Digital forensics: Computer and mobile forensic
Computer and Mobile Forensic
Lecture 12
1
Background
• Cyber activity has become a significant
portion of everyday life of general public.
• Thus, the scope of crime investigation has
also been broadened.
• As society has become more and more
dependent on computers and computer
networks, those computers and networks may
themselves become targets of criminal activity,
such as burglary, destruction, intelligence
gathering, or even cyber war.
2
Forensic Science
• The functions of the forensic scientist
▫ Analysis of physical evidence
▫ Provision of expert testimony
▫ Provision of training in the proper recognition,
collection, and preservation of physical
evidence
3
Computer (or Cyber) Forensics
• Definition:
▫ Preservation, identification, extraction,
documentation, and interpretation of computer media
for evidentiary and/or root cause analysis using well-
defined methodologies and procedures.
• Methodology:
▫ Acquire the evidence without altering or damaging the
original.
▫ Authenticate that the recovered evidence is the same
as the original seized.
▫ Analyze the data without modifying it.
4
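The three methodology steps above (acquire without altering, authenticate the copy against the original, analyze without modifying) are what a hash-verified acquisition gives you in practice. The following is an added example, not code from the lecture: it images a constructed sample "device" file, hashes the source bytes as they are read, re-verifies the image, writes a chain-of-custody record, and then shows that a single changed byte in the working copy is caught. File names, the examiner label and the sample bytes are all constructed for the demo.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: stands in for the raw bytes of a seized storage device.
SAMPLE_DEVICE_BYTES = (b"BOOT" + b"\x00" * 508) + b"suspect notes: meeting at 9\n" + b"\x00" * 484

HASH_ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 as in the deck, plus SHA-256


def hash_stream(stream, algorithms=HASH_ALGORITHMS, chunk_size=65536):
    """Hash a binary stream in chunks (so multi-gigabyte images fit in memory)
    and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=HASH_ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def acquire(source_path, image_path, chunk_size=65536):
    """Step 1: copy the source byte-for-byte to an image file, hashing the
    source bytes as they are read. The source is opened read-only; on a real
    seizure a hardware write-blocker enforces that at the bus level."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(image_path, expected):
    """Step 2: re-hash the image and compare with the acquisition hashes.
    Returns (all_match, list_of_mismatched_algorithms)."""
    with open(image_path, "rb") as img:
        actual = hash_stream(img, tuple(expected))
    mismatches = [alg for alg in expected if actual[alg] != expected[alg]]
    return (not mismatches), mismatches


def custody_record(image_path, hashes, examiner, note):
    """Chain-of-custody entry: who did what, when, and the hashes that let
    anyone re-verify the image later."""
    return json.dumps({
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "hashes": hashes,
        "note": note,
    }, sort_keys=True)


def run_demo():
    """Acquire the constructed device, verify the image, then show that a
    single changed byte in a working copy is detected by every hash."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "seized_device.bin")   # constructed name
        image = os.path.join(workdir, "seized_device.dd")     # constructed name
        with open(source, "wb") as f:
            f.write(SAMPLE_DEVICE_BYTES)
        hashes = acquire(source, image)
        ok_after_acquire, _ = verify(image, hashes)
        record = custody_record(image, hashes, "examiner-01 (placeholder)",
                                "acquired from seized_device.bin")
        # Simulate an analyst accidentally writing to the image (step 3 violated).
        with open(image, "r+b") as f:
            f.seek(520)
            f.write(b"X")
        ok_after_tamper, mismatched = verify(image, hashes)
        return {"hashes": hashes, "ok_after_acquire": ok_after_acquire,
                "ok_after_tamper": ok_after_tamper, "mismatched": mismatched,
                "record": record}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing the source during the copy, rather than afterwards, means the recorded digest describes the bytes that were actually read from the original; a second pass over the image then proves the copy matches. Analysis work happens on further copies verified the same way, so the authenticated image is never opened for writing.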
Types of Computer Forensic
• Disk Forensics: Deals with extracting raw data from the primary or
secondary storage of a device by searching active, deleted or modified files.
• Network Forensics: The sub-branch of computer forensics that involves
monitoring and analyzing computer network traffic.
• Database Forensics: Deals with the study and examination of databases and
their related metadata.
• Malware Forensics: Deals with the identification of suspicious code and the
study of viruses, worms, etc.
• Email Forensics: Deals with emails and their recovery and analysis,
including deleted emails, calendars and contacts.
• Memory Forensics: Deals with collecting data from system memory
(registers, cache, RAM) in raw form and then analyzing it for
further investigation.
• Mobile Phone Forensics: Mainly deals with the examination and analysis
of phones and smartphones, helping to retrieve contacts, call logs, incoming
and outgoing SMS, etc., and other data present on them.
5
Network Forensics
The study of network traffic to search for
truth in civil, criminal, and administrative
matters to protect users and resources from
exploitation, invasion of privacy, and any
other crime fostered by the continual
expansion of network connectivity.
6
114/02/28
Jau-Hwang Wang
Central Police University,
Taiwan
7
Category of Digital Evidence
• Hardware
• Software
▫ Data
▫ Programs
8
Digital Evidence
• Definition
▫ Digital data that can establish that a crime has been
committed or can provide a link between a crime and
its victim or a crime and its perpetrator
▫ Categories
 Text
 Audio
 Image
 Video
9
Where Evidence Resides
• Computer systems
▫ Logical file system
 File system
 Files, directories and folders, FAT, clusters, partitions, sectors
 Random access memory
 Physical storage media
▫ Slack space
 Space allocated to a file but not actually used, due to internal
fragmentation
▫ Unallocated space
10
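The slack space and unallocated space bullets above are easiest to see on a tiny disk image. What follows is an added example, not part of the lecture: it constructs a four-cluster image in which an 800-byte file was deleted and a 26-byte memo later allocated cluster 0, then computes the memo's slack, carves what the deleted file left behind in that slack, and lists the clusters that no directory entry owns. The cluster size, file names and contents are all constructed; the directory is a plain list rather than a real FAT.

```python
CLUSTER_SIZE = 512  # constructed value; FAT volumes use 512 bytes up to 64 KiB per cluster


def cluster_usage(file_size, cluster_size=CLUSTER_SIZE):
    """Return (clusters_allocated, slack_bytes) for a file of file_size bytes.
    Slack is the tail of the last cluster that the file does not use."""
    if file_size <= 0:
        return 0, 0
    clusters = -(-file_size // cluster_size)  # ceiling division
    return clusters, clusters * cluster_size - file_size


def build_sample_image():
    """Construct a 4-cluster image: an 800-byte file once occupied clusters 0-1
    and was deleted; a 26-byte memo was then written into cluster 0."""
    image = bytearray(4 * CLUSTER_SIZE)
    old_data = b"OLD FILE: transfer 5000 to account 1234 " * 20   # 800 bytes
    image[0:len(old_data)] = old_data
    new_data = b"memo: nothing to see here\n"                    # 26 bytes
    image[0:len(new_data)] = new_data                            # only these bytes are overwritten
    directory = [{"name": "memo.txt", "size": len(new_data), "clusters": [0]}]
    return bytes(image), directory


def extract_file_slack(image, entry, cluster_size=CLUSTER_SIZE):
    """Bytes between a file's logical end and the end of its last cluster."""
    n_clusters, slack = cluster_usage(entry["size"], cluster_size)
    if n_clusters == 0:
        return b""
    last = entry["clusters"][n_clusters - 1]
    end = (last + 1) * cluster_size
    return image[end - slack:end]


def unallocated_clusters(image, directory, cluster_size=CLUSTER_SIZE):
    """(cluster_index, bytes) for every cluster that no directory entry owns."""
    allocated = {c for e in directory for c in e["clusters"]}
    total = len(image) // cluster_size
    return [(i, image[i * cluster_size:(i + 1) * cluster_size])
            for i in range(total) if i not in allocated]


def printable_runs(data, min_len=8):
    """Carve runs of printable ASCII: the simplest 'strings'-style triage."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(bytes(current))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(bytes(current))
    return runs


if __name__ == "__main__":
    image, directory = build_sample_image()
    slack = extract_file_slack(image, directory[0])
    print(f"memo.txt slack: {len(slack)} bytes ->", printable_runs(slack)[0][:40])
    for idx, data in unallocated_clusters(image, directory):
        for run in printable_runs(data):
            print(f"unallocated cluster {idx}:", run[:40])
```

The 26-byte memo owns one whole 512-byte cluster, so 486 bytes of the deleted file survive as its slack; the remaining 288 bytes of the deleted file sit in cluster 1, which is unallocated. Neither region is visible through the logical file system, which is why an acquisition must image the physical media rather than copy files.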
Where Evidence Resides (continued)
• Computer networks
▫ Application Layer
▫ Transport Layer
▫ Network Layer
▫ Data Link Layer
11
Evidence on Application Layer
• Web pages, Online documents.
• E-Mail messages.
• News group archives.
• Archive files.
• Chat room archives.
• …
12
Challenges of Computer Forensics
(continued)
• How to collect the specific, probative, and
case-related information from very large
groups of files?
▫ Link analysis
▫ Visualization
• Enabling techniques for lead discovery from
very large groups of files:
▫ Text mining
▫ Data mining
▫ Intelligent information retrieval
13
Challenges of Computer Forensics
(continued)
• Computer forensics must also adapt quickly to
new products and innovations with valid and
reliable examination and analysis techniques.
14
Understanding Mobile Device
Forensics
• People store a wealth of information on cell phones
▫ People don’t think about securing their cell phones
• Items stored on cell phones:
▫ Incoming, outgoing, and missed calls
▫ Text and Short Message Service (SMS) messages
▫ E-mail
▫ Instant-messaging (IM) logs
▫ Web pages
▫ Pictures
Understanding Mobile Device
Forensics (continued)
• Items stored on cell phones: (continued)
▫ Personal calendars
▫ Address books
▫ Music files
▫ Voice recordings
• Investigating cell phones and mobile devices is
one of the most challenging tasks in digital
forensics
Inside Mobile Devices
• Mobile devices can range from simple phones to
small computers
▫ Also called smart phones
• Hardware components
▫ Microprocessor, ROM, RAM, a digital signal
processor, a radio module, a microphone and
speaker, hardware interfaces, and an LCD display
• Most basic phones have a proprietary OS
▫ Although smart phones use stripped-down
versions of PC operating systems
Inside Mobile Devices (continued)
• Phones store system data in electronically
erasable programmable read-only
memory (EEPROM)
▫ Enables service providers to reprogram phones
without having to physically access memory chips
• OS is stored in ROM
▫ Nonvolatile memory
SIM Card
Inside Mobile Devices (continued)
• Subscriber identity module (SIM) cards
▫ Additional SIM card purposes:
 Identifies the subscriber to the network
 Stores personal information
 Stores address books and messages
 Stores service-related information
Understanding Acquisition Procedures for Cell
Phones and Mobile Devices
• Check these areas in the forensics lab:
▫ Internal memory
▫ SIM card
▫ Removable or external memory cards
▫ System server
• Checking system servers requires a search
warrant or subpoena
• SIM card file system is a hierarchical structure
• MF: root of the system
• DF: directory files
• EF: elementary data
Understanding Acquisition Procedures for Cell
Phones and Mobile Devices
• Information that can be retrieved:
▫ Service-related data, such as identifiers for the
SIM card and the subscriber
▫ Call data, such as numbers dialed
▫ Message information
▫ Location information
• If power has been lost, PINs or other access
codes might be required to view files
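The two slides above describe the SIM file system (MF root, DF directories, EF elementary files) and the service-related data that can be retrieved from it, such as identifiers for the card and the subscriber. The following is an added example, not code from the lecture: it models a subset of that hierarchy, resolves a file's path back to the MF, and decodes two constructed elementary-file records into the card serial number (ICCID) and the subscriber identity (IMSI). The file identifiers and the nibble-swapped BCD coding are assumed here to follow the GSM 11.11 / 3GPP TS 51.011 layout; the record bytes themselves are constructed and belong to no real card.

```python
# File identifiers are the standard GSM 11.11 / 3GPP TS 51.011 values
# (assumed here, not taken from the lecture); the tree is a subset.
SIM_FILES = {
    0x3F00: ("MF", None),          # master file: root of the hierarchy
    0x2FE2: ("EF_ICCID", 0x3F00),  # card serial number
    0x7F10: ("DF_TELECOM", 0x3F00),
    0x6F3A: ("EF_ADN", 0x7F10),    # abbreviated dialling numbers (address book)
    0x6F3C: ("EF_SMS", 0x7F10),    # short messages
    0x7F20: ("DF_GSM", 0x3F00),
    0x6F07: ("EF_IMSI", 0x7F20),   # subscriber identity
    0x6F7E: ("EF_LOCI", 0x7F20),   # location information (TMSI, LAI)
}

# Constructed sample record contents (not from a real card).
SAMPLE_EF_IMSI = bytes.fromhex("08 09 10 10 10 32 54 76 98")       # IMSI 001010123456789 (test MCC 001)
SAMPLE_EF_ICCID = bytes.fromhex("98 44 11 00 21 43 65 87 09 F1")   # ICCID 8944110012345678901


def sim_path(fid):
    """Walk parent links from a file ID up to the MF and render the path."""
    parts = []
    while fid is not None:
        name, parent = SIM_FILES[fid]
        parts.append(f"{name}({fid:04X})")
        fid = parent
    return "/".join(reversed(parts))


def children(fid):
    """File IDs directly under a DF or the MF."""
    return sorted(child for child, (_, parent) in SIM_FILES.items() if parent == fid)


def swapped_bcd_digits(data):
    """SIM numeric fields hold two digits per byte, low nibble first; 0xF pads."""
    digits = []
    for b in data:
        digits.append(f"{b & 0x0F:X}")
        digits.append(f"{b >> 4:X}")
    return "".join(digits)


def decode_imsi(ef_imsi):
    """EF_IMSI: byte 0 = length; byte 1 low nibble = odd/even flag (bit 4) plus
    identity type bits (001 = IMSI), high nibble = first digit; the remaining
    bytes are swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if len(body) != length or (body[0] & 0x07) != 0x01:
        raise ValueError("not an IMSI record")
    odd_digit_count = bool(body[0] & 0x08)
    digits = f"{body[0] >> 4:X}" + swapped_bcd_digits(body[1:]).rstrip("F")
    if (len(digits) % 2 == 1) != odd_digit_count:
        raise ValueError("IMSI odd/even flag disagrees with digit count")
    return digits


def decode_iccid(ef_iccid):
    """EF_ICCID: 10 bytes of swapped BCD, 19 or 20 digits, 0xF padded."""
    return swapped_bcd_digits(ef_iccid).rstrip("F")


def luhn_valid(number):
    """ICCIDs end in a Luhn check digit; a decoded value that fails the check
    was misread or mis-decoded and should not go into the report."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def read_sim_summary():
    """The service-related identifiers an examiner would record first."""
    iccid = decode_iccid(SAMPLE_EF_ICCID)
    return {
        "iccid": iccid,
        "iccid_checksum_ok": luhn_valid(iccid),
        "imsi": decode_imsi(SAMPLE_EF_IMSI),
        "imsi_path": sim_path(0x6F07),
        "sms_path": sim_path(0x6F3C),
    }


if __name__ == "__main__":
    for key, value in read_sim_summary().items():
        print(f"{key}: {value}")
```

Decoding by hand like this is also the check to run on a tool's output: if a reader reports an IMSI whose odd/even flag contradicts its digit count, or an ICCID that fails its Luhn digit, the record was read incorrectly or the card was damaged, and that belongs in the examination notes.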
Mobile Forensics Equipment
• Mobile forensics is a new science
• Biggest challenge is dealing with constantly
changing models of cell phones
• When you’re acquiring evidence, generally
you’re performing two tasks:
▫ Acting as though you’re a PC synchronizing with
the device (to download data)
▫ Reading the SIM card
• First step is to identify the mobile device
Mobile Forensics Equipment
(continued)
• Make sure you have installed the mobile device
software on your forensic workstation
• Attach the phone to its power supply and
connect the correct cables
• After you’ve connected the device
▫ Start the forensics program and begin
downloading the available information
Mobile Forensics Equipment
(continued)
• SIM card readers
▫ A combination hardware/software device used to
access the SIM card
▫ You need to be in a forensics lab equipped with
appropriate antistatic devices
▫ General procedure is as follows:
 Remove the back panel of the device
 Remove the battery
 Under the battery, remove the SIM card from its holder
 Insert the SIM card into the card reader
Mobile Forensics Equipment
(continued)
• SIM card readers (continued)
▫ A variety of SIM card readers are on the market
 Some are forensically sound and some are not
▫ Documenting messages that haven’t been read yet
is critical
 Use a tool that takes pictures of each screen
iPhone Forensics
• MacLockPick II
▫ Uses backup files
▫ It can’t recover deleted files
• MDBackUp Extract
▫ Analyzes the iTunes mobile sync backup directory
Mobile Forensics Tools
• Paraben Software Device Seizure Toolbox
▫ Contains cables, SIM card readers, and more
• Data Pilot
▫ Similar to Paraben
• BitPim
▫ Can view data on many phones, but it's not
intended for forensics
• MOBILedit!
▫ Has a write-blocker
Mobile Forensics Tools
• SIMCon
▫ Reads files on SIM cards
▫ Recovers deleted text messages
▫ Archives files with MD5 and SHA-1 hashes
• Software tools differ in the items they display
and the level of detail
Mobile Forensics Equipment
(continued)