🐉 neospace ~

📝 Latest Posts

Week 3 - Mobile Forensics

Jan 17, 20254 min read

Before Class

Week 3 DFEH Before Class

In-Class

Week 3 Slides >

 Acquisition Protocol

NOTE

In the context of mobile forensics, acquisition protocol refers to the standardized procedures and techniques used to acquire digital evidence from mobile devices in a forensically sound manner. The primary goal of acquisition protocol is to preserve the integrity and authenticity of the evidence while minimizing the risk of data alteration or contamination.

  • Wear gloves: Prevent fingerprint contamination.
  • Note open apps and clipboard contents: Record the device’s active state.
  • Use a Faraday bag: Prevent remote wiping or data alteration.
  • Document details: Record device information (name, IMEI, serial number, etc.) in the chain of custody form.

Android Devices

  • Modified Linux: Highlights Android’s base operating system.
  • Unique keys and permissions: Each device has unique user-defined security settings.
  • Extractable data: Lists various data types recoverable from Android devices (call logs, contacts, messages, apps, location data, passwords, Wi-Fi networks).
  • Rooting: Explains the process of rooting for increased control, highlighting both advantages (access to core files, removal of bloatware, enhanced battery performance, special app installation) and disadvantages (potential for bricking, security compromise, voiding warranty).

Methods for Screen Unlocking

  • Commercial screen lock bypass tools: These tools offer a high success rate with low data loss risk (examples provided).
  • Flashing custom recovery/ROM: A more advanced method popular among developers, involving replacing the device’s recovery system. This requires caution to prevent data loss or bricking. The slide emphasizes that write-blocking isn’t used in mobile forensics, unlike disk forensics.

Manual Information Extraction

Physical Acquisition

  1. Install Android SDK: Set up the necessary development kit (Android Software Development Kit).
  2. Enable USB debugging: Allow the device to communicate with the computer.
  3. Establish connection and acquire data: Connect and extract data using appropriate tools.
  4. Analyze the data: Process extracted data using forensic software.

Tools for image Extraction

  • BusyBox: A Swiss army knife of embedded Linux tools.
  • Ncat: A networking utility for data transfer.
  • dd: A command-line tool for creating disk images.
  • Kingoroot: An Android application for rooting.

JTAG Method of extracting information

This slide introduces the Joint Test Action Group (JTAG) method, an advanced data extraction technique involving direct communication with the device’s chip. The process involves identifying the Test Access Port (TAP), soldering wires, connecting a JTAG emulator, acquiring the image, and analyzing it with forensic software.

  • Advantages: Advanced, non-invasive, usable with many device types, less complex than Chip-Off.
  • Disadvantages: Low success rate with encryption, JTAG resources can be hard to find.

Chip-Off

Here are the steps involved in Chip-Off forensic examination:

  • The memory chip is removed via de-soldering it
  • The chip is cleaned and repaired (if necessary)
  • Memory chip is mounted on special hardware apparatus, and data is acquired.

Advantages:

  • Useful for examination of devices in damaged condition.
  • High probability of data acquisition if device is locked.
  • Gives forensics investigators the freedom to craft data acquisition process.

Disadvantages:

  • Heat and adhesive used to remove the memory chips may damage the circuit board.
  • Reassembly of the device after examination is very difficult and mostly unsuccessful.

IOS Operatig System

IOS Forensics

  • Passcode: Protects against unauthorized access.

  • Cryptographic protection: Some data is cryptographically protected.

  • Keychain: Secure storage for passwords and sensitive data.

  • Disk/Files: Encrypted data.

  • Logical: Uses external interfaces like iTunes backups, and the “backdoor” services such as file_relay and house_arrest.

  • Physical: Involves extracting a disk image and potentially brute-forcing the passcode, needing code execution on the device.

  • iCloud Backup: Can download backups (no encryption, but requires Apple ID and password).

  • NAND: An advanced technique potentially allowing recovery of deleted files.

IOS Security

Chain of trust:

  • BootROM (programmed at the factory; read-only)
  • iBoot (signature checked and loaded by BootROM)
  • Kernel (signature checked and loaded by iBoot)
  • Applications (verified and run by kernel)

Applications must be signed

  • 399/yr for an Enterprise one
  • Applications are sandboxed

JailBreak

Try at your own Risk ⚠️

Semi tethered jailbreaker : https://checkra.in/ (Jailbreaking ur device will remove ur warranty and remove the ability to install latest OS updates)

Tethered Jailbreak
  • Requires a connection to a computer to jailbreak the device.
  • Jailbreak does not persist across reboots.
  • May leave very few traces, especially with boot-level tethered jailbreaks.
Untethered Jailbreak
  • Modifies the device to jailbreak itself on each boot.
  • Jailbreak persists across reboots.
  • Leaves permanent traces.

iPhone backup extractor demonstration

Graph View

Backlinks