This 5 page Class Notes was uploaded by James Cha on Friday February 6, 2015. The Class Notes belongs to TINFO444 at University of Washington taught by John Bair in Winter2015. Since its upload, it has received 82 views. For similar materials see Mobile Digital Forensics I in Information technology at University of Washington.
Reviews for TINFO444Week5Notes.pdf
Date Created: 02/06/15
T INFO 444 Mobile Digital Forensics I
Week 5: Tuesday Feb 3rd and Thursday Feb 5th

Troubleshooting in Digital Forensics
- Mobile examiners, regardless of experience, will say that the extraction process is never smooth. Troubleshooting can present unique problems from one phone to the next.
- In computer forensics the examiner is working with a copied, validated image file and will not usually encounter problems that are out of the ordinary.
- The extraction process can be problematic; the situations that happen most often:
  - Check forensic program and driver installation: The forensics program is not installed completely or lacks required drivers, or (for many of the older programs) will only run on a Windows OS.
  - Internal settings on a device: The phone has an internal setting that needs to be specifically "set up" in order for the tool to communicate with the phone.
    - Considered to be one of the most common problems.
  - Defective cable or data port: Cables can wear out with use, and phones may also have loose or damaged data ports.
  - The phone is partially charged: Phones should be charged to at least 50% before beginning the acquisition.
  - High port numbers assigned to the device: Devices generally prefer to communicate on lower available ports.
  - Device environment is locked by the carrier: Some locks, such as Subsidy Lock Codes and Master Subsidy Locks, are set by the manufacturer and can sometimes prevent a forensic tool from communicating with the target phone's file system.
  - User-enabled security: A mobile forensic lab can have thousands of dollars worth of equipment and highly trained examiners and personnel, but if the user has enabled security on the device it may very well limit access.
    - Many newer phones encrypt files when the user has enabled a simple 4-digit passcode.
    - Considered to be the most commonly encountered problem.
  - Environmental factors or damaged devices: Phones exposed to snow, water, fire or other destructive force can be irreplaceable.

Truck & Trailer Analogy
- An analogy that may assist an examiner, using the steps in a truck and trailer connection.
- Example scenario: There are no lights on a boat trailer to respond.
  - Apply it to problems that may be encountered when acquiring data in a Windows environment.
  - First step: The truck lights work properly, and so do the turn signal and brake lights. In terms of a Windows environment, Windows too must be able to function properly, with no other driver-related issue present in the Device Manager. You must first try to eliminate preexisting problems.
    - In terms of the truck: if the fuses are already burned out, how can we get back to the wiring harness for the trailer? Most people are not going to have yellow question or exclamation marks, like in Windows, to go back to default.
  - Next step: The truck battery and wire harness have been checked. Using a test probe we check our 7-way connector and get no power to any of the corresponding connectors mounted on the truck. The connector brass screws are cleaned and rechecked.
    - This time the test probe responds positive and the trailer also shows positive results on the lights.
  - When encountering communication problems between Windows and the cell phone, we must begin a process of elimination. We can begin by looking at the program itself and ensuring it was properly installed with all the necessary drivers. Questions to ask yourself:
    - Does the USB respond to other devices?
    - Is the port itself having problems?
    - Is the data cable working correctly?
    - Does the same cable work on another phone or other USB device?
    - Is the phone itself blocking commands due to a setting?
  - The Truck & Trailer analogy helps begin a process of getting each step of the problem eliminated and assists in troubleshooting.

Device Manager
- The Device Manager (DM) is the control panel within Microsoft Windows that allows users to view, control and make various changes to hardware that is attached to the computer.
- The DM can be accessed in a number of ways:
  - The Windows key and the "Pause/Break" button on your keyboard can be pressed simultaneously.
  - Accessing the Control Panel > System and Security > System.
  - Right-clicking on the Computer icon and clicking the bottom Properties tab.
- Within the DM some phones can show up under the Modem and Ports tab.
  - If a phone shows as a modem, the examiner can conduct diagnostic troubleshooting.
    - Diagnostic troubleshooting allows the examiner to conduct communications at the Windows level with the cell phone.
    - This would be at the "truck" level in the Truck & Trailer analogy.
- Modem tab: Indicates which COM port has been assigned by Windows for the device.
  - Most of the tools and utilities that install in a Windows environment work best at LOWER COM port numbers.
  - As the machine is gradually used over time, these COM port numbers can get higher and higher, even when previous devices have been unplugged.
- Advanced tab: Allows ports to be manually reassigned, and also allows you to see the entire number of COM ports as well as which ones are in use.
- Diagnostics tab: Where a built-in command allows devices that are properly installed as modems to receive commands.
  - Query Modem: Allows the examiner to see if communication can be achieved between the Windows OS and the device that is plugged in.
    - In doing this you can determine if there are problems that may exist just with Windows and not with the actual program that you are using for forensic analysis.

Understanding Mobile Phone Protocols
- Examiners tasked with acquiring data from mobile phones must have an understanding of the communications that may take place. Each phone manufacturer can have different protocols needed for this communication between the phone and the forensic tool.
- Protocol Filtering: Steps taken by forensic software vendors to ensure that when these communications do take place, no data is altered in the process related to the actual container.
  - Once done, the file system could result in changes, but the actual area or evidential container (i.e. call history) would not be changed at all.
- There are several forms of protocols:
  - Synchronization Markup Language (SyncML)
  - Infrared Data Association (IrDA)
  - Object Exchange Protocol (OBEX)
  - Android Open Accessory (AOA)
  - Media Transfer Protocol (MTP)
  - Etc.
- Handset Communication Types are very important information for an examiner, as they will determine which steps to take in the forensic process.
  - For example, assume that a simple Samsung pay-as-you-go phone will have a SIM card. In America this device would only be an AT&T or T-Mobile serviced device, so the examiner would know that he should power the phone off or on before he begins the examination.

GSM & CDMA
- Several years ago, identifying a GSM handset was as easy as locating the SIM card. At that time the only thing you needed to do was look to see if the phone had a SIM card slot.
  - If it did, you knew you were working with a GSM network.
- World Phones: primarily CDMA technology, but still had a GSM card for networks outside of America.
  - Today, with 4G and higher speeds, smart phone devices will contain the mini or micro SIM card but still use CDMA technology.

Visual Identification
- The collection of the mobile device will require some baseline understanding, and someone who is new to this process can quickly become overwhelmed by the vast array of phones on the market. To ease this process there are some simple things you can consider:
  - Look for the carrier name: Many devices will have a logo for the carrier network imprinted on a visible area of the phone.
  - AT&T and T-Mobile: If the device you are looking at has markings from either AT&T or T-Mobile, you can assume you will either have a SIM card inside or an empty slot where the SIM once was.
    - AT&T and T-Mobile are carriers that ALWAYS use a SIM card.
  - Sprint and Verizon: Depending on the model of the phone, if you see Verizon or Sprint markings it may or may not contain a SIM card.

The 3 Form Factors
- Cell phones used to come in only 1 size; they started out quite large and bulky, became very small, and are now going back to large again.
  - By "large" this refers mainly to the size of the screen.
- Determining the form factor on phones that do not have the associated wireless carrier printed on them may be necessary in determining the model.
- There are 3 main form factors, and they refer to the size, phone style and general shape:
  - Bar (also referred to as Brick or "Candybar"): Currently the most common type of cell phone worldwide.
    - It is a flat phone that can have keys present or a touch screen only, an example being the iPhone.
  - Slider: These types of phones will have a keyboard or other controls that slide to one side of the main screen.
    - QWERTY-style keyboards are the most common, and some even have limited mouse abilities and other features.
  - Flip: Also commonly referred to as the "clamshell", this phone will have a hinge that allows the sections to open, which can be vertical or horizontal.

Common Cell Phone Operating Systems
- Many people believe that there are just a few systems available on cell phones, but there are in fact many:
  - Android
  - iOS
  - Windows Phone
  - Symbian
  - Firefox OS
  - Blackberry
  - Sailfish
  - Ubuntu Touch
  - Tizen
  - Palm
  - Windows Mobile

Removable Storage
- Outside of Apple devices, the likelihood of encountering removable media is highly probable.
- Initially in megabyte storage sizes, but cards have grown to include devices that support 64 GB and higher.
- Often carried over from one phone to another.
- There are various types of storage cards, but the MicroSD card is the most commonly found.
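The COM port behaviour covered under Device Manager above (tools preferring lower COM numbers, numbers climbing as devices are plugged and unplugged, and Query Modem as a Windows-level communication test) can be checked from the command line. The following PowerShell script is an added example, not part of the original notes or of any forensic vendor's tooling; it assumes an elevated PowerShell on Windows, the standard COM Name Arbiter and SERIALCOMM registry locations, and, for the AT query, a phone that has already enumerated as a modem.

```powershell
# Added example: read-only COM port check; assumes elevated PowerShell on Windows.
function Get-ReservedComPorts {
    # ComDB bitmap: bit n of byte i set => COM(8*i+n+1) reserved, even if that device is unplugged.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\COM Name Arbiter'
    [byte[]]$db = (Get-ItemProperty -Path $key -Name ComDB).ComDB
    $reserved = @()
    for ($i = 0; $i -lt $db.Length; $i++) {
        for ($bit = 0; $bit -lt 8; $bit++) {
            if ($db[$i] -band (1 -shl $bit)) { $reserved += (8 * $i + $bit + 1) }
        }
    }
    return $reserved
}

function Get-PresentComPorts {
    # SERIALCOMM maps kernel device names (e.g. \Device\USBSER000) to COMx names present now.
    $item = Get-Item 'HKLM:\HARDWARE\DEVICEMAP\SERIALCOMM'
    $ports = foreach ($name in $item.GetValueNames()) {
        [int]($item.GetValue($name) -replace '^COM', '')
    }
    return @($ports)
}

function Format-Ports([int[]]$List) {
    if ($List.Count -eq 0) { return '(none)' }
    return ($List | ForEach-Object { "COM$_" }) -join ', '
}
function Test-ModemAt {
    # Command-line equivalent of Modem > Diagnostics > Query Modem: one AT command, raw reply.
    param([string]$PortName, [string]$Command = 'ATI')
    $port = New-Object System.IO.Ports.SerialPort -ArgumentList $PortName, 115200
    $port.NewLine = "`r"   # modems expect a carriage return, not a line feed
    try {
        $port.Open()
        $port.WriteLine($Command)
        Start-Sleep -Milliseconds 500
        return $port.ReadExisting()
    } finally { if ($port.IsOpen) { $port.Close() } }
}

$reserved = Get-ReservedComPorts
$present  = Get-PresentComPorts
$stale    = @($reserved | Where-Object { $present -notcontains $_ })
"Reserved in ComDB : $(Format-Ports $reserved)"
"Present right now : $(Format-Ports $present)"
"Stale (unplugged devices still holding a number): $(Format-Ports $stale)"
# Phones that enumerated as modems, with the COM port Windows assigned to them.
Get-CimInstance Win32_POTSModem | ForEach-Object {
    "$($_.Name) on $($_.AttachedTo):`n" + (Test-ModemAt -PortName $_.AttachedTo)
}
```

Nothing here writes to the registry; reassigning or freeing stale COM numbers is still done through the Advanced tab the notes describe, and a non-empty "Stale" line is the reason a freshly attached phone lands on a high COM number.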