Android AGPS Track Observation

An interesting tidbit on the Android AGPS capability was discovered while just driving around testing the Faraday Pouch from forensicfonefabric.com. First, the Faraday Pouch is an easy way to drop your device into the bag, snap the metal closure like the old-school plastic clams you put your change in; pinch the edges and it opens up. Also, the bag has a see-through mesh front which allows you to watch the device to check the phone status and press the keys to quickly put the device into a standby mode. Once in standby mode you can remove it and do your processing, isolated from the massive cell signals. Enough about the pouch, let's talk about the testing.

So, the device I used was a Samsung Fascinate running Android FroYo. The device was fully charged and operational. The test was targeted not only at the cellular signal but also at the GPS signal; the aim was to see if AGPS signals are blocked as well.

I started a running application called Runtastic and immediately was shown the blue dot on the screen at my exact location, my office. Runtastic allows you to track not only the route, but also the time and miles. I jumped on the road and at approximately 1 mile away from the start I checked the device. On the map the blue dot was now hovering at my NEW location, showing a blue track from the start to my current location. All seemed to be working correctly with the device and the Runtastic software. At this new location I placed the device into the Faraday Pouch from forensicfonefabric.com. I observed the signal bars dive to none and I then continued my journey. Immediately I noticed that the blue dot still remained at the location where I had placed the device into the pouch. This was what I believed would occur, but I continued to monitor the blue dot. The time on the device continued to advance but the mile indicator remained the same. Again, this was not a new revelation and of course was expected. I completed the journey and arrived back at the location I had started, my office. It was when I removed the device from the pouch that I had the “huh?” moment.

When the device was removed it regained its signal from the carrier and I watched the Runtastic application show my current position via the blue dot; of course this was expected. It was when I noticed a new path emerge from the location where I had placed the device into the pouch back to my office that I dropped the brick. The device, or application, actually filled in the track; even showing the path in blue! Let me break this down a little further. I looked at the overview map that showed the initial path FROM the office to the point where I placed the device into the pouch and then BACK to the office along the same route. What was missing was the track from the place I placed the device into the pouch and the additional 1.5 miles when it was isolated. And when I removed it from the bag it FILLED IN the path by estimating my path from the location where I placed the device in the bag BACK to the OFFICE, still missing the other 1.5 miles. So the device appeared to assume I had just stopped and turned around, going along the same route back to the OFFICE where the signal was again picked up. What are the implications for an examiner?

The implications of this find for an examination of the device began to pile up. For example, what if the owner of the device you are examining for a criminal trial suddenly lost service and then it was picked up again? The device, believing it is smart, fills in the missing data and completes the trip by connecting the dots. We extract this data from the application's cache and put it together for trial, weighing our testimony on this particular find, when the data might just be a guess by the device. As I found on my own track, this data quite possibly might not be the actual street or path taken. A huge deal for court purposes. How can we overcome this find?

Knowing that service might have been inhibited, either by manual manipulation or network issues, it is very important to determine whether the device had a network connection at the time of the incident. This can be done by looking at data usage at that particular time, such as calls made/received, packets transmitted, SMS/MMS and others. If this research shows that the device did utilize these services at that particular time we can assume the AGPS signal is valid. If we cannot ascertain this information you should treat ANY location data very cautiously when examining devices capable of storing this kind of data.

This phenomenon is also evident with iOS devices when using the consolidated.db file. I will also be testing the Runtastic application for that OS using the same methods as outlined for the Android device. I will also be looking at other location-based applications on both operating systems, because this information, if not explained, can come back and haunt us should we use it without corroborating it with additional evidence.
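The corroboration check described above, written out as an added example (not code from the post or from Runtastic): each app-recorded track point is paired with independent network activity (call, SMS/MMS or data) within a time window, and runs of points with no such evidence are reported as spans the examiner should not rely on without further support. The track points, network events and two-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrackPoint:
    """One point of an app-recorded route (e.g. from a run-tracking app's cache)."""
    when: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class NetworkEvent:
    """Independent evidence the handset had service: a call, SMS/MMS or data session."""
    when: datetime
    kind: str


def nearest_event(point: TrackPoint, events: List[NetworkEvent]) -> Optional[NetworkEvent]:
    """Return the network event closest in time to the track point (None if no events)."""
    if not events:
        return None
    return min(events, key=lambda e: abs(e.when - point.when))


def corroborate(track: List[TrackPoint], events: List[NetworkEvent],
                window: timedelta = timedelta(minutes=2)) -> List[Tuple[TrackPoint, Optional[NetworkEvent]]]:
    """Pair every track point with a network event that falls within `window` of it.

    A point with no such event is paired with None: the device may have been
    recording, or later interpolating, position while it had no service, so the
    point needs other evidence before it is relied on.
    """
    paired = []
    for point in track:
        event = nearest_event(point, events)
        if event is not None and abs(event.when - point.when) <= window:
            paired.append((point, event))
        else:
            paired.append((point, None))
    return paired


def uncorroborated_spans(track: List[TrackPoint], events: List[NetworkEvent],
                         window: timedelta = timedelta(minutes=2)) -> List[Tuple[datetime, datetime]]:
    """Collapse consecutive uncorroborated points into (first, last) timestamp spans.

    Assumes `track` is sorted by time, as exported from the application.
    """
    spans = []
    start = last = None
    for point, event in corroborate(track, events, window):
        if event is None:
            if start is None:
                start = point.when
            last = point.when
        elif start is not None:
            spans.append((start, last))
            start = last = None
    if start is not None:
        spans.append((start, last))
    return spans


# Constructed sample data modelled on the drive described above: a track point
# every five minutes, service lost after 09:10 and regained at 09:35.
T0 = datetime(2011, 7, 20, 9, 0)
TRACK = [TrackPoint(T0 + timedelta(minutes=5 * i), 43.600 + 0.002 * i, -116.200)
         for i in range(8)]
EVENTS = [
    NetworkEvent(T0, "data"),
    NetworkEvent(T0 + timedelta(minutes=5), "data"),
    NetworkEvent(T0 + timedelta(minutes=10), "sms"),
    NetworkEvent(T0 + timedelta(minutes=35), "data"),
]

if __name__ == "__main__":
    for first, last in uncorroborated_spans(TRACK, EVENTS):
        print(f"no network evidence for track points {first:%H:%M} to {last:%H:%M}")
```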


Elcomsoft – iOS 4 Bricks

I received this email today and thought I would get it out to those that are looking into the decryption software for the iOS 4 devices. You might want to wait until a fix or another product comes out. Read on…

————————————–

Dear Lee Reiber

iOS 4.3.4 (4.2.9) Will Not Start After iOS Acquisition Toolkit Has Been Used on the Device
Issued: July 20, 2011

Summary

On July 16, 2011 Apple released iOS 4.3.4 for iPhone 3GS, iPhone 4 GSM, iPad, iPod
Touch 3rd and 4th generations and iOS 4.2.9 for iPhone 4 CDMA.

These new iOS versions have additional checks to detect if other iOS versions have been
used to start the device. If iOS detects such a situation, it enters Recovery Mode and asks
the user to restore the device firmware using iTunes.

iOS Acquisition Toolkit is based on iOS 4.3.3 (4.2.8) and thus loading Toolkit on a device
running iOS 4.3.4 (4.2.9) will prevent the device from booting normally after you have
finished working with the Toolkit.

Please note that the Toolkit is capable of doing acquisition of devices running iOS 4.3.4
(4.2.9). The problem arises when the device is rebooted after using the Toolkit - it enters
Recovery Mode. The Toolkit can still be loaded on the device by following the usual steps.

Resolution

If you require the device to remain bootable after acquisition please avoid using the Toolkit until the problem is resolved.

If you already have an iOS 4.3.4 (4.2.9) device in Recovery Mode as a result of
loading the Toolkit or other third-party tools, please exercise extreme caution when trying to
resolve the issue, as doing this incorrectly will lead to the NAND being reformatted.

Affected Products

+ iOS Acquisition Toolkit version up to and including 1.04

+ iPhone 3GS with iOS 4.3.4
+ iPhone 4 (GSM) with iOS 4.3.4
+ iPhone 4 (CDMA) with iOS 4.2.9
+ iPad with iOS 4.3.4
+ iPod Touch (3rd and 4th generations) with iOS 4.3.4


Sincerely yours,
ElcomSoft Co.Ltd. team


Trouble on the plains

I figured it would be fun to start putting out some assistance blogs to help examiners coming into the field and maybe some that have been in the field for a while. I miss the training courses, so I figured I would throw some help out into the all-knowing Internet.

Ever have a phone not respond to your mobile phone software that you paid mint for? If you have not, trust me you will. Here is the scene:

You hit the connect button, nothing; you unplug the cable, nothing; you hit the connect button again, nothing. First you look at the supported phone matrix and it says it's supported. Now you are fired up because you just used a free program that extracted it just fine. You now decide to call support; they say it's supported, walk you through what you have already done and still no joy. You are now to the point of blacking out from rage. You laugh, but I know you have been there because I have been there. Before you go 300 on anyone, let's look at the issues with possible solutions.

Do you have other cellphone software running?

Because of COM envy (we all have it) only one piece of software can have the port open to communicate with the device. Shut down the other software and allow only one software title to take hold of the COM port.

Can you query the phone modem via Device Manager?

If yes, the cable is good and the response from the phone is good.
If no, check the cable and the phone port.

Did you just extract with another piece of cellphone software?

The other software has placed the phone in diagnostic mode, shutting down the COM port for the new application that is trying to do the same thing.
Power cycle the device.
A simple on/off will not suffice – remove the battery, count 10 Mississippi (optional) and restart.

Does the phone support mass storage mode?

If the phone is in mass storage mode, cellphone software will not communicate with it.
Check the manual to find out whether the phone supports a modem/PC mode.

These little tidbits could help you not to belittle your workmates, throw things at your boss, throw the phone out the window or just give up on cellphone forensics.

If you want even more help on these problems and more run to a Mobile Forensics Inc training course (shameless plug).

Talk to you soon.

Lee Reiber


Divulging company secrets and IP unknowingly?

How many employees in your company are assigned cellular phones? The number across the United States alone is alarming, I am sure. Of course we tell ourselves that knowing where our employees are during working hours and allowing our employees to be more productive is a small price for the monthly bill. Let's now think about what kinds of risks we expose ourselves to as owners of these companies.

Some that immediately come to mind are:

Company espionage
Intellectual Property theft
Personal “spillage”
Human resource complaints

The list goes on, but let's just talk about the simple ones that jumped to the forefront.

How easy would it be for an employee issued a smartphone to photograph or video events, or forward a company email, sure to undermine the company, while covertly sending the data to a competitor? This could happen in the presence of any unsuspecting employee; the spy never uncovered.

How about an employee who hears of a revolutionary advance in their company's software design and, knowing the company email is “monitored”, decides to photograph the electronic document on the screen. Of course not with a standard camera, but with the one issued by the company; a 5 megapixel smartphone even capable of scanning documents. The employee believes it is most certainly untraceable because all data will be deleted once the photograph is sent via their gorilla-mail account; the personal mail account they set up on their company-issued phone. The photograph then goes to the highest bidder.

Personal “spillage” easily occurs when an employee uses the company-issued cellphone to text message, photograph, search the internet, surf the web, blog, etc. to conduct personal business. The “spillage” occurs when their personal business becomes public business and the company is then put in the spotlight. Can you say Brett Favre? Granted, Favre's phone was not issued by the company for all I know, but the picture is easily painted (or imagined).

There are always the human resource issues with regard to allegations of mistreatment, sexual harassment and the like that have occurred via messages, pictures or calls in the workplace using company-issued cellphones. One employee alleges that something was sent to them from another employee's cellphone, but the accused employee adamantly denies they sent it. The only evidence sits on the company electronic device that was issued to them.

Now comes the challenge; extracting the data from these devices in a forensically sound manner.

These are but a few examples of what the electronic business age has brought us. Does this mean we deny our employees digital devices to use in our employment? Get rid of a device that keeps our employees more in touch, easily accessible and more productive? I would hope not. What these examples should spark is thought about how we distribute our electronic devices, how we cultivate the data contained on the device and, moreover, how we analyze the data should we have to.

Lee Reiber



TIME and Distributing Work

As I start the journey to Sydney for meetings I thought there would be no better time to work on another blog. I thought I might touch on attacking the TIME issue again. I had a live webinar with Officer.com this week wherein I spoke about this very issue. First, a huge THANK YOU to Officer.com for giving me a chance at the online platform and secondly THANK YOU for supporting the LE officers around the globe with your services.

So TIME; yes, it's a four-letter word in forensics similar in sting to any other expletive one might hear. It's really due to the demand we as examiners see due to the inundation of digital evidence on our desks or in our labs. Glorified on TV and in movies as the smoking gun, along with the proliferation of devices in our world, we are slaves to the requests of these falsely educated requestors of “on CSI they did it”. So now piled up in our evidence rooms, desks and trunks (I hope not) are digital devices set to be examined which range from cell phones to refrigerators. If it contains a chip it must contain evidence, right? Well, my concentration and focus in this blog will of course be cell phones, but I hope some of this can be used for the next 'fridge you run into.

Distribution of labor is a concept used by many companies to “share the work” and become more effective and efficient. This is an easy concept really when we think about it; what better way for someone to focus than to give them smaller portions. So using this model the workers can concentrate and focus on their small assigned task, but under the hood they are completing the piece used later to complete the entire project or solution. This is why the distributed processing model works so well with AccessData's forensic software. The examiner can use multiple computers to process the data, with each core taking an assigned thread while the others are churning out other threads. All are concentrating or focusing on their task, the data thread, which amplifies the efficiency and reduces the TIME element.

The same would be evident in the usage of AccessData's LAB product, where we are now talking about users. Like TRON, throwing Users into the mix usually messes up the Programs (current movie on the plane, sorry). Well, using LAB takes away the User's non-focused, non-procedural, overwhelmed-with-evidence, huge TIME commitment because the task is no longer individualized. Distribution allows tasks to be assigned to each User and allows individuals to focus on what they have been assigned; not wandering down the road of a User's fascination with all the rest of the data in the case. Efficiency and accuracy of the examination, when distributed to Users, increase exponentially by lowering the burden of TIME and data overload on the User (examiner).

So does the distribution of labor mean we do not conduct a proper extraction? That we only extract the email, or internet history, when we “image” a computer hard drive? Of course not; we obtain all the data that we can, typically a bit-by-bit copy of the device storage medium. It is the examination that shapes the evidence by extracting the data that pertains to the case.

Why am I focusing on distribution of labor when I am talking about cellphones? We all know that one person is usually extracting and analyzing the data from a cellphone right? It could be a first responder on scene or an examiner back at the office. Technically, that might be true but ultimately that should not be the case. Let’s put a twist on the distribution of labor with regards to a small handheld device being processed in today’s world, using today’s tools.

A typical scene for cellphone forensics is this: A first responder shows up to a scene with multiple devices and begins to extract the data from the devices. The same goes for phones brought to the examiner in the lab. Reports are completed which typically contain only data I call “user data”, i.e. contacts, call logs, SMS, calendar and media. Simply obtained and jammed into a CSV or HTML report after the extraction.

What is the first responder's or front-line warrior's primary mission? To protect, settle the scene and move on to the next call. TIME is never a luxury for them and the quickest, easiest extraction method for a digital device is all that matters. I am a big proponent of a first responder's job not being that of a forensic examiner, but if we distribute the labor and do not neglect the collection we all win.

Here is an example through today's quick-and-dirty analysis eyes. A first responder or street officer arrives on scene and his or her job is to quickly collect the data from a cellphone sitting next to the body. The phone's contents are “dumped” quickly on scene, extracting contacts, SMS, media and call logs. This data is saved as a CSV file, an HTML file or both. That output is then sent to the prosecutor for review and the phone is booked into evidence. Because of the work overload and the TIME commitment to extract the phone's filesystem along with the user files, this step was not completed by the first responder. Later, while dealing with the case, the prosecutor quickly looks at the case and the first responder's report on the cellphone. Because the prosecutor is looking for a specific MMS message and does not see it contained in the first responder's report, the case is settled without using any of the first responder's cellphone work. Granted, there were some phonebook entries and SMS that helped the case to settle, but later another trained forensic examiner was asked to look into the evidence from the device because now they had TIME.

Remember, the filesystem was not extracted the first time due to the admitted lack of TIME of the first responder, so the device had to be reacquired. Once the phone was reacquired the user information was AGAIN extracted, but also the available filesystem. Needless to say, the second examiner was duplicating the original work of the first examination in obtaining the user data, but this time had the embedded filesystem as well. The second examiner had to use another tool (FTK) to carve and parse the phone's filesystem, which was only extracted in the second examination. To the surprise of the prosecutor (after the second examiner contacted them) the MMS was there, with the criminal image and text content easily visible in FTK from the phone's embedded filesystem.
Too late came the information, as I mentioned earlier; the prosecutor had already sealed a deal. That is an everyday occurrence in today's cellphone world. Should it be?

What can be taken from this real-life example? One immediately evident fact has to do with the topic, TIME. Could this have been solved on the initial extraction? Maybe distribute processing tasks? Have the first responder conduct a FULL extraction, but only report on the artifacts requested, say phonebook and SMS. Then have a more trained examiner just analyze the filesystem? That could be a solution. The first responder or examiner extracting the device can obtain and report on what they need, but another examiner can also import the forensic container and examine the data at any time. How about a cellphone tool with a built-in carving solution, so extraction and file carving are all wrapped up in one? That would have solved the embedded image in the MMS.

Having another examiner examine the device and extract AGAIN is another issue in both TIME and data integrity. Why not just give them the data files from the first extraction? Well, most cellphone tools output in a format not typically seen as a forensic container. Some examples are CSV, HTML, ZIP and BIN files. None are good alternatives for a forensic container. Having a tool where an initial extraction is all that is needed, sealed in a container that is recognized all over the world as a forensic container, protects the chain of custody and allows an extraction to take place only once. Any amount of change, however small, will change the digital fingerprint of that forensic container.

Now let's analyze this in the sense of distribution of labor. Back to the TIME commitment this is all about. As you can see there are tools available that can be the best of both worlds, one for easy acquisition and also deep artifact data mining for that needle that everyone complains they don't have time to look for. Divide the work by task design, don't double the work by duplication of labor. Focus on what is needed for the “push button” extraction, but also understand there are tools available that allow a quick preview and reporting of the data, but not at the cost of an examination's TIME commitment and data integrity.

Thanks for reading.


DoD and Date\Times

Heading to the DoD conference with not only a level of excitement in presenting on Thursday but also about seeing the “regulars”. From Cellebrite, Microsystemation, Susteen and others who regularly attend the conference it is always interesting to hear about the things that have happened since last we got together. Some of course are more guarded than others primarily due to my relationship with AccessData and what I do or they believe I do. It is a time I usually end up having to explain myself and justify my work for the community on a whole to some, but if it makes a relationship better then all is good. Although, I find it terribly tiring to do it every time we all get together. The mobile phone community is extremely volatile to the point of paranoia. Primarily due to the currency involved, the bottom line, the mighty dollar. Ok let’s get some education into this blog.

Dates and times are always important to any type of examination or investigation. In our mobile phone training courses, both online and in the classroom, we talk about the value of seeking the truth. The truth I will touch on here is the truth in dates and times in cellphone examinations. Mobile Forensics Inc, I would say, pioneered the addition of carving for these artifacts in our training offerings, starting with our 202 course (I am sure I will be corrected if I am wrong).

Why are dates and times important when software already parses out that data for me? Well, let's answer that with a few bullets.

Most software reports date/time arrival to handset, which could be drastically different than the sent time (we are talking about SMS for this example)

A lot of dates/times cannot be parsed by software. This is usually due to the developer not knowing the format or location(s).

Software reports incorrect date/time due to the many different types of formats.

Deleted data might have a truncated date/time which is not picked up by software.

A lot of mainstream software will take the file date and display that as the SMS date/time. Now, this could be extremely close for outbound SMS, but for incoming messages this could be very far off. And if I want to know the date/time the bad guy sent the message to my victim's phone then I had better start my hunt. A rule of thumb I always use before diving into the HEX in the handset's filesystem is to determine whether the date/time shows up on the device along with the message. If this is the case, it HAS to be in the phone's data, right? Well, yes it does, but the format it might be in is the difficult part. This, along with where in the file the artifact might reside.

Another issue you will face is the problem with becoming overjoyed with the location of a date/time format on a LG-VX5300 only to be at square one when you look at a Motorola V3m. It is tedious, but the payoff is well worth it.

What tools can I use when trying to locate these artifacts? In our training courses we use several.

All are listed in alphabetical order and should not be construed as order of preference.

AccessData FTK 3.2
With the addition to the HEX Interpreter window, the user can sweep bytes and convert the associated HEX bytes to a date/time. The converted data can then be bookmarked and saved via copy.

Cellebrite Physical Analyzer
Used in our 303 course where the student can sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats on files not automatically parsed.

MFI HEX Assistant
Free App (can I use App?) I put together that allows the user to sweep bytes in evidence, paste them into the assistant, and convert them to the proper date/time. Similar to Decode, which is used for computer forensic date/time conversion.

RevEnge
Used in our 202 course and from Sanderson Forensics. The student can import any file into the interface and sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats within the files being examined. Data can be bookmarked for each hit.

All are fantastic tools and can be used collectively or independently depending upon your situation.

All support the following dates/times: HEX/DEC 6 Byte, BREW/Qualcomm/GPS, LG/Samsung, OSX/DOS, UNIX

Of course the utilization of each tool is different, but the outcome is always consistent across all the listed applications. The tool is not the difficult part; the location and parsing of the data is, but the payoff is immense! Uncovering data manually from a phone's filesystem can turn a case that was solid into one that is ROCK SOLID.
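As an added example (not one of the tools above, nor code from MFI), a small Python sweep-and-convert helper covering the date/time families the post lists. It assumes “HEX/DEC 6 Byte” means YY MM DD HH MM SS stored one field per byte, in binary or in BCD; it treats BREW/Qualcomm as seconds since the GPS epoch (1980-01-06) and OSX as seconds since the HFS epoch (1904-01-01); the LG/Samsung layout is not reproduced since the post does not define it. The sample buffer and its offset are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Epochs for the "seconds since" formats. BREW/Qualcomm handsets count from the
# GPS epoch (assumption stated in the lead-in); OS X / HFS+ counts from 1904.
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "gps": datetime(1980, 1, 6, tzinfo=timezone.utc),
    "hfs": datetime(1904, 1, 1, tzinfo=timezone.utc),
}


def decode_epoch_seconds(raw: bytes, epoch: str, little_endian: bool = True) -> datetime:
    """Decode a 32-bit unsigned seconds-since-epoch value in either byte order."""
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    secs = struct.unpack("<I" if little_endian else ">I", raw)[0]
    return EPOCHS[epoch] + timedelta(seconds=secs)


def decode_dos(raw: bytes) -> datetime:
    """Decode a DOS/FAT packed timestamp: 16-bit time then 16-bit date, little-endian.

    time = hour(5) | minute(6) | second/2(5)
    date = (year-1980)(7) | month(4) | day(5)
    """
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes")
    t, d = struct.unpack("<HH", raw)
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def decode_six_byte(raw: bytes, bcd: bool = False) -> datetime:
    """Decode YY MM DD HH MM SS, one field per byte, as binary ("HEX") or BCD ("DEC")."""
    if len(raw) != 6:
        raise ValueError("need exactly 6 bytes")
    if bcd:
        fields = [(b >> 4) * 10 + (b & 0x0F) for b in raw]
    else:
        fields = list(raw)
    yy, mm, dd, hh, mi, ss = fields
    return datetime(2000 + yy, mm, dd, hh, mi, ss)


# Every interpretation the sweep will try on a swept run of bytes.
DECODERS = {
    "unix-le": lambda b: decode_epoch_seconds(b[:4], "unix", True),
    "unix-be": lambda b: decode_epoch_seconds(b[:4], "unix", False),
    "gps-le": lambda b: decode_epoch_seconds(b[:4], "gps", True),
    "gps-be": lambda b: decode_epoch_seconds(b[:4], "gps", False),
    "hfs-le": lambda b: decode_epoch_seconds(b[:4], "hfs", True),
    "hfs-be": lambda b: decode_epoch_seconds(b[:4], "hfs", False),
    "dos": lambda b: decode_dos(b[:4]),
    "6byte-hex": lambda b: decode_six_byte(b[:6], bcd=False),
    "6byte-bcd": lambda b: decode_six_byte(b[:6], bcd=True),
}


def sweep(data: bytes, offset: int, years: Tuple[int, int] = (2000, 2030)) -> List[Tuple[str, str]]:
    """Try every decoder on the bytes at `offset` and keep the plausible results.

    This mirrors the manual workflow of sweeping bytes in a hex view and asking
    the tool to convert them; the year-range filter discards decodes that are
    valid dates but obviously wrong for the case.
    """
    window = data[offset:offset + 6]
    hits = []
    for name, decode in DECODERS.items():
        try:
            when = decode(window)
        except (ValueError, OverflowError, struct.error):
            continue  # not enough bytes, or fields out of range for this format
        if years[0] <= when.year <= years[1]:
            hits.append((name, when.isoformat()))
    return hits


# Constructed sample: a fragment of a message record with a little-endian UNIX
# timestamp (2011-07-20 12:34:56 UTC) at offset 8, followed by message text.
SAMPLE = b"\x00" * 8 + bytes.fromhex("70cb264e") + b"\x00\x00" + b"meet at 6"

if __name__ == "__main__":
    for name, when in sweep(SAMPLE, 8):
        print(f"{name:9s} {when}")
```

Several formats will often decode the same bytes to a valid date, which is exactly why the post stresses checking the converted value against what the handset displays for the message.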

So if you are at DoD Cybercrime this week, look me up at the AccessData booth and let me know what you think.

Lee Reiber


“The Basics”

The smartphone thorny issue has not reared its head yet and I believe it is due to the lack of competition in the mobile phone tool arena. Most examiners have been pretty content in obtaining the minimum, the basics as some vendors call it. These basics usually involve the contacts, call logs, SMS, media and calendar entries. Here is my take on this reasoning.

Back when we first started extracting data from cell phones in our training classes in beautiful Carlsbad, California, we were using tools that had really been developed for moving data onto cellphones, not pulling data off. Cellphone users did not want to deal with the painstaking entry of 11 of their best friends, but used a tool to do it for them over a cable. I laugh because now I see very few phones that do not have over 100 entries in their contacts lists. Maybe we just have more friends now… The point is, we used these commercial data transfer tools in our MFI Training courses and of course the manufacturers of the tools started to see the numbers in our classes grow. Soon the cartoon $$ started to appear in their eyes. Coupled with the fact that ninety percent of our attendees in the early days were law enforcement officers, those $$ were even more tasty to the tool vendors. So these manufacturers started to create a “forensic” version of the software to ease the stigma of the commercial data transfer/sync suite. Truly, the underlying code and hardware was in essence the exact same as the transfer suite, but the fact that only the READ button was visible made the price jump 1200% for some products! As was mentioned earlier, the transfer/sync tools were not developed for the data LE (law enforcement) might be looking for, but really only the data the commercial users had in mind: backing up their contacts, SMS, call logs and great pics. Unfortunately, this is where most tools still sit and most have remained. In the following paragraphs I want to ask and answer some questions that arise when talking about tool vendors.

Could this be because some of the vendors have no expertise with forensic examinations?

The majority of cellphone software manufacturers have never had to complete a forensic examination on digital evidence and simply rely on feedback from their users on how it is done. This to me is like writing a cookbook without ever cooking, mixing, measuring or preparing a meal in your life, just relying on people to tell you how it is done. There is no doubt that this has occurred, but I honestly would not like to try the recipes. You know why? The writer has no ownership in the project. Why should he/she write a great cookbook when they will never use it to prepare a meal! This is the same with a tool vendor that is managing the development project without ever processing a device to the scrutiny of a court system or peer review. Something will always be overlooked if you have no ownership in the project.

The vendors don’t see a large market share for forensic examinations whereas commercial data transfer is where the money is?

I can name only a few companies in the cellphone forensic software business that do not also have a commercial data sync product being sold and developed alongside a forensic version. The vendors who only have forensic titles that immediately come to mind are AccessData, Guidance Software and Paraben. Now, those that also sell software/hardware solutions for transferring/syncing user data onto the phone do not have a bad product; that is far from the truth. What I am indicating is that because they sell a commercial product, most vendors make the most revenue in the commercial realm. By commercial I mean a tool with which the end user can update/alter data on the cellular device. And if the majority of revenue is made on a tool sold for data transfer/sync then the concentration would be on that product; that is just business. The second product, or forensic product, takes a back seat and gets the code as a hand-me-down. Remember, the hand-me-down code will be from the sync side, so the data extracted is typically limited to the items the user would want to back up or update/change on the device. This is another possible reason the forensic tool has limited support by the vendor.

Engineering of code for cellphone device data takes time to build from the ground up?

This goes hand in hand with the previous statement. Why reengineer software when you have already developed software that does it? Sorta the “just add water” mentality. So the forensic examiner gets the same code base but in another package, look or user interface. Developing code and engineering every device is not only a daunting task but an expensive one as well. Using the rule of thumb that in the United States alone two new cellphones come to market every two hours puts any software manufacturer behind the curve right away. That is why I always begin my lectures explaining to attendees that there is no one cellphone software solution and most likely there never will be. Statistically it is an impossibility, due to the sheer number of devices and their anomalies.

So what does all this vendor talk have to do with the smartphone dilemma? Why is it I can only get very limited data from these devices? I once posed a question to a very prominent vendor in the industry after using their tool and only extracting contacts, calendar and media. I asked them if I could get support for the SMS and web history and was told, “that phone is no longer sold and is old.” The funny thing in my mind was that the same phone was used by more “clients” than any other device in my area! Most of the individuals I deal with do not subscribe to the “new every two” plan. So what I did, and continue to do every exam, is to data mine for the artifacts not parsed by the tool, uncovering an unbelievable amount of data.

By taking an examiner’s role and not that of a cellphone user, the data you will uncover will open your eyes to what you missed in the many cases you simply relied on a tool that only extracted “the basics”.

Lee Reiber


Carving the artifacts

Recently, I spoke at length with an MFI trainer, and the conversation stirred up some great feelings when it comes to searching. And when I talk about feelings don’t get freaked out; they are the kind of emotions only found when discovering that piece of data that has never been documented. Only rarely does one run into an examiner who wants to look past the push button and into the hard stuff: artifacts that must be manually carved from the existing data. And when this occurs it is sorta like the feeling Yoda had in the swamp. (What a poor reference, but those who get it are as old as me.)

To bring you up to speed, I have been conversing with an examiner who is not only an MFI instructor but an MFI graduate. Here is the skinny:

Text messages had been sent using an iDEN device and then deleted. He needed not only to recover the data, but to obtain additional metadata in the message if possible. Using Cellebrite UFED with the additional physical module, an extraction was completed and subsequently a possible deleted text message was located. The problem he found was that the ASCII was displayed but the metadata he was looking for (dates and times) was not. Using techniques learned in our MFI courses, he compared the known values located and carved with the Cellebrite Physical Analyzer against the area surrounding the target message. Several hexadecimal values were located and thrown into the MFI Hex Assistant, selecting the iDEN format. BAM! (my word, not his) The date was converted.

The examiner could have given up when the tool did not yield the results for him, but of course he did not. Tenacious is a term I like to use to describe not only this examiner but a lot of the MFI graduates. They are truth seekers. They understand that there is not one tool that can get all the data, but they continue to look, carve and unfold the evidence, using sound methodologies and techniques.

This is not a bash on any tool, as some may read into this. No current tool on the market could have located the date and time in that format. What it is, though, is a testimony to the hard work and dedication of examiners seeking to break the mold of the “tool jockey”.

What was the outcome of this hard work? Another serious felony was solved with cellular evidence.

Thanks for listening and keep up the great work. Data does not lie.

Lee Reiber


Request to Write

About a month back I was asked to answer some questions on cellphone forensics regarding processing, seizure and more. I thought I would post my responses “as they were”, so to speak, just in case they did not make it to print for some reason. I think the questions are ones everyone should be asking themselves, and better yet, answering honestly. Take a read, and as always comments from anyone are appreciated, except from a bot trying to get a hyperlink up.

1. What are the steps once you obtain a cell phone to examine?

The most important items to consider when coming into possession of a cellular phone are seizure, isolation and documentation.

Seizure – You will have to ask yourself whether you have the legal grounds to take the physical device and/or the digital data. If you do not have a legal right to examine the device or its contents, then you are likely to have all the evidence suppressed no matter how hard you have worked.

Isolation – The single most important step you should take in the examination of a cellular phone is to isolate the device from the network. This is important because the cellular phone’s data can be changed, altered and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can use applications to remotely “wipe” the data from the device.

Documentation – The device must be photographed to show its state at seizure, including time settings, device state and characteristics. A cellular phone’s date and time can change when the battery is removed during the examination phase, so documentation of the state at seizure is very important.

2. How about cell phone jammers or faraday bags?

The use of a signal disrupter (cellphone jammer) is illegal in the United States and not a method we instruct in our courses. We do discuss the option of a signal disrupter and the steps an examiner must take to ensure that it is done safely, so as not to interfere with outside cellular communication, to wit: emergency traffic. Faraday bags are a good option for the transportation of cellular devices, but not a good option for the examination of a device, simply because introducing a cable to the device and then to the examination computer renders the bag useless. We recommend wrapping the device securely in a metallic mesh and then placing the phone into standby mode or airplane mode for transportation, photographing it, and then placing the phone in a state to be examined.

3. Multiple investigation tools for data verification?

In order to have a successful examination, not only should you verify that the tool extracted the data as it should, but you should verify that the tool did not alter data. This is something we speak about in depth in our training courses: the verification of the process, not the tool.
How can an examiner truly say the tool did not alter the data in the extraction process? This is done by validating the tool against a baseline, then conducting the same extraction and comparing the results using the created “digital fingerprints”, or hash values. This does not have to be done on every examination, but at least at version changes and upon first installing/using the software.
Too much emphasis has been placed on “did the tool extract all the data” instead of on whether the data was altered by the tool.
As for using multiple tools for an examination, I believe this is a must. As tools in cellular forensics behave differently and extract different types of data, we must find the tools that cover the majority of phones seen in your area.
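An added example, not code from the post, of the baseline validation described above: every artifact in an extraction is fingerprinted with SHA-256, the manifest from a known-content baseline device is compared with the manifest of the same device re-extracted after a tool version change, and validation fails if anything the baseline recorded was altered or lost. The extraction layout (artifact path to bytes) and the sample artifacts are constructed assumptions, not any tool's real output format.

```python
import hashlib
from typing import Dict, Set

Manifest = Dict[str, str]  # artifact path -> SHA-256 hex digest ("digital fingerprint")


def build_manifest(extraction: Dict[str, bytes]) -> Manifest:
    """Fingerprint every artifact in an extraction (assumed layout: path -> raw bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in extraction.items()}


def compare_manifests(baseline: Manifest, candidate: Manifest) -> Dict[str, Set[str]]:
    """Classify artifact paths as unchanged, changed, missing (baseline only) or added."""
    common = baseline.keys() & candidate.keys()
    changed = {p for p in common if baseline[p] != candidate[p]}
    return {
        "unchanged": set(common) - changed,
        "changed": changed,
        "missing": baseline.keys() - candidate.keys(),
        "added": candidate.keys() - baseline.keys(),
    }


def tool_validated(baseline: Manifest, candidate: Manifest) -> bool:
    """Pass only if nothing recorded in the baseline was altered or lost.
    Extra artifacts are reported but do not fail validation: a newer version may
    legitimately parse more, but it must never change what the baseline proved."""
    diff = compare_manifests(baseline, candidate)
    return not diff["changed"] and not diff["missing"]


# Constructed sample: baseline extraction of a test phone with known contents
BASELINE_EXTRACTION = {
    "phonebook.vcf": b"BEGIN:VCARD\nFN:Test Contact\nTEL:5555550100\nEND:VCARD\n",
    "sms/inbox.db": b"constructed sms table bytes",
    "calendar.ics": b"BEGIN:VCALENDAR\nEND:VCALENDAR\n",
}
# Constructed sample: the same phone re-extracted after a tool version change
NEW_VERSION_EXTRACTION = {
    "phonebook.vcf": b"BEGIN:VCARD\nFN:Test Contact\nTEL:5555550199\nEND:VCARD\n",
    "calendar.ics": b"BEGIN:VCALENDAR\nEND:VCALENDAR\n",
    "media/photo1.jpg": b"constructed jpeg bytes",
}

if __name__ == "__main__":
    base = build_manifest(BASELINE_EXTRACTION)
    cand = build_manifest(NEW_VERSION_EXTRACTION)
    for kind, paths in compare_manifests(base, cand).items():
        print(f"{kind:9s} {sorted(paths)}")
    print("validated:", tool_validated(base, cand))  # False: phonebook changed, sms lost
```

Changed fingerprints point at data the new version altered or parsed differently and missing ones at data it no longer recovers; both must be explained before the version is used on a real case.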

4. Should we understand the investigation tools at an in-depth technical level?

Understanding the general process of the tools is very important, but a technical “code level” understanding is not. The technical “code” level is left to the company offering support for the software. In the law enforcement world the examiner is not going to testify to the code that makes the software perform; the actual developer or a representative of the vendor will.
What is extremely important for the examiner is a very in-depth knowledge of the forensic process. An understanding of the steps to take, from isolation > seizure > extraction > documentation, is of utmost importance. During the extraction phase, with today’s phone types, the examiner has to be capable of looking into file systems to uncover data that is not recoverable with standard extraction tools. The simple point-and-click examination is not going to be enough by tomorrow’s standards. The button cowboy tools are going to come under further scrutiny.

5. Has there been an increase in cell phone evidence being used in criminal cases?

Every day in the US the media reports a case being solved by the examination of a text message, photograph, video, etc. Because over 130 million people in the US alone own cellular phones, law enforcement examiners are looking to these devices as an evidence trove. So yes, there are many outlets showing that cellphone evidence is today’s DNA.

6. Advice for a cell phone investigator taking the stand?

An examiner who must testify to their findings must realize that they can no longer testify that they pushed the “get evidence” button and then believe that explanation will suffice. The examiner must be ready to answer the question, “Where did the phone book come from?” And not answer, “From the phone.” Instead, be ready to give the location of the phone book’s contents as it relates to the phone’s file system, and also how the user data was not altered during your examination. Unfortunately for most, this is a daunting task because it takes additional time and training, two things the button-pushing applications feed on. So until the day comes and case law is made due to an examination or lack of examination, we wait…..

——————————–

Thank you for reading and please let me know what you think!

Lee Reiber


Are You Protected?

Greetings fellow cellphone examiners, forensic specialists and anathema to some. We are going to have a few discussions while I am on my 18 hour air journey, I suppose. I hope blogs and/or Twitter are allowed at my destination; ugh, I should have checked that…. At any rate, let’s talk about cellphones.

During our courses, every conference and every speaking engagement I attend or am a part of, someone always brings up “write protection” and how to achieve it with a cellphone. I have witnessed both trainers and vendors answer this inquiry and explain that it is possible to write protect a cellphone. When questioned further on the how-tos of this revelation I have heard, “it is built into our cables”, “a standard write blocking device works”, and also “use a simple registry hack to make the USB ports read only.” The last, I heard, is still taught in some cellphone courses. My only question about these claims is, have you actually tested them? Well, let’s dispel the rumors.

“It is built into our cable.”

I tested these cables, manufactured by a very reputable European company, and found that 100% of the time I was not only able to write to the cellphone using tools like Motorola Phone Tools, P2K Commander and even BitPim (after switching off the “Block Writing to the Phone” checkbox), but I was able to remove and re-upload my own phonebook. First theory tested and shown to be FALSE.

“A standard write blocking device”

I tested this claim by using a Tableau USB physical hardware write block device and the same Motorola cellphone as used before. I plugged the USB device into the computer and then plugged the cellphone into the USB device. Shazam, the Tableau actually recognized the cellphone and displayed Motorola on the digital display. Could this really work? Using the same programs as previously mentioned, I attempted to write to the cellphone. BAM, I successfully updated my contacts…..again. I wrote right through the USB write block and onto the phone. Second theory tested and shown to be FALSE.

“use a simple registry hack to make the USB ports read only”

I tested this last claim both by manually changing the registry key and also by using the automated tool used by a few training companies. This registry hack changes the USB hubs to “read-only” on the Windows machine. I inserted a USB flash drive and tried to write to it, only to be told it was unable to complete the task due to the write protection. Ok, sweet, that worked, so let’s test the same Motorola that has been abused by the other theories. I plugged in the device and watched as the drivers began to install. Ok, so far so good. Now let’s try to put some new contacts onto the phone using the same tools as in the other tests. KABOOM, again I am the proud owner of new(er) contacts on my Motorola cellphone. Third theory tested and also shown to be FALSE.

Why is it that the USB port cannot be blocked, you ask? Simply put, a phone is not seen as a mass storage device but as a modem and/or serial port. All types of write blocking methods, both software and hardware, protect devices seen as mass storage devices: portable hard drives, flash drives, media cards, etc. A phone is not one.

“But a phone can be seen as a mass storage device”, you scream.

Of course, if the phone is capable of that mode it can, AND when in that mode it CAN be write protected. The issue the examiner will run into is that the only data extracted when a phone is seen as a mass storage device is from the media card or the area where the media files are stored. Now of course there are exceptions where the phone can store SMS, contacts etc. onto the media card, but very few are capable of that type of feature. For the most part, the examiner will be missing the user data if only the data from the media area is extracted. So this means the examiner would have to switch the device out of mass storage mode to utilize our standard cellphone tools. Out go the write blocking tools.

So how then do software tools NOT write data onto the devices I am examining? The short answer is that specific commands are used to extract data and different commands are used to write data, and the typical cellphone tools used in our forensic examinations use only read commands.

Maybe it is time examiners contacted the software vendors/trainers and asked to see what answer they give; it might be fun. Hopefully they don’t say that their cables or software write protect the ports.

Thanks for reading, more soon

Lee
