This 4 page Class Notes was uploaded by Marcos Pedro Ferreira Leal Silva on Thursday October 1, 2015. The Class Notes belongs to CIT 365 at Pace University taught by Darren Hayes in Fall 2015. Since its upload, it has received 28 views. For similar materials see Mobile Device Forensics in Information technology at Pace University.
Date Created: 10/01/15
Mobile Device Forensics
Dr. Darren Hayes
Class 05

ANDROID DEVICES LECTURE

Pick a team project
The students were allowed to choose between 5 topics, which are detailed in the PDF available in Blackboard. We were given a few minutes to do some research about each topic and then choose a team.

Speaker: James
Intro
James is a recent graduate who works in the mobile device forensics field. When he was a student, one of his greatest projects was an inexpensive JTAG solution to extract data from mobiles. Working for the government, he has all kinds of crimes around him, such as homicides, rapes, child abuse, etc.

Android vs iOS
We would like to focus on comparing the good and bad aspects of both systems in the eye of forensics, not just the eye of the final consumer.

iOS:
- Closed system makes everything harder for the investigator, as Apple can change the locations of the files, the encryption and the security measures without any communication.
- Encrypts data when turned off and just decrypts it when the password is provided.

Android:
- Open code OS.
- Major changes every new release, which are about one year apart.
- Many different variations on each device (LG, Samsung, HTC, etc.) that could make it harder to obtain the data.

Android Overview
Android systems have many specific partitions, such as Boot, Recovery, User Data and System Files. Some variations occur from one manufacturer to another, but those are the most basic ones.

To get access to the user data files and system files, where the sensitive data about the investigation usually is, the investigator has some options:
- Brute force attack the password, in the case where the device is password protected. Usually an external tool is used, such as the MFC Dongle. This approach is extremely slow and could delete or encrypt the files after some wrong attempts, which is not what the investigator desires.
- JTAG the device and copy all the information from it, but it is very slow, requires that the phone is opened and requires specific tools.
- Boot a modified version of the OS with CWM (ClockWork Mod) or TWRP (Team Win Recovery Project) and configure full access to the files by modifying some files, such as init.prop in the root folder. This is the easiest and fastest option, but it needs to be treated with extreme care, because some systems detect the alteration of the boot partition and erase all user data in that case. This method is debatable and is questioned by lawyers, since the device is modified in the process, as the boot partition needs to be rewritten. The best argument used is that usually the sensitive data is in the user and system partitions, which are unaltered, but it is up to each judge/lawyer/boss to decide how to treat each case.
- Boot into download mode and copy files through ADB commands. It is probably one of the safest and fastest ways to copy, but it only works with selected models.

Some operations can be easily done with ADB (Android Device Bridge), but it can only be used on a device if USB Debugging mode is on in Developer Options. By default, the Developer Options are hidden in Android and can be turned on by tapping seven times quickly on the build info in Preferences > About.

Some files can provide extremely important info about the phone, such as apn.db and aps.db. One provides network information such as MAC, SSID and timestamp, and the other one provides cellular antenna information. The most interesting part is that both are always updated, even without connecting to those networks, which can be extremely useful. Imagine hypothetically that John Smith murders John Doe in Doe's house and then returns to his own house. Supposing Mr. Smith had his Android phone with him when he visited Mr. Doe's house, the MAC, SSID and timestamp would be recorded in his database even if he didn't connect to Mr. Doe's network. This is a great way to prove presence or trace a path. http://www.wiggle.com is a great source of MAC and SSID addresses.

As stated before, a brute force attack could allow access to the files in the device, but it would probably take a long time. Android phones are somewhat weak in their security once you have access to the files: anyone that obtained access could get the gesture.key file, which is simply a hash, but it could easily be looked up in a password hash database to get the full password.

One of the great challenges nowadays is encrypted data in mobiles. Once the data is encrypted, it is a hard and time-consuming task to recover it. To help with this, some techniques such as M m are used, where low temperature slows down the encryption process and gives the investigator more time to catch some data.

iOS Overview
The security of iDevices is really good: the decryption of data is done once the phone is rebooted and the password is inserted correctly. If we had a phone with a dead battery that is encrypted, much effort is necessary to access the data. The encryption is simple: there is a function F that takes the PIN number (which is the password) plus the UID number (a unique serial number printed on the chip inside the iDevice) and executes F(PIN, UID) to encrypt all the data. As we don't have access to the PIN number, we use many techniques to get the UID number and then calculate the encryption function with all available PIN numbers, which was about 10^4 but now is about 10^6.

"When Steve Jobs closes a door, he opens a window." Even though it is pretty hard to get data stored in an encrypted iDevice, most of them use cloud services that could be easily approached in other ways with legal requisitions, taking the hard part away from the forensic investigator and making this specific part bureaucratic.
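The notes above say that the network databases on an Android phone record MAC, SSID and timestamp for every access point the phone sees, and that an investigator can turn those rows into proof of presence or a path. The following added example (not part of the class notes, and not a real Android schema) shows that analysis step on a constructed SQLite table named `wifi_seen`; the column names, the sample rows and the `KNOWN_APS` lookup that stands in for a WiGLE-style query are all assumptions made for illustration, so the SQL must be adapted to whatever schema the pulled database actually has.

```python
"""Reconstruct a presence timeline from an Android network-observation database.

Added example, not from the class notes. The table layout is an assumption
made for illustration: real Android and forensic-tool databases differ by
version and vendor, so adapt the SQL to the schema you find.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows: (bssid, ssid, observed_at_ms). Timestamps are
# Unix epoch milliseconds, the unit Android commonly stores.
SAMPLE_ROWS = [
    ("00:11:22:33:44:55", "SmithHome", 1443715200000),  # 2015-10-01 16:00 UTC
    ("66:77:88:99:AA:BB", "DoeHouse", 1443722400000),   # 2015-10-01 18:00 UTC
    ("66:77:88:99:AA:BB", "DoeHouse", 1443723300000),   # 2015-10-01 18:15 UTC
    ("00:11:22:33:44:55", "SmithHome", 1443729600000),  # 2015-10-01 20:00 UTC
]

# Hypothetical lookup of known access points (what a WiGLE-style query
# would return for each BSSID). Constructed for the example.
KNOWN_APS = {
    "00:11:22:33:44:55": "Smith residence",
    "66:77:88:99:AA:BB": "Doe residence",
}


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wifi_seen (bssid TEXT, ssid TEXT, observed_at_ms INTEGER)"
    )
    conn.executemany("INSERT INTO wifi_seen VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def ms_to_utc(ms):
    """Convert epoch milliseconds to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def presence_timeline(conn, known_aps):
    """Collapse consecutive sightings of one location into visits.

    Returns a list of (location, first_seen, last_seen) tuples in time order.
    A BSSID that is not in the lookup is reported with its SSID so it can be
    researched later rather than silently dropped.
    """
    cur = conn.execute(
        "SELECT bssid, ssid, observed_at_ms FROM wifi_seen ORDER BY observed_at_ms"
    )
    visits = []
    for bssid, ssid, ms in cur:
        location = known_aps.get(bssid, f"unknown AP {ssid} ({bssid})")
        seen = ms_to_utc(ms)
        if visits and visits[-1][0] == location:
            # Same place as the previous sighting: extend the current visit
            visits[-1] = (location, visits[-1][1], seen)
        else:
            visits.append((location, seen, seen))
    return visits


def timeline_report(conn, known_aps):
    """Render the visits as one line each, suitable for a report."""
    lines = []
    for location, first, last in presence_timeline(conn, known_aps):
        lines.append(f"{first:%Y-%m-%d %H:%M}Z - {last:%H:%M}Z  {location}")
    return lines


if __name__ == "__main__":
    db = build_sample_db()
    print("\n".join(timeline_report(db, KNOWN_APS)))
```

Running the block prints three visits: Smith residence at 16:00, Doe residence from 18:00 to 18:15, Smith residence again at 20:00. The point the notes make is visible in the data: the phone never associated with the Doe network, yet the passive sighting still places it there with a timestamp.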
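The iOS overview describes the key as F(PIN, UID), with the UID locked inside the chip, and observes that the candidate space grew from about 10^4 to about 10^6 passcodes. The following added example (my own toy model, not Apple's implementation) makes that reasoning concrete: PBKDF2-HMAC-SHA256 stands in for F, the UID acts as the per-chip salt so a key can only be derived where the UID is, a `Device` class enforces the erase-after-N-failures policy mentioned for Android brute forcing, and `search_time_estimate` shows how the passcode length multiplies the cost. The iteration count and attempt limit are assumed values chosen for illustration.

```python
"""Toy model of a passcode-derived, device-bound encryption key.

Added example, not Apple's design or code. It mirrors the notes' F(PIN, UID):
the UID is a per-chip secret used as the KDF salt, so the same PIN yields a
different key on every device and the derivation cannot run without the UID.
"""
import hashlib
import hmac
import os
import time

KDF_ITERATIONS = 200_000  # assumed; high enough that one guess costs real time


def derive_key(pin: str, uid: bytes) -> bytes:
    """F(PIN, UID): PBKDF2 with the chip UID as salt (stand-in for the real F)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), uid, KDF_ITERATIONS, dklen=32)


def keyspace_size(digits: int) -> int:
    """Number of candidate numeric passcodes of the given length (10^digits)."""
    return 10 ** digits


def search_time_estimate(digits: int, seconds_per_try: float) -> float:
    """Worst-case seconds to try every passcode at a fixed cost per guess."""
    return keyspace_size(digits) * seconds_per_try


def measure_derivation_seconds(uid: bytes = b"\x00" * 32) -> float:
    """Time one derivation on this machine to feed search_time_estimate."""
    start = time.perf_counter()
    derive_key("0000", uid)
    return time.perf_counter() - start


class Device:
    """Toy device: keeps the UID in 'hardware' and rate-limits unlock attempts."""

    def __init__(self, pin: str, max_attempts: int = 10):
        self._uid = os.urandom(32)          # never leaves the chip
        self._key = derive_key(pin, self._uid)
        self._failed = 0
        self.max_attempts = max_attempts
        self.wiped = False

    def try_unlock(self, pin: str) -> bool:
        """Return True on the right PIN; wipe after max_attempts failures."""
        if self.wiped:
            return False
        if hmac.compare_digest(derive_key(pin, self._uid), self._key):
            self._failed = 0
            return True
        self._failed += 1
        if self._failed >= self.max_attempts:
            self.wiped = True               # the "erase after N failures" policy
        return False


if __name__ == "__main__":
    per_try = measure_derivation_seconds()
    for d in (4, 6):
        hours = search_time_estimate(d, per_try) / 3600
        print(f"{d}-digit passcode: {keyspace_size(d):,} candidates, "
              f"about {hours:.1f} h at {per_try * 1000:.0f} ms per guess")
    dev = Device("1234", max_attempts=3)
    results = [dev.try_unlock(p) for p in ("0000", "1111", "2222")]
    print("wrong guesses:", results, "device wiped:", dev.wiped)
```

Two things the numbers make plain: with the UID unavailable, every guess has to run on the device itself, where the attempt limit applies, and going from 4 to 6 digits multiplies the worst-case search by 100 regardless of how fast a single derivation is.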