Research Project 2: Forensic Challenge · Outline Introduction Method FAT Walker Xarver Investigation Conclusion Scenario I Suspected arms dealer I Recovered phone from canal (memory

Outline Introduction Method FAT Walker Xarver Investigation Conclusion

Research Project 2: Forensic Challenge

Axel Puppe & Joeri Blokhuis

June 30, 2010




Introduction

Method

FAT Walker

Xarver

Investigation

Conclusion




Digital Forensic Research Workshop (DFRWS)

I Founded in 2001, annual meeting

I Advancing digital forensic science

I Target crowd:

I University researchersI Computer forensic examinersI Analysts

I Since 2005 annual challenge




Scenario

I Suspected arms dealer

I Recovered phone fromcanal (memory dumps)

I Questions:I Evidence connecting

suspect to the sale ofarms

I Evidence of the receiptof payment

I Recovery of any otherleads: individuals,companies, or bankaccounts




What information can be expected in a mobile phone?

I Phone dataI Log

I Phone callsI Text messages

I CalendarI AppointmentsI RemindersI Birthdays

I Address book

I File dataI Multimedia files

I AudioI VideoI Photos

I Documents

I Internet dataI Browser

I HistoryI CacheI Bookmarks

I E-mailI SentI ReceivedI DraftsI DeletedI Account settings

I Instant messaging




I Standard forensic toolsI Developed forensic tools

I FAT WalkerI Xarver




Standard Forensic tools

I Unsuccessful: Autopsy/Sleuthkit, Encase, FTK, Paraben CellSeizure, pyflag

I Beneficial: Scalpel(carving), Standard Linuxcommands(strings, file, grep), Google goggles.

Figure: Picture taken and identified by Google goggles




FAT

I Extract Directory Table EntriesI On physical memory dumpsI Filenames/Extension, MAC times

(Modified/Access/Creation)

I Benefits for a forensic investigator:I Initial researchI Possible user behaviour on the phoneI Last created filesI Build an absolute path (depending on the parent and current

directory)




Screenshot

I Memory dump 1:I Only two distinct MAC times

I Memory dump 2:I Clear gap from 2008 to 2010I Top files created since 2010: JPG, BIN, DAT and XML.

I Not updated: Access and Modification timeI Decide possible focus!




XML

<?xml version="1.0" encoding="UTF-8" ?>

<Forensics>

<Unit>

<Name> The Netherlands Forensic Institute </Name>

<City> The Hague </City>

</Unit>

<Unit>

<Name> New Scotland Yard </Name>

<City> London </City>

</Unit>

</Forensics>




XML

I XML Usage:I Sim CardsI DatabasesI Open Office XMLI Mobile phone (Android) applicationsI And more. . .

I Xarver features:I Read raw dataI Build XML treeI Deal with damaged XMLI Gives offsets of original data




Screenshot




Combining the tools




Xarver results

I MMSI Subjects: Look at this, This?, Contact, . . .

I EmailI Subjects: Buy, Engine, Payment, . . .

I Email SettingsI Email addressI UsernameI PasswordI And more. . .

I Call log




Pictures




Conclusion

I Evidence connecting suspect to the sale of armsI Found emails + pictures

I Evidence of the receipt of paymentI Suspected email (subject: ‘payment’)

I Recovery of any other leads: individuals, companies, or bankaccounts

I Individuals yes, Companies/Bank account(s) nothing so far. . .




Questions

Questions?

