COM Envy

Have you ever used a piece of software to conduct an examination on a mobile phone, only to find that even though the phone is listed as supported, an error occurs while trying to extract the data? What could be the issue? There could be several causes, and I will go through a couple that just might solve the problem for you. These are covered in depth during our MFI 101 training course.

Do you have multiple software solutions running?

The communication that occurs between a device and the computer demands that a COM port be available to the software. If the phone is “attached” to one piece of software via this COM port and a second piece of software also tries to open the port, an error will occur indicating that communication cannot take place. I have termed this anomaly “COM envy”. Since the port has been opened by one piece of software, it will have this exclusive relationship until that software is closed, thus closing the port. So, one piece of software at a time.

Have you initiated and extracted data with one tool and then immediately tried to extract data with a second tool?

Cellphone tools switch phones into diagnostic mode in order to extract user data. If the tool does not properly release the device (and most tools do not), the phone remains in this state. If the examiner then immediately attempts to use another tool while the phone is still in diagnostic mode from the prior extraction, a communication error occurs. To combat this the examiner can simply “power cycle” the phone. To “power cycle” a device you must remove and then reinsert the battery; simply pressing the power button will not suffice. If you do have to power cycle the phone, always take into consideration: Could the phone lock? If it did, can I bypass the lock? Did I photograph the screen? Will the phone still be off the network when restarting? That is not a full listing of course, but I am sure the picture was painted. One tool running at a time.

Do I have the proper port selected?

Mobile devices seldom utilize only one port when communicating with our forensic tools. The problem that arises is that some software auto-selects the port, and sometimes it is the incorrect port. If the examiner has the ability to select the port, one should utilize the “Serial/Cable Port”. Now there are exceptions to this. For example, the Motorola W385 has both a modem and a serial port available for communication. Selecting the modem port will allow the user data to be extracted, not the serial port. The serial port is generally the extraction port for CDMA devices, but of course there are exceptions. If only a modem is available, that is ok. The software will communicate on that port and place the phone into diagnostic mode via the modem port.

Select the “Serial/Cable Port” in the COM portion of the tool first to minimize communication and extraction failures.

I hope a couple of these might help you with communication issues should you encounter them.

Lee Reiber

Yes I said it “Cellphone Forensics”

As promised to all the examiners out there, I say “cellphone (mobile) forensics”. This roll comes early since we are in a wonderful holding pattern while deciding to land (I love winter). I thought I would just do another promised blog.

I am going to do a little discussion on the idea of adding the word forensic to the examination of a mobile device. @&$@, some say. I want to give my opinion because when we discuss a mobile device extraction we should have an understanding as to why, how and who can label this forensic. Let’s go to some far away place not in the distant future……. ok, this really happened like a month ago…

I was teaching a very large event and thought I would sit in on an instructor who was running an introductory class. The instructor conveyed to the group that the extraction of data from a cellular device was just that, “cellular data extraction”, and not forensics. This instructor had “been around” and was a very knowledgeable computer forensic examiner, so I thought it was worth an ask since, heck, it was one of my classes.

The instructor explained to me that the simple extraction by the cellphone tool was just that, an extraction. To call it forensics was not right, since in computer forensics creating an “image”, or bit by bit copy of the evidence, was forensics. A cellphone on the other hand is not capable of giving a bit by bit image, they continued. Hmm, let’s start first with some definitions.

fo·ren·sic [fuh-ren-sik]
-adjective
1. pertaining to, connected with, or used in courts of law or public discussion and debate.
2. adapted or suited to argumentation; rhetorical.
-noun
3. forensics, (used with a sing. or pl. v.) the art or study of argumentation and formal debate.
Origin: 1650–60; < L forēns(is) of, belonging to the forum, public (see forum, -ensis) + ic

Ok, as I look at that definition I cannot find “because it does not get a bit by bit image” anywhere in it. What I do see is that forensics deals with information to be used in court, public discussions and debates. So essentially, when using the term computer forensics, the word forensics is used as a noun; but when describing what occurred, many of us use forensics as an adjective, saying I performed a forensic computer examination. In both instances we see the word argumentation. Now let’s not confuse that word with augmentation, as I did with my small brain, but argumentation. Again, below is a definition.

ar·gu·men·ta·tion [ahr-gyuh-men-tey-shuh n]
-noun
1. the process of developing or presenting an argument; reasoning.
2. discussion; debate; disputation: The lengthy argumentation tired many listeners.
3. a discussion dealing with a controversial point.
4. the setting forth of reasons together with the conclusion drawn from them.
5. the premises and conclusion so set forth.
6. argument (def. 5).
Origin: 1400–50; late ME argumentacioun (< MF) < L argūmentātiōn- (s. of argūmentātiō). See argument, -ation

Now we are getting to the bottom of forensics: a process of developing or presenting an argument, or the key word, REASONING. So a forensic analysis, whether it be of a computer, cellphone, goat or pig, must first have a point/direction/proposition/position. The forensics will then cover the process and reasoning to arrive at your conclusion.

Forensics has nothing to do with a tool that is utilized in an examination nor a piece of evidence being examined, but a process of presenting the evidence in a reasonable, accepted and repeatable fashion.

I do agree that many “examiners” in the cellphone community are on thin ice with examinations that have no process, but I do and will continue to fight those who abhor using the word forensic when it comes to a proper cellular phone examination.

Please, your thoughts?

With much respect,

Lee

Cellular Forensics

Of course, coming from the skies somewhere above the United States, I am going to talk about the beginning of my quest in cellphone forensics and where we are today. And for those that cringe every time I say “forensics” in the same breath as cellphones, I say “cellphone forensics”. That little debate can happen next blog.

This roll really stems from a conversation that was brought to light at a conference, and from the many questions I get when speaking and also in training. Is this new?

Actually extracting data from a cellphone is not new, but the realization that data actually exists and can be captured is on the news more than ever today. Political figures, celebrities and sports figures have found out that having a cellphone and doing bad things is not a good choice (what’s up, Favre). So the media captures it in vivid pictures, we eat it up as consumers, and law enforcement is expected to recover the text message deleted two years ago on the suspect’s LG VX5200. Well, they did it on CSI, so why can’t you? Therein lies the rub. What about yesteryear?

Once upon a time… As a police detective in a northwestern police department, we would bring our suspects in for an interview during a late night call out. We would completely neglect the weird talking device they had in their possession. This of course was in the time of the sweet StarTAC and Audiovox candy bar type phone (called candy bar, of course, because of the size and shape). What were we supposed to do with those? I seriously laugh and cry at the same time when I think about the cases that I might have closed if I had just looked at the device, even if commando style. Fast forward to the early 2000s when I pondered, “Hey, I have been to many computer forensic classes; are these crazy phones just digital storage devices?” The rest is history, as they say, at least for me.

We began to not take these little devices for granted, but actually put them above a computer exam because of the intimate information they yielded. Heck, they ride around in the owner’s pants all day; how intimate is that? No, seriously, the data held in a cellular phone is probably 200 times more likely to paint a valid picture of the owner than any other piece of evidence found. We unfortunately are slaves to the digital age. A testimony to this is just picturing yourself stranded in an airport without your cellphone. Yes, I have had a panic attack or two… truly frightening, we are slaves…… What this means to you as a reader is to become educated in the tools and training available to you, because these devices will be at the forefront of digital investigations, there is no doubt. If you are pushing these tools and/or training off as “something to be dealt with later” because cellphone forensics is a “magical task”, you are already behind the curve. These devices are not going anywhere. What is old to some is very new to others.

What we as examiners now need to focus on is the idea of a clean and forensic examination of the material/device, and not the “cool stuff” extracted by the software. I say that because the day is coming when an exam will not be judged by what was extracted but rather by how it was extracted.

This brings me to the conclusion of my roll. No matter the tool you use in your examination, the time to understand the underlying principles is upon us. Back when we started we just worried about what data was recovered; today we must worry about how, where and why we extracted and recovered it.

Thanks for hanging with me and don’t forget to subscribe to this blog….

Lee

FTK 3.2 and cellphones

A little bit of a layoff on the blog due to some crazy class schedules, but hey, I am here again at 30,000 feet, so what the heck. Let’s talk about AccessData’s FTK.

I have been messing with AccessData’s new FTK 3.2 since its release, and have you seen the cellphone-related features? I have been pretty impressed with items such as image mounting, ipd support, dates and times, and others. Let me tell you about my tests, and I hope to hear from many others who have tried it.

First off, I took a disk image created by AccessData’s MPE+ new (beta) full image support of a 3GS iPhone, and also a 3G iPhone disk image created by iXAM from FTS. I then added both to FTK 3.2 as evidence, selecting “image” as the type. Once the data was processed I right clicked on the evidence and selected to mount them. HOLY smokes, what just happened? I then went into My Computer and there they were, like two new little devices, but with a sweet exception: the mounted device showed the unallocated portion as well! So technically I could create a full AD1, E01, etc. with Imager at that point and it would include the unallocated area as well. Hey, Imager: YES, the new FTK Imager 3 also allows you to mount them as devices! This is pretty sweet considering I used to have to have MacDrive installed if I used FTS iXAMiner when it parsed the dmg and reported on the data. Truly a nice new offering in FTK.

The second item I looked at was the addition of bringing in ipd files as evidence. An ipd is a proprietary file created by the BlackBerry Desktop Manager software (which of course is free). I selected the image file option and pulled down to the ipd file type. I brought in the file and was amazed at what was now displayed: the files and folders fully parsed and showing in a cool filesystem view. Now, as I ran through some of the folders like address, messages, and SMS/MMS, the traditional cool HTML made it look even better. I even figured out that I can add an extension when making the report and the cool HTML displays beautifully in my report. The coolest thing that FTK does so beautifully is email. I just opened up the email tab and whammo, all the email was sitting there in full FTK style; email done, CHECK! Of course images and any other item I can custom carve were easily located and reported on. I quickly saw a folder “blackberry messenger” and immediately clicked to expose the database file; there was data, but alas, not parsed…YET. There were other folders that contained data rows but have yet to be parsed… I was told soon, but for a start FTK gets all the common areas. Nice!

Next, I looked at the new and improved Hex Interpreter. As I remembered it from doing computer exams, this feature contained a limited selection of data types, so I was pleasantly surprised when cellphone dates and times showed up. So I tested it with an LG that I had extracted the filesystem from and brought in as a compound file.
I navigated to the nvm folder and then to nvm/SMS to find an inbox.dat message. Once I selected the file I switched over to the Hex tab to show the file in hex. I then clicked the tab for the Hex Interpreter and held it down to dock it beside the Hex View of the file. I located the four bytes in the file indicative of delivery time, swept them, and watched the Hex Interpreter display the date/time from the highlighted data. Sweet. I clicked on the interpreted data and copied it. This converted data was easily added to the bookmark for this SMS message. So AccessData has added a quasi-Decode, but for cellphones, in FTK 3.2. Cool feature, let me tell you… OUTSTANDING.
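As an added illustration of what a cellphone hex interpreter does with a swept four-byte field (this is example code, not AccessData’s or the post’s own), the functions below decode one DWORD against the 32-bit epochs such tools commonly offer and let the examiner filter the candidates against the case’s date window. The sample bytes are constructed, and since the post does not state which encoding the LG inbox.dat actually uses, the epoch list is an assumption about what is worth trying, not a statement about that file’s format.

```python
import struct
from datetime import datetime, timedelta, timezone

# Candidate encodings for a 32-bit time field. The post does not say which
# one the LG inbox.dat uses, so, like a hex interpreter, we show them all.
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),  # seconds since 1970-01-01
    "gps": datetime(1980, 1, 6, tzinfo=timezone.utc),   # GPS/CDMA system time
    "mac": datetime(2001, 1, 1, tzinfo=timezone.utc),   # Apple absolute time
}
BYTE_ORDERS = {"le": "<I", "be": ">I"}


def interpret_dword(raw: bytes) -> dict:
    """Decode four bytes as every epoch/byte-order pair; values are ISO-8601 UTC."""
    if len(raw) != 4:
        raise ValueError("expected exactly four bytes")
    results = {}
    for epoch_name, epoch in EPOCHS.items():
        for order, fmt in BYTE_ORDERS.items():
            (seconds,) = struct.unpack(fmt, raw)
            stamp = epoch + timedelta(seconds=seconds)
            results[f"{epoch_name}_{order}"] = stamp.isoformat()
    return results


def within_window(results: dict, start: str, end: str) -> list:
    """Return the labels whose decoded time falls inside the case window.

    start/end are ISO dates (YYYY-MM-DD) treated as UTC. A hex interpreter
    lists every candidate; the examiner keeps the ones that fit the case.
    """
    lo = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    hi = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    return [label for label, stamp in results.items()
            if lo <= datetime.fromisoformat(stamp) <= hi]


# Constructed sample: four bytes swept in the hex view (hypothetical value).
SAMPLE = bytes.fromhex("c00fb64c")

if __name__ == "__main__":
    decoded = interpret_dword(SAMPLE)
    for label, stamp in decoded.items():
        print(f"{label:8s} {stamp}")
    print("plausible for a 2010 case:",
          within_window(decoded, "2010-01-01", "2010-12-31"))
```

Only the little-endian Unix reading of the sample lands in 2010; the other five candidates fall decades away, which is exactly the kind of sanity check to apply before bookmarking an interpreted value.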

I have also heard a few rumblings about adding the ability to run an entire binary file OR filesystem for any PDU and then decode it as such, showing the converted text! Can’t wait!

So, just a quick preview of the new cellphone offerings in FTK 3.2. I immediately recognize that AccessData has made a great leap from a company focused just on computer forensics to one focused on digital data, including cellular phone data.

Let me know what you think if you try it. Also, I am going to try to get a demo on the MFI YouTube spot. Keep checking……

Alright, landing to speak in Wisconsin…until next time..

Lee

They are doing what???

I frequently have prior students, blog readers, forum followers and Twitter twerps contact me via Twitter, blogs or in their own classes, screaming, “Hey, someone is using your curriculum” or “they are passing off ideas as their own.”

First off, thank you all for your concerns and comments. Second, there was a time that I took this incredibly hard, focusing on the work I put into the research and documentation only to have someone pass it off as their concept. I now just do not focus on the lack of insight of these individuals but more on the great way to pass on information by duplication. And when concepts are duplicated, what a great testament to your own work! Worrying about who said what, who came up with the term “awesome”, or who formulated the algorithm for the MSL of MetroPCS is a waste. The fact remains, it has been solved, conceptualized and put out for feeding. Let’s focus on the feeding and not sweat the egos of some who constipate the knowledge of us all.

Check out our 101, 202 and new 303 courses, not to mention our online courses at Mobile Forensics Inc. I hope to hear from you all soon, or better yet see you at a conference or training class.

Lee

Mobile Phone Examiner plus

Another one of these from in the air. Was there not a movie about this? Anyway…

We have been doing this for a while and have seen a few pieces of software come and a few go.

Take for example:
If you were witness to Neutrino and shortly thereafter Mobile Phone Examiner (version 1), you know where I am coming from. These entries in the mobile phone arena did not even get a second look. They were tools that came from a computer forensics company, and not too many people in the “know” looked at them with any amount of seriousness. Same goes with many others, some I may not mention due to thin skin issues. There might finally be one of the big ones getting it right.

I first qualify this with a statement I always make in my training courses and hope my instructors preach the same: there is no one tool that will be your only tool in processing a mobile device; there are too many variables.

Because of the aforementioned issue in cellphone processing, multiple tools must be used. If you ever run into a salesperson telling you one tool is all you need to process all cellphones, I suggest you run. They are obviously not practitioners, and buying software from a salesperson without intimate knowledge of the processing of these devices will most likely sell you short. I have been able to look at AccessData’s MPE+ software prior to its release on September 14, 2010. Here is what I have seen so far and also what I have been told.

The MPE+ comes both in a mobile style called the MPE+ Mobile Field tablet and also in a stand-alone PC version. I am told the stand-alone is for the office while the field version is for on-scene work. Both use the same underlying code with just a different graphical user interface. The mobile unit has larger buttons to allow the examiner to use a stylus or finger, but all the functionality is consistent with either choice.

The initial software release will support over 1200 phones of either CDMA or GSM flavor. The best feature, which will soothe the MFI student, is the ability to take all the data, filesystems included, into FTK like a glove. This will allow for the easy processing of the artifacts missed or just overlooked by many software titles in the cellphone market. The subsequent release in the fourth quarter of 2010 will bring around 900 more phones to the supported field, to include full physical imaging of the iPhone, iPad and iTouch. Also on the agenda will be the addition of Android and Windows Mobile, BlackBerry and many other handsets. Comparing the first version of the Mobile Phone Examiner to the new plus version is night and day.

I have been told a comparative list will be on the web soon. If I find it I will post it for everyone via an update.

If you are attending the HTCIA international conference in a week or so, jump into the MFI basic class or head to the AccessData booth for a demo.

Mobile Forensics Inc 303 – Release Notes

Another airblog for you. This time coming from 40,000 feet!

Finally, a new MFI on-site course! We ran this course in some private venues to see how it went. To be honest we sorta feel like a band doing a little testing of the soon to be released album at the Roxy, but hey, Sterling, VA is close, right?
The outcome and comments on the curriculum have been outstanding, so we are taking the course on the road starting October 19th in a new location for Mobile Forensics Inc, San Francisco, California. The course will run for three full days.

If you have not heard about the course and want a little info on the content and difficulty level, read on..

We of course have two other live courses, the MFI 101 and 202. The MFI 101 is our three day intro to automated tools course, and our 202 is an advanced course dealing with topics that include flash interpreting, carving, communication techniques, artifact hunting and interpretation, to name a few.

The NEW MFI 303 course is sorta between the two in difficulty, with the addition of two new flashers and interpretation of data across the port (which are the most difficult concepts), as well as using FTK to carve data not recovered by most logical cellphone software tools. This can include, but is not limited to, Internet, MMS and file metadata.

Our big sellers, and the most commented on in the test classes, are the instruction in obtaining a full disk image from the Apple iPhone, parsing it for user data, then analyzing it in FTK, and the instruction on the Cellebrite Physical Analyzer software. Here is a little more detail on both.

APPLE DEVICE DISK IMAGES

During the course we will be utilizing both FTS iXAM as well as the soon to be released AccessData MPE+ to create a full disk image (DMG) of the Apple device, or, if you want, just a disk image of the user partition.
What if the phone has a user lock (PIN)? Who cares when using these methods, since we bypass them!
Continuing on, we then examine this extracted .dmg in FTS iXAMiner and AccessData’s FTK, which can natively support .dmg files, mounting the HFSX(+) filesystem. We rip the user data from the image and then carve to our hearts’ content to look for deleted images, videos, text, email, voice messages and more.
We say bye bye to using the command line or running only on a Mac, as was the norm before. Using the aforementioned method was both unreliable and risky, leaving fragments and sometimes dealing with the possibility of corrupting the disk. Now any and all data, locked or not, is at your fingertips with these new tools.

CELLEBRITE PHYSICAL ANALYZER

The Cellebrite Physical Pro is an add-on for the standard UFED that can extract data from many cellular phones that most tools cannot recover: physical memory from the phone’s flash. Using the UFED Physical Pro is briefly covered in the MFI 303 as part of the class, since it is relatively easy to operate, but using the accompanying software, the UFED Physical Analyzer, is covered a ton! We tear into the software and talk about every aspect, from the parsed data that the software “recognizes” to doing some serious carving for data it might have missed. Because the UFED PA software is designed for cellphones, many formats like PDU, Unicode, ICCID and numbers, to name but a few, are easily located even if they were not originally parsed by the UFED PA software.
If you have a Physical Pro and the Physical Analyzer software it is worth coming just for this day, as we really get into some cool features not covered in any other course.

Yes, that is ALL that is in the class, I say with a smile. All MFI students know I pack about three weeks into a week-long class, so there is no shortage of information in this three day class either.

I am really proud of this new offering from MFI and think the content is relevant, current and most of all really COOL. I really hope you can make it.

I am out for now! Back to the in-flight movie…..

File 0000000000000001.db? If that’s a file where would you look?

When processing an Apple device, check the files located in /private/var/mobile/Library/WebKit/Databases.

The Databases.db file is a SQLite database that contains a listing of databases. Entries can include (https) Google Mail and Yahoo Mail. The corresponding file name is listed for each database entry.
The individual files are located under /private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/ with filenames similar to 0000000000000001.db. This SQLite database contains a full listing of the mail, including messages and full information about each message (to / from / subject / attachments / status (draft/deleted/trash/unread etc.)).

Information relating to Facebook and YouTube activities also can be found in these databases.
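An added example (not the post’s own code) of walking the Databases.db index described above and resolving each entry to its numbered .db file, opening everything read-only. The index schema is assumed to match WebKit’s Web SQL layout (a Databases table with origin, name and path columns, where origin doubles as the per-site subdirectory name such as https_mail.google.com_0); the sample tree, the YouTube entry with a missing file, and the messages table are all constructed for the dry run.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def ro_connect(path: str) -> sqlite3.Connection:
    """Open a SQLite file read-only so the evidence copy is never modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_webkit_databases(root: str) -> list:
    """Resolve every entry in WebKit/Databases/Databases.db to its on-disk file.

    Assumed schema (WebKit's Web SQL index): table Databases with columns
    origin, name, displayName, estimatedSize, path, where origin is also
    the name of the per-site subdirectory (e.g. https_mail.google.com_0).
    """
    index = ro_connect(os.path.join(root, "Databases.db"))
    try:
        rows = index.execute(
            "SELECT origin, name, path FROM Databases ORDER BY origin").fetchall()
    finally:
        index.close()
    results = []
    for origin, name, path in rows:
        full = os.path.join(root, origin, path)
        entry = {"origin": origin, "name": name, "path": full,
                 "exists": os.path.isfile(full), "tables": []}
        if entry["exists"]:
            db = ro_connect(full)
            try:
                entry["tables"] = [r[0] for r in db.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            finally:
                db.close()
        results.append(entry)
    return results


def build_sample(root: str) -> None:
    """Write a constructed Databases.db and one origin database for a dry run."""
    origin = "https_mail.google.com_0"
    os.makedirs(os.path.join(root, origin))
    idx = sqlite3.connect(os.path.join(root, "Databases.db"))
    idx.execute("CREATE TABLE Origins (origin TEXT UNIQUE, quota INTEGER NOT NULL)")
    idx.execute("CREATE TABLE Databases (guid INTEGER PRIMARY KEY AUTOINCREMENT, "
                "origin TEXT, name TEXT, displayName TEXT, estimatedSize INTEGER, path TEXT)")
    idx.execute("INSERT INTO Origins VALUES (?, ?)", (origin, 5242880))
    idx.execute("INSERT INTO Databases (origin, name, displayName, estimatedSize, path) "
                "VALUES (?, ?, ?, ?, ?)",
                (origin, "mail", "Mail", 5242880, "0000000000000001.db"))
    # Second entry whose file is absent, so the listing flags the gap.
    idx.execute("INSERT INTO Databases (origin, name, displayName, estimatedSize, path) "
                "VALUES (?, ?, ?, ?, ?)",
                ("http_www.youtube.com_0", "history", "History", 65536, "0000000000000002.db"))
    idx.commit()
    idx.close()
    mail = sqlite3.connect(os.path.join(root, origin, "0000000000000001.db"))
    mail.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, "
                 "subject TEXT, status TEXT)")
    mail.execute("INSERT INTO messages VALUES (1, 'sender@example.com', "
                 "'constructed sample', 'unread')")
    mail.commit()
    mail.close()


def demo() -> list:
    """Build the sample tree in a temp directory and enumerate it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return list_webkit_databases(root)


if __name__ == "__main__":
    for e in demo():
        state = "present" if e["exists"] else "MISSING"
        print(f"{e['origin']:28s} {e['name']:8s} {state:8s} tables={e['tables']}")
```

Point list_webkit_databases at the WebKit/Databases directory of a mounted image to get the same listing for real evidence; an entry flagged MISSING is a lead to carve for, not a dead end.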

This can be a gold mine that is overlooked by many investigators.

MFI Training Series vol 1 -Processing

Ok, so we left off talking about the examiner’s process, and now we are going to move on to the actual processing of the device itself. I will generically talk about some key points I like to cover in my courses.

First though, let me thank all those that responded, both on the record in their own blog or post, and in the emails I received asking questions, offering comments and suggestions. Truly, we are all in this together and that is the only way we can grow.

Moving on.

Location of Key Files

Do your tools actually tell you where the data resided on the device? Or do you just assume that the question will never arise? If you are asked, will you simply respond, “from the phone, sir”? Well, I would say a follow-up question for the examiner would be, “Ok, but where in the phone, officer, like the shared folder or the cam folder?” Should this matter? Simply think of computer forensics and the location of images in relationship to the “temporary internet” folder or the “my pictures” folder. There is a tremendous difference in computer forensics, so shouldn’t it be of importance in cellphone forensics? Of course there are always exceptions, but are you looking?

Location of Artifacts

What tools extract internet history? A few, but most tools only extract it from smartphone type devices like the iPhone, Windows Mobile, Android OS, Palm and others. How about the VX8500 from Verizon? Can I connect to the Internet with this device? Can I run a chat application? Again, these artifacts are easily recovered from the filesystems of these devices with a simple filesystem extraction and then a simple string search.

Overkill, you might say? Not so, when I recover that URL showing access to a website where the user checked on a stolen firearm they posted on craigslist, or the access to a victim’s webmail they stalked, or possibly a Google Maps search for a burglary location. These are all real examples of data I personally have located when conducting a “standard” thorough cellphone examination.

These are only a few examples of cellphone artifacts.
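The “simple string search” for web artifacts in a filesystem extraction, as an added example that is not part of the original post: it pulls URL-like strings out of a raw dump in both plain ASCII and UTF-16LE (the form many phone filesystems store text in, which a plain ASCII grep misses) and tallies the hosts. The dump bytes, hosts and query string are constructed.

```python
import re
from urllib.parse import urlsplit

# Characters allowed after the scheme; the run must be at least 4 long.
URL_CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
# Plain ASCII URL as it appears in an HTML cache or a browser history record.
ASCII_URL = re.compile(rb"https?://" + URL_CHARS + rb"{4,}")
# The same text stored as UTF-16LE: every ASCII byte is followed by a NUL.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00){4,}")


def find_urls(blob: bytes) -> list:
    """Return (offset, encoding, url) for every URL-like string in a raw dump."""
    hits = []
    for m in ASCII_URL.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_URL.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def host_tally(hits: list) -> dict:
    """Count hits per host so the examiner sees which sites the device touched."""
    tally = {}
    for _offset, _encoding, url in hits:
        host = urlsplit(url).hostname
        tally[host] = tally.get(host, 0) + 1
    return tally


# Constructed stand-in for a filesystem extraction: padding, one ASCII URL,
# some unrelated bytes, and one URL stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\xff" * 40 + b"\x00" * 8
    + b"http://maps.google.com/maps?q=123+Main+St" + b"\x00" * 16
    + b"noise bytes \x01\x02\x03"
    + "https://mail.example.com/inbox".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 24
)

if __name__ == "__main__":
    found = find_urls(SAMPLE_DUMP)
    for offset, encoding, url in found:
        print(f"0x{offset:08x} {encoding:9s} {url}")
    print(host_tally(found))
```

The offset returned for each hit is what lets you answer the “where in the phone?” question above: it ties the artifact back to a file or region of the dump rather than just “the phone”.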

Don’t forget dates and times, which are severely lacking in the recovery by most tools. This is a huge reason we cover locating and recovering dates and times in the filesystem in our courses. That of course will be another blog.. Until then..

What do you think you might have missed?

HTCIA

Greetings, all you followers of MFI Bloggingness (if that is a word; if not, I call it). This comes to you from about 39,000 feet, my frequent abode and resting place for bloggingness.

I wanted to drop a line about the HTCIA International conference in Atlanta, Georgia this year. MFI will be doing a “do not miss” class or two. Here is a little bit about the two classes.

The Basic Approach

The first class is going to be all about the newbie coming into cellphone forensics, with some cool information on troubleshooting and then into some automated tools like the NEW AccessData MPE+, Susteen’s Secure View and Cellebrite’s UFED. Also, learn why tools don’t like to work with each other and how to fix that.

Get some quality time with the automated tools to make the decision for yourself! That is what MFI is all about: letting the student decide on the tools that they may use in their examinations. This course will lead up to the second course, which will bring the examiner to “how can I bring in and locate more information than the standard logical tool?”

The Advanced Approach

Moving on from simply extracting the data, we move to what we should do with the data. Since most applications only give you a limited view with the logical data, we will take it a bit farther with the introduction of data like dates and times, web artifacts, MMS artifacts and many other pieces of data not seen on the standard extraction.
We will also be looking at data from devices like the iPhone and the types of data we can recover from these devices using a physical acquisition approach. There is a wealth of information in these devices that is untouched by the standard logical tools on the market today.

That is a quick rundown on the course. If you are heading to the HTCIA conference this year I hope to see you there!
