions). Some may say ADB is not needed for a physical collection via USB because the device is locked and the examiner could not switch ADB on; so, since they could not enable ADB, it was not enabled and the data was still extracted. This type of conjecture is generally false, because solutions that use a bypass method for Android devices are using custom ROMs or images that enable root, and thus ADB = ON. This allows the use of vulnerabilities to obtain access to the device’s file system that is typically unavailable due to device permissions. So, again, ADB is needed to access the device and as such a driver will be needed.

Instead of spending hours looking for a driver, an examiner should install the Universal ADB driver from Koush. This Universal ADB driver is hosted in a GitHub repository. There is no need to download the source code and compile the application, because an already compiled Windows installer can be found at the bottom of the page. This Universal ADB driver is updated continuously by Koush and has been used in many of my examinations when ADB drivers could not be found elsewhere. Koush is also the developer of the ClockworkMod recovery, on which many mobile forensic solutions’ physical collection techniques are based, and a frequent contributor to the Android community. This Universal driver is a package in which the vendor IDs (VID) and product IDs (PID) of many devices have been rolled into a single driver; once installed, they are registered within the Windows system. When the examiner plugs in a device, ADB will now be recognized where previously Windows was unable to find a suitable driver. With ADB now available, the device can be collected with the tool of choice.
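The reason a driver package like this works is that Windows binds a driver to a USB device only when the device’s hardware ID (its VID/PID, plus an interface number for composite devices) appears in some installed INF. The following is an added example for this post, not Koush’s code or any file from the Universal ADB driver: it parses a Windows hardware ID as shown in Device Manager, checks it against a constructed INF excerpt written in the same layout that Android WinUSB INF files use, and parses `adb devices` output so the examiner can confirm the device is actually visible to ADB after the driver is installed. The VID/PID values and serials are constructed samples.

```python
"""Check whether a Windows USB hardware ID for an Android device is covered by
an ADB driver INF.  Added example for this post, not Koush's code: the INF
excerpt, hardware IDs and serials below are constructed samples."""
import re

# Constructed INF excerpt in the layout Android WinUSB INF files use: one line
# per supported VID/PID, with &MI_xx for the ADB interface of a composite device.
SAMPLE_INF = """
[Google.NTamd64]
; ADB interface entries (constructed sample, not the real driver's list)
%SingleAdbInterface%        = USB_Install, USB\\VID_18D1&PID_4EE2
%CompositeAdbInterface%     = USB_Install, USB\\VID_18D1&PID_4EE2&MI_01
%SingleAdbInterface%        = USB_Install, USB\\VID_0BB4&PID_0C02
"""

HWID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&MI_(\d{2}))?", re.I)


def parse_hwid(hwid):
    """Return (vid, pid, interface) from a Windows USB hardware/instance ID.
    interface is None for a single-function device."""
    m = HWID_RE.search(hwid)
    if not m:
        raise ValueError("not a USB hardware ID: %r" % hwid)
    vid, pid, mi = m.groups()
    return vid.upper(), pid.upper(), (int(mi) if mi else None)


def inf_hardware_ids(inf_text):
    """Collect every (vid, pid, interface) tuple listed on INF install lines."""
    ids = set()
    for line in inf_text.splitlines():
        line = line.split(";", 1)[0]      # strip INF comments
        if "=" not in line:               # only model lines carry hardware IDs
            continue
        m = HWID_RE.search(line)
        if m:
            vid, pid, mi = m.groups()
            ids.add((vid.upper(), pid.upper(), int(mi) if mi else None))
    return ids


def driver_covers(hwid, inf_text):
    """True if the INF lists exactly this device's VID/PID (and MI_ number for a
    composite device's ADB interface); otherwise Windows will not bind it."""
    return parse_hwid(hwid) in inf_hardware_ids(inf_text)


def adb_serials(adb_devices_output):
    """Parse `adb devices` output into {serial: state}.  A device Windows has
    bound to the wrong driver (or no driver) simply never appears here."""
    result = {}
    for line in adb_devices_output.splitlines()[1:]:   # skip the header line
        parts = line.split()
        if len(parts) == 2:
            result[parts[0]] = parts[1]
    return result


if __name__ == "__main__":
    # Constructed instance ID, as shown under Device Manager > Details > Hardware Ids
    dev = r"USB\VID_18D1&PID_4EE2&MI_01\6&2A1B3C4D&0&0001"
    print(parse_hwid(dev), driver_covers(dev, SAMPLE_INF))
    print(adb_serials("List of devices attached\nABC123\tdevice\n"))
```

If `driver_covers` is false for the hardware ID Device Manager shows, the INF simply does not list that device and a different driver package is needed; if it is true but `adb devices` still shows the serial as `unauthorized`, the driver is fine and the device is waiting for the USB debugging prompt to be accepted.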

Enjoy and Good Luck!

Posted in Information, Training

Burners and BackDoors

Throughout the evolution of mobile device examinations there have always been obstacles imposed by the carriers, from locking a device’s USB port to removing the ability of software to use development-level protocols. This is not a new tactic for carriers and has been going on for some time now. By limiting access to the device, carriers can lower the cost of the device and then impose fees for the transfer or backup of the data to a designated server, or use a custom firmware full of bloatware to recoup some of the device cost. This method is not meant to eliminate an examiner’s ability to obtain the device data, but to save and make money.

Back while working as an LE examiner I had to constantly deal with Cricket-branded Kyocera devices that could not even be recognized by any software, so an SPC code had to be used that allowed access to the underlying file system. Then along came Trac and Virgin Mobile, who introduced a few devices that also had this limitation. Most of these devices have hidden menus that allow the service providers to gain access and make updates when needed. The problem: finding hidden menus for these devices can be a lot of work! They do, however, exist. Legacy Trac phones like to use the ##7764726290 code to enter the service menu, which happens to spell out ##PROGRAMAZ0. Virgin Mobile legacy devices generally use 0000000, then selecting option, and then ##847446, which conveniently spells VIRGIN! Of course, running into these legacy devices is not typical with our world swiftly moving to smart devices. So what about some of these smart devices?

In today’s mobile device walmartization, anyone can get a smart device for under $30 USD. That means these carriers need to lock these devices down in order to keep the price down. Again, the ports are locked, but with Android devices there are also some things an examiner can look for to obtain access.

NOTE: Of course, there are many variables, but this example has been used on several cheap Verizon Android devices.

The LG G2 VS980 is one of the tested devices. The examiner first realizes there may be a problem when the device is plugged into the computer or mobile solution and sees that it is not recognized. This is baffling to the examiner because it occurs even after going into the settings and turning on ADB! This creates a problem, since the device must be recognized as an ADB device in order for communication to occur via a USB cable solution. At this point most examiners believe there is one of two solutions: JTAG or chip-off. However, before going down that road an examiner should look for a hidden menu.

Some Android devices, when they are plugged in, present a menu with several options: Charging, Media Sync and Internet. This menu is much different from what will be seen on a device that has not been subsidized; typically devices display only MTP or PTP choices. In the case of this modified menu, selecting Internet presents the examiner with another menu showing Modem and Ethernet. Selecting Modem releases the restriction on ADB, since the device must use ADB to allow tethering to the attached computer. Once ADB is visible, any mobile solution capable of processing Android devices will have success.

Looking for the hidden menus on these devices can give an examiner who may not have access to JTAG or chip-off skills or training the ability to process the device with a USB cable and their solution of choice. Good luck!

Posted in Information, Training

Mobile Forensics and Today – Interview with James Howe

The Mobile Forensic Examiner welcomed James Howe to the show. James is a forensic examiner in Columbus and says digital evidence from mobile devices is used in just about every case. Furthermore, he says smart devices account for 90% of his investigations, and having tools that conform to the many different situations is critical. Listen to how James uses tools to get the job done and uncover some great digital gold.

Posted in Podcasts

The Paradigm Shift

There is a shift in the force, to use a statement that most still understand, no matter what age group you might come from. This paradigm shift comes in the form of digital forensics, specifically mobile device forensics. Said simply enough, people want more. Examiners are tired of the push-button approach and want more: an ability to customize, the ability to control the examination, to keep up with the bleeding edge of applications on mobile devices, and the power to uncover the smoking gun without first falling into the rabbit hole.

Automation is not a bad thing; it handles repetitive tasks, fluctuations in training level, time commitments and sometimes gives instantaneous results. On the other hand, automated tools that do not allow the practitioner to control the examination are tools that guess at what might be important to a specific examination, application and vector. As we all know, predicting the course of your examination is like predicting what your teenager might say to you when you ask them about their day. So the pure automation that comes with mobile forensic tools is like guessing what you want to see, what application might be important to your investigation or what your examination should look like. Without the ability to conform to the task at hand you are relegated to subscribing to what a company believes is important to your investigation based on their own research. So if their research does not place a mobile application in the top 10 from their polling of their “people in the know”, good luck handling that case with that tool.

As indicated in the title, the times are changing. In my many conversations with actual examiners they are fed up with tools that only give what the company believes is the needed information without allowing for a deep-dive analysis. So they are moving to tools that allow them to dive into the data, support any contingency and build support for themselves. Tools like AccessData’s MPE+ allow for all these contingencies because they are built by forensic examiners and by software developers who understand the need to give the power to the examiner rather than guess at what should be important.

Technology changes at a breakneck pace, and your examination today might involve a zero-day application supported by no automated mobile forensic solution. If that is the case, look for a tool that will allow you to adjust to these contingencies and take control of your investigation.

Posted in Information

Training, Talks and Mobile Forensics – Interview with Glenn Baard

Today on the Mobile Forensic Examiner I spoke with Glenn Baard, the CTO for PATC. They not only train on mobile forensics but also still work forensic cases for many LE agencies that do not have the tools or the experience. Glenn has some great experiences under his belt, so take a listen as we discuss mobile forensic trends, software, MPE+ and the new nFIELD.

Posted in Podcasts

Supreme Court, Mobile Devices and Forensics – With Tyler Clarke

Fantastic talk today with Tyler Clarke of the Reno Police. We spoke about the recent Supreme Court decision, mobile forensics and where it is going, today’s digital data and much more. I have to say speaking to Tyler made me want to jump back into examinations again. Enjoy.

Posted in Podcasts

The Time Argument, Mobile Forensics

In the beginning there was a bit. The bit turned into a byte. That byte rapidly turned into a kilo. The kilo turned into a mega, the mega into a giga, and the giga into what we know today as a tera. Sounds like an interesting name game, but truthfully each name means extra time for the forensic examiner, extra data, and most of the time, extra headaches. As a digital examiner, I saw firsthand how the progression of large data sets in digital investigations put a damper on both information collection and the investigator. The first examination of a floppy disk could be turned around in a day. A 500 MB drive required a week’s turnaround. A large gigabyte drive took multiple weeks, and larger data sets require longer processing times. Since the number of cases involving Big Data did not stop growing, I began to see backlogs stack up, causing frustration in many of the people requesting the examinations. We dealt with this problem by changing the way we conducted examinations, not by short-cutting the forensic process, but by focusing just on the information requested.

When mobile devices hit the scene, requests for information began to pour in, and the same progression was seen. The mobile devices which contained only 10 KB of data were collected to yield the requested contacts, call logs, SMS and media in a matter of minutes. The people requesting the data were so excited about this new technology that requests for this data soon outnumbered requests for computer examinations. Grab the phone, dump the data, and create the report in 5 minutes or less. Since the requests began to pile up, doing 10 phones a day was not uncommon, and those requesting the work soon grew tired of waiting in line, so the examination of mobile devices moved away from the lab and into the field. This shift is the most significant difference between a computer forensic examiner and a mobile device examiner. The problem with this shift is that the time taken to examine a 10 KB mobile device and a 64 GB iPhone is no different. Granted, the time to collect the data might have grown from 5 minutes to 20 minutes, but the outcome is the same: surface data. Agencies are now saving time by allowing the person in the field to conduct the collection and field triage. As you notice, I did not say examination, because most tools that extracted the first mobile devices give the same output as they do with the 64 GB device. This is simply because the field only wants actionable intelligence and has grown accustomed to only getting that “tip of the iceberg” data. What is not yet obvious is that this does not have to be the case. Wouldn’t it be beneficial to extract all data, give a report of actionable intelligence and allow the examination of additional data at a later time? A detailed examination that can be conducted by an investigator trained in digital evidence who might have the time to look for that needle in the haystack? Using Mobile Phone Examiner Plus nFIELD™ (MPE+ nFIELD™) can do that.

MPE+ nFIELD allows the logical and physical collection of mobile devices with little training, knowledge or experience. Select the item you will be collecting (Figure 1), select the items to extract (Figure 2), and the data and report are then available at the saved location (Figure 3). The most important feature comes in the form of data integrity. All the collected data is saved into an AD1 file. This AD1 file is an evidence locker that will allow the collected data not only to stand up in court, but also to be further analyzed in the full-featured MPE+. The person collecting the data on-scene gets their report immediately to gain actionable intelligence, while the integrity of the evidence is not compromised and a full exam is still possible.

Figure 1. MPE+ nFIELD evidence collection (device selection)

Figure 2. Select items to extract (extraction capabilities)

Figure 3. Extraction complete

TIME is very valuable in the age of digital device examinations, but obtaining critical data and allowing for full examinations if needed is mandatory. We all understand that mobile device examinations are becoming more and more important to any investigation, but we also recognize that the data recovered must survive the scrutiny of the court. AccessData responds to both challenges with the new MPE+ nFIELD solution.

Posted in Information, Products

Mobile Security for a Nomadic Workforce

The corporate environment of today is reliant on the mobility of each of its employees or team members. By mobility I mean that each member of the corporation’s team must be in contact with each other at all times, at a moment’s notice. In order to maintain this connectivity, team members must use devices that allow them to be untethered and unhooked from the standard Ethernet cable, and out in the fast-paced land of device mobility. To do so, they have adopted mobile devices ranging from the iPad and Galaxy Tab to smart cell phones such as the iPhone and Motorola Droid.

These mobile devices are so powerful and versatile that companies are no longer issuing laptops for employees to take into the field, but are now relying on mobile cellular devices or tablets to provide what is needed: work efficiency and mobility. Leading information technology influencers like Gartner Research, as well as renowned news sources like Forbes and BusinessWeek, have all published reports on mobile devices vs. laptops/PCs in today’s work environment. These reports point to the demise of the outdated PC and the increased usage of new mobile devices. This blog is a perfect example of this statement, as it is being generated, created and edited on a mobile device with a portable keyboard.

The power that a mobile device user has in his or her hands is unprecedented; however, with that kind of power should also come responsibility, right? So, what do the power of mobility and the device distribution, allowance and governance have to do with responsibility? It should come as no surprise that the mobile device of today is not the antiquated device of yesterday. Today’s mobile device user can send, transmit or even take a company to bankruptcy, anywhere in the world, with a single tweet, post or picture taken with his 10-megapixel mobile device camera. What are companies doing about it? Companies are using Mobile Device Management software, also known as MDM, in an effort to detect, monitor and prevent data breaches and information leaks. Is MDM the answer to the investigation of a data breach?

Let’s take a look at the evolution of MDM. MDM was first introduced in applications or wrappers which allowed the user to conduct the “work” within the MDM application on the mobile device. This would assure that all “work” stayed safely within the MDM application. Both the user and the corporation felt safe that important company information was not being leaked or transmitted. MDM was a safe way to provide employees with the opportunity to work while on the road without the risks that other built-in, unsafe applications used for email, SMS, etc., could bring to their security.

The next step in the MDM evolution was the introduction of a full administrative tool. Once the MDM software application was installed, it would monitor the device for approved applications, reset the device should it be lost or stolen, and monitor and capture data sent to an administrative server. This is not an exhaustive list of all the features MDM software can provide, but it does mimic what a BES (BlackBerry Enterprise Server) has done for BlackBerry devices for years.

The problem with the onslaught of MDM software in the corporate environment is the false sense of security it may bring when a critical incident occurs. MDM software providers should be the first to admit their software is not made for incident response. However, MDM software will reportedly be a 16 billion dollar industry by 2016, so why would they rush to admit their shortcomings? In the BYOD world, the MDM solution cannot operate outside of the company’s predefined applications, leaving the other applications running on the devices open and unsecured. So, where do you think insider threats, malware and security breaches are likely to come from? How do companies maintain security outside of the MDM “wrapper” when a breach occurs? Quite simply, they cannot. This is one of the main reasons AccessData has incorporated mobile endpoint monitoring (Mobile EM) capabilities into the ResolutionOne™ Platform.

Mobile EM integrates into the ResolutionOne and CIRT™ platforms to provide comprehensive visibility (detecting threats and data leakage), data intelligence and resolution across mobile devices. It allows enterprises to use their current MDM or MAM software to set mobile device policies. As an industry first, it also provides a real-time, proactive mobile endpoint monitoring capability that MDM software solutions simply cannot provide. The big key take-away is proactive.

Companies have suffered too long by reacting to security incidents, resulting in enormous consequences. A recent study sponsored by AccessData and the Ponemon Institute shows that 86% of respondents found that the detection of a cyber-attack takes too long, putting companies at significant risk. The study also found that 86% of respondents viewed mobile e-discovery and mobile analysis as a difficult process when tied to a company’s breach investigation.

The Mobile EM agent is delivered to iOS and Android devices/endpoints connected to the enterprise’s network via an MDM or MAM application catalog. The devices are then monitored by the ResolutionOne™ platform, where network communications and mobile device data are captured at predefined intervals. The data is auto-correlated with the integrated, customizable ThreatBridge engine’s threat intel library to identify known threats such as malicious IP addresses and domains, along with known malware. It also detects unknown threats by providing visibility into network communications and running processes, so anomalous activities can be identified and remediated.
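To make the two detection paths in that paragraph concrete, here is an added illustration, not AccessData’s ThreatBridge or Mobile EM code: it takes a handful of constructed telemetry records of the kind an endpoint agent might report at a polling interval (device, process, destination IP and hostname), matches them against a constructed threat intel list of IPs, CIDR ranges and domains (the “known threat” path), and separately flags any process not present in a constructed baseline of expected apps (the “unknown threat” path). All indicator values, device names and package names are made up for the example.

```python
"""Correlate captured mobile endpoint telemetry with a threat-intel list and a
process baseline.  Added illustration for this post, not AccessData code: the
telemetry, indicators and baseline are constructed samples."""
import ipaddress

# Constructed threat intel: known-bad IPs, CIDR ranges and domains.
THREAT_INTEL = {
    "ips": {"198.51.100.23"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],
    "domains": {"bad-update.example", "c2.example.net"},
}

# Constructed baseline of processes expected on a managed device.
PROCESS_BASELINE = {"com.android.systemui", "com.example.mdmagent", "com.example.mail"}

# Constructed telemetry, one record per observed connection at a polling interval.
SAMPLE_TELEMETRY = [
    {"device": "android-001", "process": "com.example.mail",
     "dst_ip": "192.0.2.10", "dst_host": "mail.example.com"},
    {"device": "android-001", "process": "com.example.mail",
     "dst_ip": "198.51.100.23", "dst_host": "cdn.bad-update.example"},
    {"device": "android-002", "process": "com.unknown.flashlight",
     "dst_ip": "203.0.113.77", "dst_host": ""},
    {"device": "android-002", "process": "com.android.systemui",
     "dst_ip": "192.0.2.11", "dst_host": "time.example.com"},
]


def domain_matches(host, domains):
    """Exact or parent-domain match, so cdn.bad-update.example hits bad-update.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip, intel):
    """Match a literal IP indicator or membership in a listed CIDR range."""
    addr = ipaddress.ip_address(ip)
    return ip in intel["ips"] or any(addr in net for net in intel["cidrs"])


def correlate(records, intel=THREAT_INTEL, baseline=PROCESS_BASELINE):
    """Return one finding per record that hits an indicator (known threat) or
    comes from a process outside the baseline (anomaly); reasons are listed
    separately so an analyst can see which path fired."""
    findings = []
    for r in records:
        reasons = []
        if ip_matches(r["dst_ip"], intel):
            reasons.append("known_bad_ip")
        if r["dst_host"] and domain_matches(r["dst_host"], intel["domains"]):
            reasons.append("known_bad_domain")
        if r["process"] not in baseline:
            reasons.append("unbaselined_process")
        if reasons:
            findings.append({"device": r["device"], "process": r["process"],
                             "dst": r["dst_host"] or r["dst_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_TELEMETRY):
        print(finding)
```

The baseline check is deliberately crude: on a real BYOD fleet it would be per-device or per-policy, and a process outside it is a lead to triage, not a verdict. Keeping the indicator hits and the anomaly flags as separate reasons is what lets the two be tuned and escalated differently.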

Filling the gap between MDM and IT mobile security visibility, the ResolutionOne Platform with mobile endpoint monitoring delivers the first true mobile forensic and security solution needed by today’s nomadic workforce.

Posted in Information

Mobile Device Data In a Big Data World

Today’s world is becoming more and more mobile every day. In fact, 91% of all people own a mobile device and 56% own some type of smart device. It is no surprise that today there are more mobile devices on the earth than there are people! Equally impressive is that the data we consume is becoming increasingly focused on mobile devices. In fact, according to Pew Research, 55% of all internet traffic in the United States is from a mobile device, a first for overall internet traffic. Mobile data is not just a part of the Big Data world; it is one of the largest contributors. Mobile device data, particularly from smart devices, will contribute approximately 8 zettabytes of data by 2015. To put a zettabyte in perspective, think of 250 billion DVDs containing around 36 million years of HD video; the total would equal approximately 1 zettabyte. With these statistics in mind, it makes sense that every digital investigation scenario will contain data from mobile devices, so collecting and analyzing mobile data is not only vital but paramount to solving today’s crimes. Mobile device data, combined with data from other big data repositories like hard drives, network shares and offline servers, paints a much better picture than relying on a single source.

So, what types of mobile device data are most important to investigations? The answer is quite simple: everything! From the standard SMS, MMS, contacts and call logs, to the meaty data involving the posting, sharing, commenting, chatting, bashing, liking, favoriting, tweeting and browsing in social media, to the locating, logging and storing of files in applications. Factor in that all this data is stored on the device, and not on a network server, with your mobile provider or with your company. Now multiply that by the fact that most of today’s communication occurs outside of normal SMS/MMS via messaging applications, and you realize a mobile forensic solution that can effectively uncover this important data is now a necessity.

A perfect example of this happened recently when I spoke to a group of over 200 forensic examiners. I simply asked them to raise their hands if they had examined a mobile device for an investigation. Immediately hands shot up from over 80% of the attendees. I asked them to keep their hands up if, during their last examination of a mobile device, they had looked at any application data from third-party applications on the smart device. Only 5 hands remained up. That is less than 3% of the attendees, which is typical, if not a little high, for the normal educational seminar I conducted.

Mobile device hardware, operating systems and applications are advancing at a pace never seen before. Should not our investigative tools and priorities advance as well? The ability to search and recover mobile data from applications on smart devices is difficult and often limited when using current mobile solutions. Research shows that only 5 to 10% of the entire user data area is examined by typical mobile forensics tools. This leaves 95% of application data unanalyzed, and a lot of times uncollected. The net result is that most examiners have minimal insight into mobile application data because of the lack of support in their current tool, the lack of time and the lack of training. Current software tools simply extract contacts, SMS/MMS, call logs, media and possibly email. Some go as far as capturing URL and browser data, Wi-Fi information and some application data. As for analyzing applications, most solutions allow the parsing of only select applications, limiting examiners to obtaining evidence from about 0.002% of all applications available. In other words, the average forensic tool supports about 30 applications out of a total of 1.6 million iOS and Android apps. For those 30 applications, the forensic solution is at the mercy of the developers’ upgrades, schema changes and table changes. With these ongoing mobile application updates, the application is no longer supported by the forensic tool and further technical development is needed.

AccessData’s Mobile Phone Examiner Plus™ (MPE+) breaks this mold, allowing the parsing, extracting and reporting of any and all mobile applications. MPE+’s SQLBuilder™ (Figure 1) allows the examiner to parse the data of any application containing a SQLite database. If the data is held in a JSON string, MPE+ allows you to customize scripts by utilizing the pythonScripter™ (Figure 2), a feature that helps you build Python scripts easily and without any scripting experience. If the application’s files are new and unknown, examiners can build their own script to extract and analyze the application data. In today’s big data world, customizable user features are very important, as they give power to the user to mold the analysis to the task without allowing the software to dictate how and what they are to extract and analyze.

Figure 1 – MPE+ SQLBuilder

Figure 2 – MPE+ pythonScripter

Understanding that we live in a big data world, and realizing that mobile forensic examinations now contain data in many different forms and formats, will ultimately lead to investigative success. Data can arrive as physical image files, flat binary files, individual files or folders, and proprietary forensic tool formats. With this in mind, AccessData’s MPE+ allows the import of these many different images. MPE+ automatically recognizes the various formats, i.e. iOS and Android file systems, and quickly allows the critical user data to be extracted.

Not only does MPE+ automatically parse the standard user profiles, it also allows for a deep analysis of the application data contained in the mobile device filesystem. Understanding that mobile device data is just a piece of the big data pie, any image can be included in the overall digital case while utilizing AccessData’s MPE+. This digital case can then be opened in AccessData’s Forensic Toolkit® (FTK®) when additional digital data sources, such as computer hard drives, server data, RAM fragments, flash drives or any other digital data source, need to be included. This allows the power of all the AccessData tools to work together to harvest the relationships and paint the collective picture of ALL the relevant data within a case. In today’s big data world, being prepared for the collection and analysis of mobile device data is the first step to gaining a clearer picture of today’s data. AccessData’s MPE+ not only helps you obtain data other solutions miss, it also empowers your investigation with “industry first” advanced analysis capabilities no other mobile forensic tool offers.
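The two parsing problems the post names, a SQLite database with an app-specific schema and records whose interesting fields live inside a JSON string, come up with nearly every third-party messaging app, and the schema-change problem it mentions is exactly why a hardcoded parser breaks on the next app update. The following is an added example written for this post, not SQLBuilder or pythonScripter code and not the schema of any real app: it builds a constructed in-memory SQLite database in the shape such an app database might have, discovers the tables and columns from the database itself rather than assuming them, sniffs which text columns hold JSON, and flattens message rows plus their JSON payload into plain records. It assumes the timestamps are Unix epoch milliseconds, which is a common but not universal convention; a real database pulled from a device image would be opened with `sqlite3.connect(path)` instead of the `build_sample_db()` helper.

```python
"""Pull messages out of a third-party app's SQLite database whose payload is a
JSON string, discovering the schema instead of hardcoding it.  Added example for
this post, not MPE+ code: the app schema, table names and rows are constructed,
and timestamps are assumed to be Unix epoch milliseconds."""
import json
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """Constructed stand-in for an app database pulled from a device image."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE conversations(id INTEGER PRIMARY KEY, peer TEXT);
        CREATE TABLE msgs(id INTEGER PRIMARY KEY, conv_id INTEGER,
                          ts INTEGER, payload TEXT);
        INSERT INTO conversations VALUES (1, '+15555550100');
        INSERT INTO msgs VALUES
          (1, 1, 1388534400000, '{"dir":"in","body":"meet at 9","loc":{"lat":45.5,"lon":-122.6}}'),
          (2, 1, 1388534460000, '{"dir":"out","body":"ok"}'),
          (3, 1, 1388534520000, 'not json at all');
    """)
    return con


def quote_ident(name):
    """Double-quote an identifier read from the database; table/column names in
    an app database are untrusted input to the examiner's tooling."""
    return '"' + name.replace('"', '""') + '"'


def discover_schema(con):
    """Map every user table to its column names via sqlite_master and PRAGMA,
    so a renamed table or an added column is visible instead of silently
    breaking a parser written against an older app version."""
    schema = {}
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cols = [row[1] for row in con.execute("PRAGMA table_info(%s)" % quote_ident(name))]
        schema[name] = cols
    return schema


def find_json_columns(con, schema):
    """Heuristic: a text column whose first non-null value parses as a JSON object."""
    hits = []
    for table, cols in schema.items():
        for col in cols:
            sql = "SELECT %s FROM %s WHERE %s IS NOT NULL LIMIT 1" % (
                quote_ident(col), quote_ident(table), quote_ident(col))
            row = con.execute(sql).fetchone()
            if row and isinstance(row[0], str):
                try:
                    if isinstance(json.loads(row[0]), dict):
                        hits.append((table, col))
                except ValueError:
                    pass
    return hits


def extract_messages(con):
    """Flatten msgs joined to conversations, decoding the JSON payload.  A row
    whose payload is not valid JSON is kept with its raw text rather than
    dropped, so the examiner still sees that the message existed."""
    out = []
    query = ("SELECT m.id, c.peer, m.ts, m.payload FROM msgs m "
             "LEFT JOIN conversations c ON c.id = m.conv_id ORDER BY m.id")
    for mid, peer, ts, payload in con.execute(query):
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()
        try:
            data = json.loads(payload)
        except ValueError:
            data = {"_raw": payload}
        rec = {"id": mid, "peer": peer, "time_utc": when,
               "direction": data.get("dir"), "body": data.get("body", data.get("_raw"))}
        if "loc" in data:                     # nested object flattened to two fields
            rec["lat"], rec["lon"] = data["loc"]["lat"], data["loc"]["lon"]
        out.append(rec)
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print(discover_schema(db))
    print(find_json_columns(db, discover_schema(db)))
    for rec in extract_messages(db):
        print(rec)
```

The schema discovery and JSON sniffing are the generalisable part: run against an unknown app database they tell the examiner where the message-like data sits before any app-specific query is written, and the join in `extract_messages` is the only piece that has to be adapted per app.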

Posted in Information

An Interview with Robert Dare on EDiscovery and ADUC

Today’s podcast was with Robert Dare, a forensic examiner working in the corporate environment. We talk about his views on mobile devices in the e-discovery world, his usage of AccessData’s Mobile Phone Examiner Plus (MPE+) and the AccessData Users Conference.

Posted in Podcasts