MobileDeviceForensicsOverview march2011

Mobile Device Forensics: An Overview

Bill Teel
Teel Technologies
16 Knight St., Norwalk, CT 06851
(203) 855-5387
bill.teel@teeltech.com
www.TeelTech.com

Mobile Device Forensics Overview

Cell Phone Forensics Overview
• Introductions
• Today’s Standards and History Of Mobile Device Forensics
• Mobile Forensics is Not Computer Forensics
• Practices and Trends in the Field
• Additional Practices Related To Device Analysis
• Where We’re Headed
• Recommendations

Brief Introduction:
• Bill Teel
• Working in Mobile Forensics since 2003
• Teel Technologies Established in 2006
• Focus on Mobile Forensic Tools: Largest Selection in One Place
• Products Include: XRY, Athena, Device Seizure, SecureView, Oxygen, Encase, Etc.
• Publisher of MobileForensicsCentral.com - Free Search Engine for Mobile Forensics
• Registered Small Business

Today’s Cellular Standards: CDMA, GSM, iDEN (TDMA, AMPS almost gone)

CDMA
• Worldwide: +500 Million Subscribers
• CDMA is largely in U.S., Asia Pacific (155 Mil), Latin America (71.5 Mil) (source: cdg.org)
• Major CDMA Network Operators: Verizon, Sprint, Alltel, Leap, U.S. Cellular

GSM / 3G GSM (UMTS)
• Worldwide: +4.5 Billion Subscribers (including 3G, WCDMA, HSDPA) (source: gsmworld.com)
• Major U.S. GSM Network Operators: AT&T, T-Mobile, Alltel, SunCom, Dobson, CellularOne
• SIM Card

iDEN
• iDEN – Operators – +30 Million subscribers
• Major iDEN Operators: Nextel, SouthernLINC Wireless, Boost (MVNO), Telus (Canada)
• A Motorola Technology – Only Motorola Phones!
GSM and iDEN Both Use The SIM Card: Subscriber Identity Module

Cell Phone Forensics Short History
• Originated in Europe and focused on the GSM SIM card. Roaming of Devices from Network and Spectrum Required - I.D. Info on SIM – Also SMS, Phonebooks, and Last Numbers Dialled on SIM
• Terrorist use of phones as IED detonators Increased the demand for mobile forensics. Mobile device forensics is making a real impact in the war on terror
• Adoption Has Moved Quickly From Federal to Local Level and Now Enterprise, Prisons, Schools, etc.

Mobile Device Forensics Today
Now Used Widely Around the World
• 80% of All Criminal Investigations in Europe Involve Mobile Device Forensics
• 90% of All Criminal Investigations in UK
• 70% in US (estimate and growing)
Quickly Becoming The Necessary Part of Every Investigation!

Cell Phone Forensics First Lesson: Cell Phone Forensics is NOT Computer Forensics!
While The Intent Is Similar, The Method Is Different

The Big Difference:
• Computer Forensics: Only a Few Major Operating System Standards: Windows, Mac, Linux. Standard practice is to image the hard drive and Examine Data
• Cell Phone Forensics: Multiple Operating Systems, Various Communication Standards. Each manufacturer has their own: Nokia, Samsung, Motorola, Palm, Blackberry, etc. Communication Standards Evolving. Started this way but is consolidating to four or five. Mobile Forensics is becoming more like computer forensics in some ways
• Mobility Aspect: Phones are Live Things Roaming Around. It’s not just about what’s on the device, but where has it been and what connections have been made?
Networks Are Managing The Massive Data in Different Ways – Lots There. What’s retained by the network varies from carrier to carrier, but apart from the billing essentials, not much data is saved after 30 days. Some Exceptions:

“The results were astounding. In a six-month period — from Aug. 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.”
http://www.nytimes.com/2011/03/26/business/media/26privacy.html?_r=1

Despite Exceptions - Better to Get Data Sooner Than Later. Location and Data Content Typically Does Not Last Long in U.S. – Economics of freeing up storage for networks

Another Difference: Phones Are Always Updating – Proper Handling and Isolation Are Essential
• Cell Phone Forensics is not technically “forensics”. We are just starting to image the drive. Mostly we are engaging it to tell us what’s in there and then recording and analyzing
• Proper training in handling and processing phones is essential in reducing the risk of loss or contamination
• While the acquisition of data is relatively easy, it often requires putting an Agent on the device to assist with data extraction
• A phone is always updating with the network, and remote destruction is possible. Proper isolation of the device from the network and immediate analysis is best when possible

SIM ID Cloning
Cloning SIM Card – Reinsertion of Cloned SIM Card with No Network Connection Ability
• Tricks Phone Into Thinking Proper SIM is In
• No Data Loss
• Best Option When Phone is Dead or no PIN is Set

Where Are We Headed?
Network Technology Converging
• LTE Is New 4G Standard Coming: “Long-Term Evolution” - 4G Term Used Liberally
• LTE Will dominate US Data, as Opposed to Current Split Between CDMA / GSM
• Networks Will Be Easier to Analyze
• FemtoCells Will Assist in Location Research
• Standardized Cables for Power
Billion Mobile Broadband Subscribers by 2014 (Ovum Research, May 2009)

Where Are We Headed? It’s a Smart Phone World, After-all
Smartphone Use:
• True Convergence Happening: Higher processor speeds, better apps, location services, more storage, social networking, broadband adoption
Networks Can’t Keep Up With the Demand
Smartphone Stats:
• Sales Doubled (96%) in U.S. over 2009 (all handsets grew 35%)
• Now Represent 20% of total Phone Market
• 55 Million units were shipped in Q1 2010
• Operators pushing smartphones for more data revenue
• 120 Million 3G Subscribers in US in 2010

Where Are We Headed? It’s a Smart Phone World, After-all
• Android Sales In U.S. overtake iPhone
• Android Grew 886% worldwide year-over-year (Canalys)
Gartner Group, In U.S. Smartphone Leaders: Blackberry 33%, Android 27%, iPhone 23%

Where Are We Headed? It’s a Smart Phone World, After-all
Jefferies Technology Conference, Qualcomm Presentation – Sept 16, 2009

Where Are We Headed? It’s a Smart Phone World, After-all
• Processor and DRAM performance improvements will enable the mobile device to rival the desktop in next-gen devices
• Latest Storage Capacity: 8GB internal, 16GB expansion. Expect 100% Increase Per Year
• Better enterprise applications, video, navigation, and social networking capabilities will make analysis more necessary
[Chart: Network Generations, 3G to 4G “LTE” - 2014]
Chart from: “The Next Generation of Mobile Memory” presented at MemCon2008, by Rambus Inc.

Where Are We Headed?
Multiple Networks – Not One Winner
Jefferies Technology Conference, Qualcomm Presentation – Sept 16, 2009

Where Are We Headed? Cable Mayhem Will End
From This Today… Five Years? Global Standard is Going Micro USB

Dominant Mobile Operating Systems
Phones and Tablets

Still Plenty of Throw Away Phones

A Word About MVNOs
Mobile Virtual Network Operators
• What are They?: “Virtual” operators selling mobile services. Operating on larger networks
• Why are They?: Marketing to specific demographics. Reduce contract restrictions
• Who are They?: GSM + CDMA: T-Mobile GSM, Sprint CDMA, Nextel iDEN, Verizon CDMA, Cingular GSM, Sprint CDMA

A Word About MVNOs
A Challenge for Forensic Efforts
• Plans and Devices often Paid for in cash. No contract, no identity tied to the device or service contract
• Often a disposable solution for criminals
• Some proprietary devices not widely supported by forensic solutions (this is changing)
This Does Not Mean There is Not Valuable Data on Device
• SIM Card Data (TracFone, Boost, T-Mobile)
• Last Numbers Dialled on Device/SIM
• Call Logs, Call Durations
• Pictures
• Text Messages (message identifiers)

Call Spoofing And How Forensics Can Determine if There Was Spoofing
Spoofing is a service that allows callers to mask themselves and where they are calling from
• Pay for the service – Get a Unique PIN Code – Call 800 Number
• Enter PIN Code – Enter Number to Call
• Enter Number You want to show up on the Recipient’s Caller ID
• Alter voice (an option provided)
• Make call and the recipient will see on their Caller ID the Spoofed number
The Only Way To Determine if a Call Was Spoofed is to Analyze the Call Records of the Genuine owner of the Spoofed Number. These records will show and prove if a call was, in fact, made at the time and date by the actual owner of the number. If it is not on their records as an outgoing call, They DID NOT MAKE THE CALL. Also, the Phone Will Keep This Data – Accessible with Tools

Recommendations: Good Training, Become Friends with the Networks and Learn Cell Site Analysis
• While the phone can be examined, so can the network, and the relationship of the user on it. Call data records analysis can piece the puzzle together and save lives
• Retracing a user’s position on the network, and confirming location data can be achieved with Cell Site Analysis. Coverage data provided by the networks is not accurate and can sometimes be way off

Thank You!
www.MobileForensicsCentral.com
16 Knight St., Norwalk, CT 06851
(203) 855-5387
www.TeelTech.com
info@teeltech.com
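
The call-record check from the Call Spoofing slide, as an added example that is not part of the original deck: each call that displayed the owner's number is matched against the owner's own outgoing records. The record layout, the phone numbers, the 120-second clock tolerance and the shared time zone are all assumptions made for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
OWNER = "2035550101"  # constructed number whose genuine owner is being checked

# Constructed records, not from the deck: (caller ID shown, called number, start)
RECIPIENT_INCOMING = [
    ("203-555-0101", "2035550199", "2011-03-01 14:02:10"),
    ("2035550101", "2035550199", "2011-03-01 18:45:30"),
    ("+1 (203) 555-0101", "2035550199", "2011-03-01 19:10:00"),
    ("2035550123", "2035550199", "2011-03-01 20:00:00"),
]
# Constructed outgoing CDRs for OWNER from the owner's carrier: (called, start)
OWNER_OUTGOING = [
    ("2035550199", "2011-03-01 14:02:05"),
    ("2035550177", "2011-03-01 19:09:50"),
]

def norm(number):
    """Keep digits only and compare on the last 10 (assumes NANP numbers)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def check_spoofing(incoming, owner_outgoing, owner, tolerance_s=120):
    """Label each incoming call that displayed `owner` as its caller ID."""
    used = set()  # one outgoing record may account for only one incoming call
    results = []
    for shown, called, start in incoming:
        if norm(shown) != norm(owner):
            continue  # caller ID is some other number; out of scope here
        t_in = datetime.strptime(start, FMT)
        verdict = "NO_OUTGOING_RECORD"  # owner's records show no such call
        for i, (out_called, out_start) in enumerate(owner_outgoing):
            t_out = datetime.strptime(out_start, FMT)
            close = abs((t_out - t_in).total_seconds()) <= tolerance_s
            if i not in used and norm(out_called) == norm(called) and close:
                used.add(i)
                verdict = "MATCHES_OWNER_RECORD"
                break
        results.append((start, verdict))
    return results

if __name__ == "__main__":
    for start, verdict in check_spoofing(RECIPIENT_INCOMING, OWNER_OUTGOING, OWNER):
        print(start, verdict)
```

A NO_OUTGOING_RECORD result is the case the slide describes: the call is not on the genuine owner's records as an outgoing call.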

Date posted: 05/12/2016, 17:15
