Computer Forensics for Prosecutors

National District Attorneys Association
National Center for Prosecution of Child Abuse
January 17-18, 2012 ● Bismarck, North Dakota

Detective Micah Smith, Linn County Sheriff’s Office

Special Thanks To

• Lt. Josh Moulin, Southern Oregon High Tech Crimes Task Force
• Lt. Joseph Rampolla, Park Ridge (NJ) Police Department
• Richard Kaplan, Computer Forensic Specialist, USDOJ CEOS
• For their willingness to collaborate and share ideas in the digital world

Objectives

• Be able to identify sources of technical investigations
• Understand common terms related to computer hardware
• Understand how the Internet works and how IP addresses are assigned
• Understand how data is written, stored and deleted from storage devices
• Understand commonly used computer forensics terms, hardware and software
• Understand the importance of computer forensics examinations, and how they are completed
• Be able to understand the content of a computer forensics report

Sources of Investigations

• Walk-in complaints from citizens
• CyberTips from The National Center for Missing and Exploited Children - passed on from ICAC Task Force
• Referrals from other Law Enforcement Agencies
• Child Protection System undercover operations

Computer Forensics Defined

• “Pertaining to the Law”
• Coined in 1991 in the first training session held by the IACIS in Portland
• Described as the autopsy of a computer hard disk drive

Computer Forensics defined:
Collection, Preservation, Examination, Documentation, and Presentation …of computer related evidence.

Examination and Documentation

Digital Evidence can be:
• The Fruits of the Crime
• The Instrumentality
• The Evidence

Your Electronic Crime Scene just changed...again!

Where is the Crime Scene?

The Electronic Crime Scene spans:
• Cyberspace
• The Perpetrator’s System
• The Victim’s System

What type of examination is needed?

• Tier 1 - On-scene preview of digital evidence
  • Seizure of evidence, documentation, interviews
  • Encryption, P2P evidence, wireless/storage
  • RAM capture, Forensic Scan, zSearch
• Tier 2 - Evidentiary Forensic Analysis
  • Acquisition, analysis for indictment and plea agreements
  • Case-specific forensic analysis
  • Evidence to corroborate statements, CVIP submission
• Tier 3 - Requests from DA/Defense
  • Analysis to answer concerns and requests of DA
  • Analysis offered to Defense to exculpate their client
  • Opportunity to close door on defenses, move plea forward
• Tier 4 - Trial Prep Forensics and Analysis
  • Includes all seized digital evidence for case
  • Defeating known/plausible defenses, complete analysis report, preparation of demonstrative evidence, meeting with DA, prep of expert witness questions/testimony

Basics to Understand

• Common types of digital storage media
• How data is stored
• Hashing, how it works, and why it is important

Identifying Digital Evidence

Digital Evidence: What does it look like?
• USB Drives
• Memory Cards
• External Hard Drives
• Computers
• Mobile Devices
• GPS Devices
• Cloud Storage
• RAM / CPU

Digital & Electronic Evidence: RAM / CPU

Wireless Devices
• Be prepared to investigate wireless devices
• Understand how your own devices may interact wirelessly with suspect devices
• Wireless devices can contain evidence of crimes
• Much of the evidence on wireless devices (connection state, logs held in memory) is volatile, and gone once power is lost

Evidence of Wireless Devices

Understanding Data

Data Sizes
• Bit (b) is a single zero or one
• Byte (B) is eight bits in sequence together
• Kilobyte (KB) is 1024 bytes, sometimes shown as 1000 bytes
• Megabyte (MB) is 1,048,576 bytes, sometimes shown as a million bytes
• Gigabyte (GB) is 1,073,741,824 bytes, sometimes shown as a billion bytes
• Terabyte (TB) is 1,099,511,627,776 bytes, sometimes shown as a trillion bytes
• The two conventions explain a common mismatch in reports: a drive sold as “500 GB” (500,000,000,000 bytes) shows as about 465 GB when the examiner’s tool counts in units of 1,073,741,824 bytes. Record the exact byte count so the figures reconcile.

How Data is Written

• Data is written and read as 1’s and 0’s on the drive
• The hard drive is equipped with platters which spin at generally 7200 or 10000 rpm
• Mechanical arms move back and forth over the platters while they spin and write or retrieve data
• The data is written as the mechanical arm changes the magnetic coating on the platter’s surface to either + or – (a 1 or 0)
• Solid-state drives have no platters or arms; they store the same 1’s and 0’s in flash memory, and the drive’s own controller decides where each block physically lands

Hard Drive Terminology

• Data is stored on the surface of a platter in sectors and tracks. Tracks are concentric circles and sectors are pie-shaped wedges on the track.
• Sectors and Clusters: A sector contains a fixed number of bytes, typically 512 bytes (newer “Advanced Format” drives use 4096-byte physical sectors). Sectors are grouped together to form clusters, the smallest unit the file system hands out to a file
• Performing a high-level format prepares the hard drive for data by writing the file storage structure. A quick format rewrites only those structures, so the previous contents of the drive generally remain and can be recovered

How Digital Data is Stored

• Data is written in binary code, or 1’s and 0’s
• These 1’s and 0’s are grouped together in blocks of 8 and called bytes
• For example, in the ASCII code the sequence “01010011” represents the letter “S” and the sequence “01001111” is the letter “O”

Understanding Unallocated Space

• Allocated Space: Physical space on the hard drive that has been assigned and is being used by the file system at a specific moment in time. This includes:
  • Visible files
  • Hidden files
  • Slack space

Slack Space

• Computers write data one sector at a time but must allocate a minimum number of sectors (a cluster) for each file. These sectors are allocated even if you don’t use them
• File slack is the unused tail of the last cluster, and it can be an excellent source of evidence
• It’s like a video tape… If you say that a video tape can only have one show on it at a time, you would allocate a 2 hour video tape per show. Now if you record a ½ hour program, you still have 1½ hours of tape left
• If there was a program on the tape before you recorded the new ½ hour show, you would see it at the end minus the first ½ hour. This is slack space.

  [ ½ hour program | ------------ SLACK: 1½ hours of old program ------------ ]

Slack Space Recovery

• Often if data resides in slack space it can be forensically recovered
• Evidence from slack space will normally not have dates/times associated with it because that information may have been overwritten
• It is possible to get enough of a document or image to prosecute an individual
• Caveat: Windows zero-fills the unused remainder of the last sector it writes, so residual data survives only in the whole sectors of the cluster the new file never touched; on solid-state drives, blocks the file system releases may be erased by the drive itself

Partial File Recovery - Slack Space
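The slack mechanics described above, as an added worked example (Python written for this page, not a tool or script from the deck). It assumes a 4096-byte cluster made of 512-byte sectors and builds the cluster in memory: an old letter occupied it, a shorter note was later written over the front, and the code computes the slack geometry, cuts out the slack region, and pulls readable residual text from it the way a strings scan would. The old document, the new note and the sizes are constructed for illustration.

```python
"""Added example (not from the deck): locating and extracting file slack.

Constructed for illustration: 4096-byte cluster, 512-byte sectors, a cluster that
used to hold an old document and now holds a shorter file. Nothing here reads a
real disk; the cluster is built in memory.
"""
SECTOR_SIZE = 512
CLUSTER_SIZE = 4096  # 8 sectors per cluster, the default on an NTFS volume


def slack_layout(file_size, cluster_size=CLUSTER_SIZE, sector_size=SECTOR_SIZE):
    """Return (clusters_allocated, slack_bytes, ram_slack, drive_slack).
    Everything after file_size in the last cluster is slack. The unused tail of
    the last *sector* is 'RAM slack' (Windows zero-fills it on write); the whole
    sectors after that are 'drive slack' and keep whatever was there before."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    slack = clusters * cluster_size - file_size
    used_in_last_sector = file_size % sector_size
    ram_slack = 0 if used_in_last_sector == 0 else sector_size - used_in_last_sector
    return clusters, slack, ram_slack, slack - ram_slack


def build_cluster(old_content, new_content, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """The video-tape analogy in bytes: the cluster previously held old_content;
    a new, shorter file is written over the front of it. The last sector the new
    file touches is padded with zeros (RAM slack); untouched sectors keep the old
    bytes (drive slack)."""
    assert len(old_content) <= cluster_size and len(new_content) <= cluster_size
    cluster = bytearray(old_content.ljust(cluster_size, b"\x00"))
    cluster[:len(new_content)] = new_content
    end_of_sector = -(-len(new_content) // sector_size) * sector_size
    cluster[len(new_content):end_of_sector] = b"\x00" * (end_of_sector - len(new_content))
    return bytes(cluster)


def extract_slack(cluster, file_size):
    """The slack region: everything after the logical end of the file."""
    return cluster[file_size:]


def printable_runs(data, min_len=8):
    """Pull ASCII strings out of slack, as a 'strings' scan would, so an examiner
    can see residual text that has no file boundary and no timestamps."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


# Constructed sample: an old 2.5 KB letter, later overwritten by a 714-byte note.
OLD_DOCUMENT = (b"Dear Counsel, the files were moved to the external drive on Friday. " * 40)[:2560]
NEW_FILE = b"Shopping list: milk, eggs, bread. " * 21


def demo():
    cluster = build_cluster(OLD_DOCUMENT, NEW_FILE)
    clusters, slack, ram_slack, drive_slack = slack_layout(len(NEW_FILE))
    residual = printable_runs(extract_slack(cluster, len(NEW_FILE)))
    return {"clusters": clusters, "slack": slack, "ram_slack": ram_slack,
            "drive_slack": drive_slack, "residual_strings": residual}


if __name__ == "__main__":
    r = demo()
    print(f"{r['clusters']} cluster(s); {r['slack']} slack bytes "
          f"({r['ram_slack']} zero-filled, {r['drive_slack']} residual)")
    for s in r["residual_strings"]:
        print("  residual text:", s[:72], "...")
```

Note that the 310 zero bytes between the new file and the surviving text are exactly the RAM slack: the evidence starts at the next sector boundary, which is why slack carving is done on sector offsets rather than from the end-of-file byte.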

Understanding Unallocated Space

• Unallocated Space = Physical space on the hard drive that has not been assigned by the file system at a specific moment in time and is considered available for use. This includes:
  • Deleted files
  • Space that has not been assigned to a file

How Files are Deleted

• When a user deletes a file the computer does absolutely nothing with the file’s data itself; only the file system’s bookkeeping entry is marked free
• Depending on the file system that the hard drive is formatted to, some things are handled differently
• Regardless of the file system, the data still remains and the computer sees the space where that file resides as “available for use”
• Until something else is placed in its spot on the drive, the file will remain and can be recovered with forensic methods
• Exception: a solid-state drive that supports TRIM may erase released blocks on its own, so deleted data on an SSD can disappear without any user action

Methods Impacting Deleted Files

• Running system utilities such as defrag can rearrange data and overwrite unallocated space and slack space
• Using secure erase features such as Norton secure erase or other third party applications that are designed to “shred” data
• Although this class is primarily about Windows computers, it should be noted that Mac computers have functionality built in to securely erase data

Hashing and Forensics

Terminology - Forensic Image

• It is no longer recommended to call forensic images a “mirrored image”
• Mirroring would imply that the duplicate looks exactly like the original. Although the content is the same it looks nothing like the original
• “Forensic Image” is the most appropriate and recommended term

Hashing

• Hashing is a very important tool for forensics
• Hashing is like a digital fingerprint for a file. It is mathematically derived from the contents of the item being hashed
• The odds of two files with different content sharing the same MD5 hash value by chance are about 1 in 340 undecillion (an undecillion is 1 followed by 36 zeros)
• That figure applies to accidental matches. MD5 collisions can be deliberately manufactured (publicly demonstrated since 2004), so record a second algorithm such as SHA1 alongside MD5 for anything that may be challenged

Hashing

• Hashing is used in forensics for many things:
  • Known File Filters
  • Narrow search scope
  • Exclude items to be searched
  • Find known images of child pornography
  • Compare files to determine if they have been altered
  • Ensure the integrity of a forensic image process

Hashing

• There are several algorithms such as MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm), and others
• MD5 produces a 128 bit value, written as 32 hexadecimal characters, and is the most commonly used hashing algorithm in forensics; SHA1 produces a 160 bit value written as 40 characters
• Other hashing algorithms are available (the SHA-2 family, such as SHA-256), however forensics primarily focuses on MD5 and SHA1
• Hashing is not encryption: it is one-way and produces a fixed-size value. It is used in many other areas such as download verification and inside cryptographic protocols (digital signatures, password storage)

What Affects a Hash Value

• Any change to the content of the file
  • One pixel in a picture
  • Add/remove one character in a document
• Changing the filename or file extension will have no effect on the hash value, because the name (like the dates) is stored by the file system, not inside the file
• Sophisticated CP traders modify files to change hashes, and avoid detection

Tier 1 - On-scene Preview

How to collect:
• On-Site Preview
• On-Site Acquisition
• RAM Acquisition and Analysis
• Seizure of Computer and Associated Items
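The hash behaviour on the slide above, as an added example (Python written for this page, not from the deck or any vendor tool): it hashes a constructed file, a renamed copy with its timestamps reset, a copy with one bit flipped, and a copy with one byte appended, then runs each against a one-entry hash set. The file contents, names and the hash set are constructed for illustration; the files are written to a temporary directory that is removed afterwards.

```python
"""Added example (not from the deck): what does and does not change a file's hash.

Constructed for illustration: the 'picture' is 4 KiB of deterministic bytes, not a
real JPEG, and the hash set holds only the original's MD5.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hex digest} of the file's *contents*, read in chunks so a
    multi-gigabyte forensic image never has to fit in memory. Every algorithm is
    fed from one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_variants():
    """Write a constructed file plus three variants, hash all four, and return
    {variant: {algorithm: digest}}."""
    workdir = tempfile.mkdtemp(prefix="hashdemo_")
    try:
        content = bytes(range(256)) * 16  # 4096 constructed bytes
        original = os.path.join(workdir, "vacation.jpg")
        with open(original, "wb") as fh:
            fh.write(content)

        # Variant 1: identical bytes under a new name and extension, with the
        # timestamps reset. Name, extension and dates live in the file system,
        # not in the file, so they never enter the hash.
        renamed = os.path.join(workdir, "notes.txt")
        shutil.copyfile(original, renamed)
        os.utime(renamed, (0, 0))

        # Variant 2: one bit flipped in the middle ("one pixel changed").
        flipped = os.path.join(workdir, "vacation_edited.jpg")
        edited = bytearray(content)
        edited[2048] ^= 0x01
        with open(flipped, "wb") as fh:
            fh.write(bytes(edited))

        # Variant 3: a single byte appended, the cheapest way to defeat a
        # hash-set match without visibly altering the picture.
        appended = os.path.join(workdir, "vacation_tail.jpg")
        with open(appended, "wb") as fh:
            fh.write(content + b"\x00")

        paths = {"original": original, "renamed": renamed,
                 "one_bit_flipped": flipped, "one_byte_appended": appended}
        return {name: hash_file(p) for name, p in paths.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def in_hash_set(known_md5s, digests):
    """A known-file-filter lookup: is this file's MD5 in the set of known hashes?"""
    return digests["md5"] in known_md5s


if __name__ == "__main__":
    results = hash_variants()
    known = {results["original"]["md5"]}  # stands in for the case hash set
    for name, digests in results.items():
        print(f"{name:18s} md5={digests['md5']}  known={in_hash_set(known, digests)}")
```

The renamed copy matches the hash set; both one-bit and one-byte edits miss it, even though a viewer would show the same picture. That is the gap the later block-hash material closes.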

Tier 1 - On-scene Preview

On-Site Preview & Acquisition:
• Bootable CDs: ImageScan, Helix, Trinux, BartPE, ForwardDiscovery, Knoppix, WinEN, etc.
• USB/Other: e-fense “Live Response”, Forensic Dossier, Solo3, Logicube, Forensic Scan, FieldAgent, zSearch
• Acquisition and Analysis: MacLockPick, FTK Imager, EnCase Portable

WARNING!!!
Document all actions surrounding manipulation of the system:
• Seizure
• Live Preview - Findings, exported files, reports
• Live Acquisition
• Automated Acquisition and Field Search

MacLockPick
• USB auto-performing system scan
• Retrieves “state of machine” information: Passwords, logs, registry entries, documents, pictures, etc.
• Forensically sound, X-platform
• First-responder deployable
• $748.50 LE

EnCase Portable
• USB auto-performing data collection
• Integrates with EnCase Forensics
• Hash, search & copy
• Image entire drive: All attached drives
• $399 for LE

zSearch
• Free product by SA Eric Zimmerman, FBI - Salt Lake City, UT
• Distribution - eric[at]feeble-industries.com
• Plug-in live triage via USB
• Virtualization, encryption, mass storage, P2P, Gigatribe, picture & video preview, password gathering, and MORE!
• FREE!!!

Tier 1 - Collection and Preservation

Random Access Memory Analysis:
• Data that was traditionally lost - no more!
• Contains the computer’s recent activity
  • Images, documents, web pages, videos, etc
  • Passwords (BitLocker, KeyChain, Crypto)
• Large amount of evidentiary data
  • RAM sizes up to > 32GB of information
• Captured forensically, saved to image file for analysis (data carving)
• Running a capture tool necessarily changes some of the memory it is capturing; record the tool, version, time and hash of the output so the footprint can be explained

Tier 1 - Collection and Preservation

How to Seize Digital Evidence:
• If needed, call for assistance
• Determine legal authority
• Document and Photograph: Area, screen, cables, etc
• If “off” --> leave “off”
• If “on” --> that changes things

If it is “on” then:
• Is there encryption in use?
  • Windows Vista & 7
  • Mac Leopard & Snow Leopard
  • TrueCrypt, BestCrypt, PGP
  • Preview search using DOD-ICE CryptHunter
• Are there programs open?
• Can it be shut down properly?
• RAM Analysis
• Don’t hesitate to call for help
• If full-disk encryption is mounted, the key exists only in RAM; capture RAM or acquire the unlocked volume before powering down, because after shutdown only the encrypted container remains

Working around Encryption:
• “Known” backdoors
• RAM Analysis
• Written notes
• Corporate assistance
• Legal process/demand
• Co-defendant plea agreements

Tier 1 - Defeating Passwords

If password protected:
• On-scene analysis information
• RAM Analysis
• Social engineering
• Known backdoors
• Internet
• Computer or BIOS manufacturer
• Passwords extracted from removable media
• Brute force attacks
• Specialized Software
• Court Order / Immunity

Tier 1 - Collection and Preservation

What to collect:
• Hard Drive/Media Only
  • Not best for running systems
  • Fine for loose digital media
• Tower/Media Only
  • Best option
• Computer and All Peripherals*

Computer and All Associated Items:
• Monitor, Keyboard, Mouse, Speakers, Printer, Scanner
• Web Camera, Microphone, External Drives, Manuals, Notes, Other Media

Marking The Computer and Associated Items:
• Photographs are the BEST documentation
• Evidence Numbers
• Label all Connections to Re-Assemble in Court if Required
• Tape over Power, etc. if going to another agency…

Transporting the System and Media:
• Comfortable temperature
• Avoid car seats if possible (bouncy) – floorboards are more stable
• Avoid using police radio in transport vehicle if possible

Tier 1 - Collection and Preservation

Storing the System and Media:
• Clean, dry, secure area with reasonable temperature
• Avoid moving shelves
• Avoid areas with magnetic storage
• Avoid areas with police radio transmitters
• Consider anti-static bags, boxes, temperature and static controlled storage room

Ponder this...
• Each case’s variables will dictate the path of the computer forensic examination
• No two exams will be the same
• No two reports will be the same

Forensic Examination:
• Know Your Scope
  • Search Warrant – Affidavit
  • Type of Crime Being Investigated
  • Articulate Authority
• Multi-Disciplinary Legal Auth.
• Prosecutors should review/approve SW, Aff, Subpoenas, etc

Forensic Examination Equipment and Media:
• Secure, robust, dedicated
• Forensically Sterile Media: Wiped & Verified
• Licensed Software
• Tested write-block devices

Tier 2 - Evidentiary Forensic Analysis

Acquisition, Authentication, Analysis:
• Seized/Searched for indictment and plea agreements
• Case-specific analysis and examination
• Evidence to corroborate statements
• CVIP submission

Tier 2 - Examination and Documentation

Forensic Documentation:
• Status of Computer: Operating system, users, ownership, media size, internet…
• Item by Item: Evidence? Contraband? 3rd Party?
• Methodology of examination

Tier 2 - Evidentiary Forensic Analysis

Examine the BIOS settings:
• Date and Time settings: Compare to known time – note findings (the offset is needed to interpret every timestamp on the drive)
• Boot Order (CD, HDD, Etc.): Important for Network and other direct acquisitions
• Enter the BIOS with the evidence drive disconnected or write-blocked, so the check itself cannot boot the suspect operating system

Image Acquisition:
• Do NOT allow the hard drive to enter the boot process
  • Can Change THOUSANDS of Files and attributes
  • But - if it does happen, DOCUMENT IT.
• Note digital media’s capacity and geometry and compare to later findings
• Obtain data from digital media using forensic methods
  • Write Blockers
  • Live / Network Acquisitions, Etc.
  • Smeared images* (a live acquisition of a system that keeps writing is not a single consistent snapshot; the hash verifies the image file, not a point in time)

Tier 2 - Evidentiary Forensic Analysis

Bit Image / Forensic Image:
• Physical or Logical acquisition
• Acquired & Verified by HASH
• Separate from other cases: Different Machine, Drive, Folder
• Must Include Slack, Erased, Unallocated, Pagefile, Etc.
• Archived – Reload if Required

Physical vs. Logical
• Bitstream copy of File D: every sector of the clusters holding the file, slack included
• Standard (logical) copy of File D: only the bytes the file system reports as the file

Linn County Sheriff’s Office Narrative Report (Form H)
1. INCIDENT NUMBER: 07-17765   2. OTHER NUMBER:   7. INCIDENT TYPE: DEATH INVESTIGATION
8. REPORTED DATE: 10-13-07   9. REPORTED TIME: 1726
10. OCCURRED DATE: 01-25-07 to 10-13-07   11. OCCURRED TIME: Unknown
12. FOLLOW-UP DATE: 071311   13. FOLLOW-UP TIME: 1120

Pre-Acquisition Hash

…data on the source drive. Once the drive was connected properly, I opened FTK Imager (Version 3.0.0.1443) from the AccessData Corporation. Using FTK Imager, I hashed the contents of evidence item DB14 as a physical device connected to my computer forensics workstation, through the write-block device. The results of that hash process were presented to me on the screen at the completion of the process. I took a screen capture of the results, documented below as Figure 1.

Figure 1

Acquisition Hash & Verification

Then, also using FTK Imager, I created an exact duplicate of the contents of DB14, called a forensic image file, which comprises a bit-for-bit copy of the contents of DB14. FTK Imager makes an exact duplicate, verified by matching hash value, of the suspect computer media and saves the forensic image file. Further analysis of the evidence is then conducted using the forensic image file created by FTK without modifying or destroying the original computer media. At the completion of the acquisition process results are presented to the examiner on the screen. I took a screen capture of those results, which stated the acquisition process completed with a verified matching hash value, and no errors or bad sectors. This information is also written to an acquisition file accompanying the forensic image file. Refer to Figure 2 and the Acquisition Report below.

Figure 2: Acquisition Report for DB14: Created By AccessData® FTK® Imager 3.0.0.1443 101008

Post-Acquisition Hash

Figure 3

The forensic image file for evidence item DB14, along with the other forensic image files related to this investigation, were all copied to the defense-provided external hard drive related to discovery for this case. I then returned the drive to Detective Beth Miller, for production to the defense counsel. This report may not be inclusive of all potential evidence contained on the computer media referenced in this report. Any additional forensic analysis conducted on the referenced computer media will be documented in future reports.

ACTION RECOMMENDED: Investigation continuing.

REPORTING DEPUTY / RADIO #: Detective Micah W. Smith / 770   DPSST #: 42020   SHIFT / ASSIGNMENT: Detectives, 177
SUPER APP DATE/INITIALS:   DATA:
LCSO Revised Date: 04/15/2009
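The pre-acquisition hash, imaging and post-acquisition verification sequence that the report above documents with FTK Imager, reproduced as an added example in plain Python (written for this page; it is not the report’s tool or output). The “drive” is a constructed 64-sector buffer, and a second copy is given one unreadable sector to show what the acquisition log looks like when the report’s “no errors or bad sectors” condition does not hold: the image still verifies against what was read, but a device-level pre-acquisition hash cannot be obtained and the bad sector has to be documented.

```python
"""Added example (not from the deck): pre-hash, sector-by-sector image, post-hash.

Constructed for illustration: SimulatedDrive stands in for a write-blocked device;
SAMPLE is 64 sectors of deterministic bytes; one run injects a read error at
sector 17. Nothing here touches a real disk.
"""
import hashlib
import os
import tempfile

SECTOR = 512


class SimulatedDrive:
    """Fixed-size sectors, sequential reads, optional sector that always fails."""

    def __init__(self, data, bad_sector=None):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad_sector = bad_sector
        self.sectors = len(data) // SECTOR

    def read_sector(self, n):
        if n == self.bad_sector:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def hash_source(drive):
    """Pre-acquisition hash of the whole device (report Figure 1). Returns None when
    any sector is unreadable: a direct device hash then cannot be obtained."""
    h = hashlib.md5()
    for n in range(drive.sectors):
        try:
            h.update(drive.read_sector(n))
        except OSError:
            return None
    return h.hexdigest()


def acquire(drive, image_path):
    """Sector-by-sector copy (report Figure 2). Unreadable sectors are zero-filled
    in the image and logged, so offsets in the image stay aligned with the source."""
    h = hashlib.md5()
    bad = []
    with open(image_path, "wb") as out:
        for n in range(drive.sectors):
            try:
                chunk = drive.read_sector(n)
            except OSError:
                bad.append(n)
                chunk = b"\x00" * SECTOR
            h.update(chunk)
            out.write(chunk)
    return {"sectors": drive.sectors, "bad_sectors": bad, "acquisition_md5": h.hexdigest()}


def hash_file(path):
    """Post-acquisition hash of the image file on disk (report Figure 3)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(drive):
    """Run the full cycle and return the acquisition log. 'verified' means the image
    on disk hashes to what was read; 'matches_source' also ties it to the device."""
    fd, image_path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        pre = hash_source(drive)
        log = acquire(drive, image_path)
        post = hash_file(image_path)
    finally:
        os.remove(image_path)
    log.update(pre_md5=pre, post_md5=post,
               verified=(post == log["acquisition_md5"]),
               matches_source=(pre is not None and pre == post))
    return log


# Constructed 64-sector device contents (32 KiB of deterministic bytes).
SAMPLE = bytes((i * 7) % 256 for i in range(64 * SECTOR))


def demo():
    clean = acquire_and_verify(SimulatedDrive(SAMPLE))
    damaged = acquire_and_verify(SimulatedDrive(SAMPLE, bad_sector=17))
    return clean, damaged


if __name__ == "__main__":
    for label, log in zip(("clean", "damaged"), demo()):
        print(label, {k: log[k] for k in ("bad_sectors", "verified", "matches_source")})
```

The damaged run is the case a defense expert will ask about: the image hash and the acquisition hash agree, so the image is a faithful record of what the tool read, but it cannot be equated with the drive itself; the zero-filled sector and its offset belong in the report alongside the hashes.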

Tier 2 - Evidentiary Forensic Analysis

Forensic Write-block Devices:
• Hardware vs. Software
• Verified (and Validated?)
• Tableau, FastBloc, Voom Technologies, Logicube

Tier 2 - Evidentiary Forensic Analysis

Forensic Examination:
• Index, Hash, Categorize files present
  • Hash Set analysis
  • Known files comparison
• Document Registry, LNK files
• As appropriate for your case

HASH Sets

Collections of File Identification Information (hashes) used during forensic investigations:
• National Software Reference Library - www.nsrl.nist.gov
• DHS-ICE HASH - Contact a Special Agent
• HashKeeper - www.usdoj.gov/ndic/domex/hashkeeper.htm
• AccessData Known Files Filter - www.AccessData.com/downloads.html
• Beyond FairPlay Tools (Forensic Scan, Media Library, etc)
• Operation Round-Up hash sets
• Case-specific hash values (from other seized evidence or UC Ops)

Traditional Hash Analysis

• Hashes of “known” files compared against hashes of files on suspect media
• Hash analysis is based on the binary content of the file, rather than visual examination
• Not effective against deleted files, Unallocated, slack space, unused disk area: a whole-file hash needs the complete file as one unit, and those areas hold fragments with no file boundaries
• This enables us to identify over 100 occurrences of target files without looking at one single file!

Image Courtesy: Simon Key, CEIC 2011 File Block Hash Map Analysis CEIC 2011 - V6 Screenshots.ppt.

File Block Hash Analysis

• Simon Key ~ Guidance Software (EnCase)
• Block-based hash analysis works by calculating a hash value for each block of the target file that would be allocated a sector or cluster to store its data.
• A map of each block is generated, with the corresponding hash of each block. This is then fed to EnCase, and a search for the block-based hashes begins.
• **Must have full version of target file sought

Image Courtesy: Simon Key, CEIC 2011 File Block Hash Map Analysis CEIC 2011 - V6 Screenshots.ppt.

Partial File Recovery

• We can rebuild partially recovered files (based on the hash map from the good file)
• Render partial files as playable/viewable

Tier 2 - Evidentiary Forensic Analysis

Forensic Examination:
• Document Registry Artifacts: MRUs, WinRAR, Jump Lists
• Document LNK files: Show path to other devices, Folder structure, Access
• New File System Features

Jump Lists

Jump Lists - You can think of Jump Lists as miniature Start menus for program icons on the Taskbar. Each Jump List can contain tasks, links to recent and frequently used documents, and links to pinned documents. (©2007 Microsoft Corporation, All Rights Reserved)

LAW ENFORCEMENT SENSITIVE INFORMATION - DO NOT SHARE THESE MATERIALS

Tier 2 - Evidentiary Forensic Analysis

Forensic Examination:
• View Pictures, Movies, Docs
  • View in Native Format
  • View Forensically
    • EXIF Data for Pictures
    • Hidden Text, Updates/Changes
    • Notes, Properties, Etc.

Tier 2 - Evidentiary Forensic Analysis

EXIF/MetaData:
• Can be modified by programs
• Can be ‘cleaned’ or ‘stripped’ away during up/download
• Good corroborative evidence

Tier 2 - Evidentiary Forensic Analysis

“Case Specific” Data:
• Instant Messages
  • View in Native Format
  • View Forensically
    • LE or Commercial Decryption
    • Plain Text Not Saved – Search UC for SN

Tier 2 - Evidentiary Forensic Analysis

“Case Specific” Data:
• File Sharing Programs (KaZaa, LimeWire, BearShare, Etc.)
  • View in Native Format
  • View Forensically
    • LE or Commercial Decoder
    • Database or Spreadsheet Formats
    • Additional Information in Slack Space

Examination and Documentation

“Case Specific” Data:
• Embedded Data
  • View in Native Format: Email attachments, Word, PPT
  • View Forensically: Encoding format, link to other files, notable differences to like files

Tier 2 - Evidentiary Forensic Analysis

“Case Specific” Data:
• E-Mail Messages
  • View in Native Application: Thunderbird, Outlook, Lotus Notes, Etc.
  • View Forensically: EnCase, FTK, ILook, Paraben, Etc.; Other Programs or Raw Data
  • Interim Changes/Embedded Data

Tier 3 - Requests from DA & Defense

Acquisition, Authentication, Analysis:
• Answer concerns & questions of DA
• Analysis of artifacts at request of Defense
• Exculpatory evidence specific search/analysis
• Investigate suggested defenses (from D)

Tier 4 - Trial Forensics Examination

Acquisition, Authentication, Analysis:
• Includes all seized digital evidence for case
• Defeating known/plausible defenses
• Complete analysis report
• Preparation of demonstrative evidence
• Meeting with DA
• Prep of expert witness questions/testimony

Tier 4 - Trial Forensics Examination

Forensic Examination:
• Run Searches &/or Scripts
  • Document search keywords & why
  • Careful of script pitfalls
  • Test/Authenticate Search String
  • Headers – Not Extensions (search by file signature; a renamed extension hides a file from a name-based search but not from a signature scan)
  • Case Names (Victim, Suspect, Etc.)
  • Case Terminology (R@ygold…)
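“Headers – Not Extensions” as an added example (Python written for this page; not a script from the deck): a signature scan that carves files from raw media by their magic bytes and then audits a directory listing for names whose extension disagrees with the header. The media, its planted files and the directory listing are constructed; the signatures are the standard JPEG, PNG, GIF and PDF magic bytes and trailers.

```python
"""Added example (not from the deck): signature-based carving and extension audit.

Constructed for illustration: build_media() plants minimal stand-in files (not
valid images) into filler bytes and fabricates a directory listing for three of
them; the fourth has no entry, as a deleted file in unallocated space would not.
"""
import re

# Standard magic bytes (header) and trailer for common evidence formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif":  (b"GIF8", b"\x00\x3b"),          # block terminator + trailer
    "pdf":  (b"%PDF-", b"%%EOF"),
}
EXTENSIONS = {"jpeg": ("jpg", "jpeg"), "png": ("png",), "gif": ("gif",), "pdf": ("pdf",)}


def classify_by_header(data, signatures=SIGNATURES):
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    for ftype, (header, _) in signatures.items():
        if data.startswith(header):
            return ftype
    return "unknown"


def carve(media, signatures=SIGNATURES, max_size=10 << 20):
    """Return [(type, start, end, data)] for every header found in the media.
    Each file is cut at the first trailer after its header, or at max_size / end
    of media when no trailer is found: the rule a basic header/footer carver uses."""
    pattern = re.compile(b"|".join(re.escape(h) for h, _ in signatures.values()))
    hits = []
    for m in pattern.finditer(media):
        start = m.start()
        ftype = classify_by_header(media[start:start + 16], signatures)
        header, footer = signatures[ftype]
        limit = min(len(media), start + max_size)
        idx = media.find(footer, start + len(header), limit)
        end = limit if idx < 0 else idx + len(footer)
        hits.append((ftype, start, end, media[start:end]))
    return hits


def audit(media, listing):
    """Compare each directory entry's extension with what its header says, and
    list carved files that no directory entry points to (deleted or uncatalogued)."""
    mismatched = {}
    for name, off in listing.items():
        actual = classify_by_header(media[off:off + 16])
        ext = name.rsplit(".", 1)[-1].lower()
        if ext not in EXTENSIONS.get(actual, ()):
            mismatched[name] = actual
    listed = set(listing.values())
    orphans = [(t, s, e) for t, s, e, _ in carve(media) if s not in listed]
    return mismatched, orphans


def build_media():
    """Constructed media: three catalogued files and one with no directory entry."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(200)) + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(40) + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    deleted_jpeg = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + bytes(range(50, 150)) + b"\xff\xd9"
    gap = b"\x20" * 1024
    media = gap + jpeg + gap + png + gap + pdf + gap + deleted_jpeg + gap
    listing = {                               # constructed directory: name -> offset
        "holiday.txt": media.index(jpeg),     # a JPEG hidden behind a .txt name
        "chart.png": media.index(png),
        "contract.pdf": media.index(pdf),
    }                                         # deleted_jpeg has no entry at all
    return media, listing


if __name__ == "__main__":
    media, listing = build_media()
    for ftype, start, end, _ in carve(media):
        print(f"{ftype:5s} at offset {start:6d}, {end - start} bytes")
    mismatched, orphans = audit(media, listing)
    print("extension disagrees with header:", mismatched)
    print("carved but not in directory:", orphans)
```

The extension audit is the quick form of the defense-proofing the slide asks for: a keyword search for “*.jpg” would never have touched holiday.txt, and nothing in the directory would have led to the fourth file.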

Tier 4 - Trial Forensics Examination

Forensic Examination:
• Examine Erased/Recent Files
  • Sort by status “Deleted”
  • Sort by Dates/Times: Most Recent, Close Proximity to Crime, Etc.
  • Recycle Bin index (INFO2 on Windows XP; $I records on Vista/7), which records the original path and deletion time

Tier 4 - Trial Forensics Examination

Forensic Examination:
• Examine for Cloud/Network Storage
  • File sync software: File versions & comparisons
  • Online backup solutions
  • Push services to mobile/cloud
  • Stored shared user list

Tier 4 - Trial Forensics Examination

Forensic Examination:
• Examine Internet History
  • Registry for TypedURLs
  • Saved forms, pwds, cookies
  • Visited sites, first and last visit, count, info up/downloaded
  • Comb through HTML files
  • EnCase, FTK, Net Analysis, etc

Tier 4 - Trial Forensics Examination

Forensic Examination:
• Check for Virus, Trojans, Etc.
  • Emulated Disk for Scan (mount a read-only copy of the image; never scan the original evidence, since scanners may quarantine or delete what they find)
  • Scripts for Virus Signatures
• If Found – Obtain More Info…
  • Virus Company Web Sites, Etc.
  • Research Capabilities, Etc.
  • Log files from computer
  • Statements of suspect RE: viruses

Mobile Devices

Seizure Documentation:
• Location where device found
• Condition when located (on/off)
• Chain of Custody
• Physical issues/description
• Photograph and document manipulation

Gathering Data from Device:
• Hand-Jamming Examination & Analysis
• Extraction & Analysis
• Cloning, Examination & Analysis
• Flasher Box Extraction & Analysis

Some information in the following slides is taken from Purdue University’s Purdue Phone Phorensics (P3) project at www.MobileForensicsWorld.com/p3

Mobile Devices

Device Shielding/Isolation:
• Jamming/Spoofing signal: Violation of the Communications Act of 1934 (FCC)
• Radio shielding bag/container (a shielded phone keeps searching for a signal and drains its battery quickly; keep it powered)
• Airplane Mode
• Turning off device (may require a PIN/passcode to get back in)
• Network Service Provider (NSP): Court Orders & Assistance

Mobile Devices

Document w/o Modifying:
• Make, Model, Model #
• Vendor Logo
• Style (Flip/Slider/Clam Shell/Form Factor)
• External Memory Present (Type, Capacity)
• Digital Camera (Forward/Rear Facing)
• Compliance Label (ESN/MEID or IMEI & SIM)
• Battery present/not present
• Damage - Condition

Mobile Devices

Examination & Analysis:
• Subscriber Identity Module: Possibly clone SIM for analysis
• External Memory Cards: Same as Digital Media (Forensics); Data carve deleted data
• Examination, extraction and analysis of data on physical handset

Mobile Devices

Gathering Data:
• Ideally through:
  • Cable connected - most secure
  • InfraRed (IrDA) - less secure
  • BlueTooth (BT) - least secure
• All may result in changed data or state of phone from original seizure

Mobile Devices

Gathering Data:
• Integrated Tools: UFED, Secure View, Device Seizure, BitPim, MOBILedit!, etc
• SIM Tools: SIMCon, SIMSeizure, SIMDetective, etc
• Hex Dump Tools: Cell Phone Analyzer, HeXRY, etc
• Screen Capture Tools: Digital Camera (Duh!), Fernico ZRT, Project-a-Phone, etc
• Manufacturer Specific Tools

Mobile Devices

Evidence Analysis:
Through Automated Tools or Raw Analysis:
• Text (Short Msg Service)
• MMS (Multimedia Msg Service)
• Contacts / Address Book
• Call Logs
• Web History
• Email
• App Data

Mobile Devices

Considerations:
• Can we “forensically” analyze a phone or other mobile device?
  • Can’t separate storage from device
  • Often, access only to provided areas of phone
• Do we need to perform “forensics” on mobile devices?
  • If we document our actions, is that sufficient?
• **Most evolving area of forensics

Forensic Principle

• Always show unbiased methodology and emphasize the evidence that relates to the current charges – incriminating or exculpatory
• Consider possible defenses and attempt to prove or disprove them with your evidence

Instructor Information

Detective Micah Smith
Linn County Sheriff’s Office Computer Crimes and Computer Forensics
Voice: 541-812-9200
Email: [email protected]