Advanced Techniques in Forensic Examination of Smartphones

Advanced Techniques in

Forensic Examination of Smartphones

2012(C) Oxygen Software, 2000-2012http://www.oxygen-forensic.com

Worldwide smartphone sales

36,3%

15,4%16,6%

25,3%

2,7%81M devices sold in 3Q 2010

Symbian

RIM

iPhone

Android

Windows Mobile

Source: Gartner (November 2011)

Smartphone market increased by 42% during just 1 year!

16,9%

11,0%

16,9%

52,5%

1,5%115M devices sold in 3Q 2011

(C) Oxygen Software, 2000-2012http://www.oxygen-forensic.com

Top smartphone vendors - 2011

23,9%

17,8%

4,8%3,9%2,9%2,7%

44,3%

440.5M devices sold in 3Q 2011

Nokia

Samsung

LG

Apple

RIM

HTC

Others

Source: Gartner (November 2011)


Smartphones

What information is stored on a modern smartphone?(C) Oxygen Software, 2000-2012

http://www.oxygen-forensic.com

Cell phone

Address book

Planner & Organizer

Messenger

Photo & Video camera

GPS navigator

Web & IM client

Platform for 3rd party apps


Smartphone is a small PC


Smartphone as: Cell phone• IMEI/ESN/Serial number• Hardware & Software revision• Network information

Basic Information

• Incoming, outgoing, missed calls history

• Sent & received messages history• GPRS & Wi-Fi sessions log

Event log

• IMSI• Phone numbers*• SMS messages*

SIM card

* - Usually these features are not utilized by smartphones


Smartphone as: Address book• First, middle, last name, nickname, joint name, company, department, job title

• Photo and personal ringing tone• Phone numbers: general, mobile, fax, video,

pager, VoIP, push-to-talk• Postal addresses, Web pages and e-mails• Different contact sources (Android)• Number of calls (Android)• Text notes• Private info: birthday, spouse, children• Custom field labels (Symbian, iPhone OS)• Multiple fields of the same type• Creation and last modification times

(Symbian, iPhone OS)

Contacts information

• List of caller groups & belonging contactsCaller groups

• List of assigned speed dialsSpeed dials


Smartphone as: Planner• Meetings, reminders and

anniversaries• Start date & time• Finish date & time• Alarm date & time• Recurrence• Last modification date & time

Calendar events

• Task description• Deadline• Priority• Alarm date & time• Completion date & time

Tasks

• Note text & dateNotes


Smartphone as: Messenger

• Text messages (SMS)• Multimedia messages (MMS)• E-mail messages with attached files• BIO messages: vCard, vCal,

configuration and others• Beamed messages: files sent via

Bluetooth, IR or USB• Standard message folders• Custom message folders• Date & time• Service center timestamp for

incoming messages• Information about deleted SMS

messages (Symbian, iPhone OS)

Messaging system


Smartphone as: GPS navigator• Last fixed GPS coordinates• Search history• Routes history• Last displayed map• Saved maps• List of favorite places

GPS Navigator

• GPS coordinates in camera snapshots*

• Cell coordinates in camera snapshots*• Cell coordinates for camera

snapshots**• Cell coordinates for video records**• Cell coordinates for SMS messages**

Location tagger

* - Available in EXIF header for almost all models having GPS receiver** - Available in several Nokia smartphones and Sony Ericsson devices


Smartphone as: Web client• Web cache files• Bookmarks• Pages view history• Last opened URLs• Search history• Cookies

Web browser

• IP, Login (UID, e-mail) and password*• Contacts list• Chat history• Calls history

IM client

* - Available for some IM clients


• Camera snapshots• Video clips• Voice records• Sounds and Podcasts• Wi-Fi networks list• Paired Bluetooth devices list• Activated SIM cards list• VPN profiles

Operating System apps

• List of installed applications• Office documents• Application logs & data files

3rd party apps

Smartphone as: PC

Extraction What data extraction methods are

available for mobile devices?


There are 2 standard ways to get forensic information from smartphones: logical and physical analysis

(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com

Standard extraction methods

• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML

• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)

Logical analysis

• Data extracted using direct memory reading (hex dump)

• Smartphone (or its memory chip only) connected to special hardware

Physical analysis


Logical analysis for smartphones• General phone information• Contacts (simple), calls*, SMS, settings*AT+

• General phone informationNokia FBUS

• General phone information• Files*OBEX

• General phone information• Contacts, calendar, notes, settings*,

bookmarks, messages*SyncML

1) The information extracted by all logical protocols is only the top of the iceberg2) All logical protocols were developed for data synchronization

General phone informationContacts*Calendar

NotesCalls historyMessages*

Files*Settings*

Bookmarks

* - Available data set is restricted and depends highly on manufacturer implementation

Caller groupsCustom field labels

Speed dialsMessages from custom folders

Event logDeleted messages

informationService center

timestampsGPS informationLocation tagged

dataWeb browser data

IM client data3rd party apps


Physical analysis for smartphones

What to do with gigabytes

of that?


Standard extraction methods: SummaryPhysical analysis

All information can be extracted

Hard to perform

Very hard to analyze

Expensive software, special hardware needed

In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS


How to extract data without a headache?

Physical analysis

All information can be extracted

Hard to perform

Very hard to analyze

Expensive software, special hardware needed* - Agent can extract all the information available for native OS applications


Agent application usage General phone information & SIM card data Contacts with all fields and custom field

labels Caller groups & Speed dials Event Log Calendar events Tasks & Notes Messages from standard and custom folders Deleted messages information Service center timestamp Camera snapshots, video clips and voice

records File system GPS & Location tagged information Web browser cache & bookmarks IM clients data 3rd party applications with their information

- Protected operating system

files- Memory dump


Afraid of writing to device?Comparison of phone content changes when performing

analysis using different approaches

SyncML protocol usage

Setting up sync parameters

Installing extra sync add-ons*

Running SyncML server

SyncML server generates synchronization log files

Agent application usage

Loading Agent to device

Installing Agent

Running Agent

Uninstalling Agent**

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)** - Agent does not generate any log files

Unlike Agent, SyncML server is not a forensically designed app and is out of full control from examiner. In addition - it makes more data modifications than Agent.


SummarySmartphones are a considerable part of mobile device marketFutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. It will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phonesBeing a multiple-in-one device and having OS with open API smartphones are turning into small PCs with big memory sizes, wide set of preinstalled applications and huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphonesAll logical protocols were developed for sync purposes, thus they can only extract a top of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden meanThe Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format that is more like a logical analysis.

Documents

Advanced Techniques in Forensic Examination of Smartphones