Data back-up using manufacturer’s software

If you use software such as Blackberry Desktop Software or iTunes to create back-up files, always test each new version to verify its settings. Recent versions have changed their default settings. You do not want to find your own contacts and bookmarks on the suspect’s Blackberry because it automatically synced with your computer the moment it was connected.

The current version of Blackberry Desktop Software is Ver. 6, and there are some major changes with this release. The GUI looks very similar to the previously released Mac version, and with it the menus and default settings have also changed. You will need to connect a test device to change the settings and verify the results before an evidence device is ever plugged in. Once connected, a photo of the device model and the device particulars are displayed in the main panel of BDS; a screen capture of this is helpful for the reporting process.

The current version of iTunes is Ver. 9.2. The settings must be changed prior to connecting the iPhone. Edit/Preferences/Devices displays a checkbox for “Prevent iPods, iPhones and iPads from syncing automatically”. This box must be checked. Once the device is connected to iTunes, right-click on the device name for a menu and select the back-up option.

Ensure that the software does what YOU want it to do when YOU want it to do it. A fresh user account for each device is also suggested to prevent cross-contamination between cases. Always verify your software.

Posted in Rant

When is a picture more than just a picture?

An iPhone 3G was received for analysis. The owner had reportedly taken video of an assault and subsequently deleted the video. The device was user-jailbroken and had the “Cycorder” app installed. This app uses the onboard still camera at 6-15 fps (individual still images streamed into a video).
A logical analysis of the device recovered 3,648 live images, but no videos were located.
The physical analysis recovered 28,791 images but no video files. Visual inspection of the images revealed that a number of them were of a fight and were consistent with witness descriptions. Analysis of the identified images revealed the following:
Header: FF D8 FF D1 (yoya)
Footer: FF D9
No EXIF information
Post-header: 6D 6A 70 67 (“mjpg”)

Sorting based on the above information identified 3,648 images. Using a JPG-to-AVI compiler and a frame rate of 10 fps, the 6 minute video of the fight was recovered and presented as court evidence.
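As an added example (mine, not part of the original post or any MFI tool), the following Python script carves frames matching the signature listed above out of a raw dump and numbers them in offset order so a JPG-to-AVI tool can assemble them. The signature bytes are the ones from the post; the assumption that flash offset approximates capture order, the 2 MiB per-frame sanity cap, and the file naming are mine, and the sample dump is constructed inline.

```python
"""Carve Cycorder-style MJPEG frames (FF D8 FF D1 + "mjpg", ending FF D9) from a raw dump."""
from pathlib import Path
from typing import List, Tuple

FRAME_HEADER = b"\xff\xd8\xff\xd1"   # SOI followed by the D1 marker seen on these frames
POST_HEADER = b"mjpg"                 # 6D 6A 70 67, immediately after the header
FRAME_FOOTER = b"\xff\xd9"            # EOI
SIGNATURE = FRAME_HEADER + POST_HEADER


def carve_mjpg_frames(blob: bytes, max_frame_len: int = 2 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, frame_bytes) for each complete frame, in offset order.

    The frames carry no EXIF segment, so there is no embedded thumbnail and the
    first FF D9 after the header really is the end of the frame (an EXIF thumbnail
    would contain its own FF D9 and cut the carve short). A frame whose footer lies
    beyond the next frame header was overwritten and is skipped rather than carved
    with another frame's tail glued on. ASSUMPTION: max_frame_len is a sanity cap
    chosen here, not a value from the post.
    """
    frames: List[Tuple[int, bytes]] = []
    start = blob.find(SIGNATURE)
    while start != -1:
        next_hdr = blob.find(SIGNATURE, start + len(SIGNATURE))
        end = blob.find(FRAME_FOOTER, start + len(SIGNATURE))
        if end == -1:
            break
        end += len(FRAME_FOOTER)
        truncated = next_hdr != -1 and next_hdr < end
        if not truncated and end - start <= max_frame_len:
            frames.append((start, blob[start:end]))
        start = next_hdr
    return frames


def write_frames(frames: List[Tuple[int, bytes]], outdir: Path) -> List[Path]:
    """Write frames as frame_00000_off<hex>.jpg, frame_00001_off<hex>.jpg, ... in offset
    order for a JPG-to-AVI tool; the source offset in the name ties each frame back
    to the dump for the report."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, (off, data) in enumerate(frames):
        p = outdir / f"frame_{n:05d}_off{off:08x}.jpg"
        p.write_bytes(data)
        paths.append(p)
    return paths


def estimated_duration_s(frame_count: int, fps: float) -> float:
    """Playback length when the carved frames are assembled at a fixed frame rate."""
    return frame_count / fps


# Constructed sample dump: two good frames, one ordinary JFIF still that must be
# ignored, and one frame that was overwritten before its footer.
SAMPLE_DUMP = (
    b"\x00" * 16
    + SIGNATURE + b"\x11" * 8 + FRAME_FOOTER                     # frame at offset 16
    + b"\xff\xd8\xff\xe0JFIF\x00" + b"\x22" * 4 + FRAME_FOOTER   # normal JPEG, not "mjpg"
    + SIGNATURE + b"\x33" * 5                                    # truncated frame at offset 49
    + SIGNATURE + b"\x44" * 6 + FRAME_FOOTER                     # frame at offset 62
)

if __name__ == "__main__":
    found = carve_mjpg_frames(SAMPLE_DUMP)
    print([off for off, _ in found])           # [16, 62]
    print(estimated_duration_s(3648, 10))      # 364.8 seconds, i.e. about 6 minutes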

The methods to obtain the physical DMG of an iPhone and the analysis of file headers/footers are covered in the MFI 202 and 303 classes. Seats are still available for the upcoming 202 class in Mississauga, Ontario, Canada. See www.mobileforensicsinc.com for more details.

Posted in Training

Samsung Lock Location

In processing a Samsung SCH-U740 it was found to have a lock code enabled. Utilizing BitPim’s File-system view I was able to obtain the file-system and hoped to find the lock code in the usual areas such as nvm_0002 and nvm_security. In examining the nvm_security folder I found the security code, but it was AAAA, almost as if Samsung had hidden the real code.

A little more digging and I found a file located in the root (/) of the file-system called current_prefs.db. In this SQLite file, at offset F15C, I located the text “pref_device_lockcode”, and right after the text was the four-digit lock code! The phone was unlocked and I was in. A little digging paid off. This is another example of why an examiner MUST always attempt to obtain the file-system of the phone to do a systematic and scientific exam.

Posted in Training

Don’t Forget The Filesystem

Let’s talk about phones!

Of course, the first step should ALWAYS be to isolate the handset from the cellular network, but the most important step when EXAMINING the cellular device is this: FILESYSTEM, FILESYSTEM, FILESYSTEM.

Did I say filesystem? The filesystem, if available, should always be the first extraction you as an examiner attempt. Time and time again, I am contacted and asked to consult on a phone from which a logical tool will not extract a portion of the user data. The first question I always have is, “Could you find the data in the filesystem?” 90 percent of the time I am answered, “I did not try that yet.” We know as examiners that user data cannot always be parsed from the filesystem, for a number of reasons. But the filesystem can be extracted far more efficiently, and 90 percent of the time the user data is easily located using FTK, EnCase or X-Ways (and of course others) when searching manually.

The best part: YOU the examiner can testify to the actual file location of that particular user nugget!


Another bonus of ALWAYS attempting to acquire the filesystem of a phone, particularly a CDMA phone, is the recovery of DELETED data. We have long searched over and over for tools to obtain a PHYSICAL acquisition of a CDMA device while deleted data has been right under our noses. CDMA handsets store cached data and files that are not logically accessible from the handset (or to many tools, for that matter). They may have been marked as “non-existent” by the phone, but they still reside in the filesystem. I have personally recovered over 800 SMS messages that were nowhere to be found when browsing the handset by hand, but were in the open when I backed the filesystem up and used FTK to parse the recovered data. Did I say OVER 800 damaging SMS messages? Other nuggets are HTML pages, URLs, email and more that are missed by skimping on the exam.

Don’t neglect the filesystem of the cellphone and go for just a logical extraction. If you do, you could be missing over half of the data sitting on the phone.

There are many tools out there for extracting the filesystem, from Cellebrite UFED to BitPim; you choose, but don’t leave it out of your total forensic exam.

Good Luck!

Posted in Training

MFI Training Series vol 1 -Process

This blog will be quite interesting and I think it might help express the ideas and theories I always yell at students about in class (sorry students, but passion is passion). I think I will start a series on process. Let’s go for the first bullet:

DON’T FALL INTO THE TRAP

First and foremost, wrap your head around the fact that the TOOLS used to extract data do a disservice to the community by using the term “forensic”. Using this term lulls a new examiner (or an old one) into thinking that there is some magic write-blocking mechanism built into the cable (don’t laugh, there are sales people selling that line) or the software. Understanding that there is no way to write-protect a phone that the OS sees as a serial port or modem is the first step to understanding that a TOOL does not put the FORENSICS in your exam; your PROCESS does. Yes, your process during the extraction is ultimately what will be called into question.

HAVE A SOLID PROCESS

As a cellphone examiner you often have to use multiple tools during an exam. If you are not, then how are you conducting any validation? OK, that is a blog post in itself; moving on. Back to what to do if you have to use one tool or multiple tools during a single exam.

First, you should attempt to obtain a backup of the cellphone filesystem (logically and/or physically), or as many user files as possible. These files should then be hashed by software capable of creating a known hash list. For example, AccessData’s FTK allows you to bring a cellphone filesystem into the application, and you can easily create a Known File Filter (KFF) set based on the files in the filesystem.
After this known set of hashes is created you can go about continuing your exam using as many tools as needed to extract the maximum amount of data. The last thing you should do in the exam is to re-acquire the filesystem, i.e. conduct the same initial extraction that you took into FTK and hashed. Once this extraction is completed you can bring the POST filesystem into FTK and run the known file filter against the new data to identify whether any files changed during your examination and extractions. You will notice every time that some files change. As you look closer you will recognize that the files changing are SYSTEM files (logs, connection state, counters) and not user files. Every changed file has to be accounted for as a system file; once it is, you can show, file by file and with hashes, that no user data was altered during the examination. Can you do that in your current methodology?
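As an added example (mine, not the MFI process and not FTK’s KFF feature), here is the same PRE/POST comparison done with SHA-256 in Python, so the check can be reproduced and documented without depending on a particular product. The user-data path prefixes are placeholders to be replaced with the locations the handset under exam actually uses, and the two sample extractions are constructed in memory.

```python
"""Pre/post hash comparison for a handset filesystem extraction (stand-in for an FTK KFF run)."""
import hashlib
from pathlib import Path
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Known-hash set for an extraction on disk: relative POSIX path -> SHA-256.
    Relative POSIX paths make PRE and POST trees from different folders comparable."""
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_extractions(pre: Dict[str, str], post: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str], Set[str]]:
    """Return (unchanged, changed, added, removed) relative paths between two hash sets."""
    common = set(pre) & set(post)
    changed = {k for k in common if pre[k] != post[k]}
    return common - changed, changed, set(post) - set(pre), set(pre) - set(post)


# ASSUMPTION: placeholder prefixes; substitute the user-data locations of the handset in hand.
USER_DATA_PREFIXES = ("nvm/", "sms/", "pim/", "media/")


def is_user_data(relpath: str) -> bool:
    return relpath.startswith(USER_DATA_PREFIXES)


def altered_user_files(pre: Dict[str, str], post: Dict[str, str]) -> List[str]:
    """Every user-data path that changed, appeared or vanished between PRE and POST.
    An empty list is the evidence behind "no user data was altered"; anything in it
    has to be explained in the report, not waved away."""
    _, changed, added, removed = compare_extractions(pre, post)
    return sorted(p for p in changed | added | removed if is_user_data(p))


# Constructed PRE/POST extractions: the examination touched a system log and wrote a
# connection-state file, but none of the user files.
PRE_FILES = {
    "nvm/nvm_0002": b"\x00\x01secret",
    "sms/inbox.dat": b"txt from 5551212",
    "sys/log.txt": b"boot 1\n",
}
POST_FILES = {**PRE_FILES, "sys/log.txt": b"boot 1\nusb connect\n", "sys/last_connect": b"1"}
PRE_HASHES = {k: sha256_hex(v) for k, v in PRE_FILES.items()}
POST_HASHES = {k: sha256_hex(v) for k, v in POST_FILES.items()}

if __name__ == "__main__":
    unchanged, changed, added, removed = compare_extractions(PRE_HASHES, POST_HASHES)
    print("changed:", sorted(changed), "added:", sorted(added), "removed:", sorted(removed))
    print("altered user files:", altered_user_files(PRE_HASHES, POST_HASHES))   # []
```

For real extractions, call `hash_tree()` on the PRE and POST folders and keep both hash sets with the case file; the changed/added/removed lists are what you will be asked about on the stand, and the classification of each one as a system file is yours to defend.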

Unfortunately, most rely on the software of their choice simply using the word forensic in its literature to call their exams forensic. Don’t be one of them; use a forensic process!

Posted in Training

Some RegEx’in

Hey, we have started the MFI 303 course, where we cover grabbing some serious artifacts from cellphone filesystems. Did you know that the majority of cellular extraction tools only parse out about 40% of the actual data? What I mean by that is that they target the usual: phonebook, call logs, media and MMS. What the heck happens to the REST of the data, like URLs, Internet history, passwords/usernames and lock codes? Well, for the most part NO logical software around even touches it. This is due either to the differences in the locations in the software/firmware on the devices, or to the lack of examination training at the companies that develop the software. In either case the loser is really the examiner if they fail to take their time in an examination and only take what the tool gives them.

We have been taking the lid off that mess, looking through the files and carving the data using standard forensic tools like AccessData’s FTK. We have been using RegEx (GREP) expressions to find even more data quickly. For example, we have been using \x01\d\d\d\d\x01 to find lock codes on LG, Sanyo, Samsung and Audiovox handsets! Give it a go. Some others we have been using locate internet artifacts and chat, and also carve 3GPP, AMR and other files!

More on this later! Thanks for reading, and I hope to get more of this on the page soon!

Posted in Rant

Welcome

Welcome to the Mobile Forensics Inc blog. I think this may be a way for me to stay on top of any issues that I might run into. Our newsletter has been a bit backlogged just because of the crazy schedule we have all had here at MFI. We have been so crazy busy that I have neglected getting anything out. I hope this helps, since I can throw stuff up on the site whenever. I also want some comments so we can get this thing rolling.

Thanks,

Lee

Posted in Rant