So this week we're going to be talking about mobile device forensics, starting to work with mobile devices, all the different types of mobile devices, and how we normally go about acquiring data and analyzing the data from them. So first off, the biggest thing to think about with mobile devices is that there's no single standardized method for accessing all mobile device data. So think about all of the different types of phones or tablets or anything we consider a mobile device now, even smart watches and things like that. They don't all necessarily have the same interface. They don't have the same software. So trying to make a general approach to acquiring data from mobile devices is very difficult. With computer systems we basically have PCs and Macs, more or less. With mobile devices, or even these kinds of smart devices now, we have a lot of different architectures that we're dealing with, and that makes it very difficult to first off acquire data and also analyze the data structures, because there are many different types. Luckily, within the last few years we have somewhat standardized at least smartphones and the way that smartphones are accessed, so we essentially have a few different types, but they're very, very common. Most people have one of the big three or four types of devices that we can access. So we pretty much know what we're going to find whenever we get, for example, a mobile phone. So there are a lot of tools now that can access the more common types of phones. However, there are some, for example, Chinese brands that completely change the way that they do wiring or they completely change software. We run into problems with those sometimes. So just be aware whenever it comes to mobile: I will talk about basically the most general approaches to acquiring data, but technically the way that we get that data will be very different depending on what type of device you're looking at.
And it also depends on the software and the tools that you have available. I'll be going over some of the free software that we use and I'll be also covering mostly Android devices just because at least in Korea they're the most common and they're in some ways easier to work with than other types. With mobile devices there are some companies that have software that can do quite a bit of automated analysis of mobile device data but in my experience most of the time you're going to have a lot of manual analysis with mobile device data. The process of acquiring data is starting to get a little bit easier but the process of analyzing that data is still pretty manual. However you can write your own tools, we'll talk maybe a little bit about writing your own tools for examination. That being said there's no single tool that will cover all mobile devices and all situations. So all of the tools that are out there, there are some very good tools that are very comprehensive in both acquisition and a little bit of analysis but they won't cover everything. So especially if you're dealing with law enforcement you're going to get a lot of different types of devices in and sometimes your tools just won't work. Some devices will be too old so your tools can't support them. Some devices will be too new so your tools can't support them. Some devices maybe the manufacturer just never saw before so they don't have a way to acquire that data. So when dealing with mobile devices the investigator has to know a lot more than just one simple tool. They have to know how to access this data manually essentially. So for forensic preservation we always start just like with computers. We want to preserve the data on the suspect or victim's device. In this case it just happens to be a mobile device, most likely a phone. In Korea it's most likely a smartphone, not just a phone but probably a smartphone and also could be things like the smartwatches like I said. 
They also potentially have some information on them that could be relevant. So the easiest way, just like with computers, the easiest way to preserve information about the device is just manual examination. So the examiner manually accesses the phone through the user interface. So you have a cell phone, for example, and you want to know who is in the contacts list, so you unlock the phone if you can and then go to the contacts list and scroll down and basically take pictures from there. This is the least forensically sound because you are modifying data on the phone. You are accessing the phone directly, but sometimes that's the only way we can get access to data. So this kind of manual operation of the user interface can produce valid results, but your documentation has to be very good and you have to justify why you are interacting with the phone directly. So it's potentially the easiest but also the least forensically sound. To ensure that all details are documented and the chain of custody is preserved, this process is normally photographed or videotaped. So there are some devices, for example like a video camera that essentially hangs over the phone, and you can access the phone directly so it records everything that's going on. That seems to be one of the most common ways if we have to do a manual analysis of the phone using the interface. Only data available through the operating system is retrievable. So if we're looking only for user information this might be an acceptable way to get access to it, because we can potentially access chats, KakaoTalk, Facebook, Instagram, all of those things using the user interface just like the suspect or just like the victim would. However, there's a lot of information that we will not be able to recover, because we are limited essentially to what the operating system exposes. So we're going to be missing a lot of information.
If we're just looking for basic account information it's okay; if we're looking for contacts or who called the phone, who this phone was used to call, things like that, then this method might be the way to go. Next is a logical acquisition via the communication port. So all phones, or all mobile devices, usually have some sort of communication port. On a lot of devices it's the same as the charging port. For example, your charging port can also be the USB connection to your computer so you can transfer files or whatever. It could also be, for example, a wireless connection. So Wi-Fi, Bluetooth, all of these connections are on a lot of devices these days. So you might be able to get access to the device from one of these interfaces and basically do a logical acquisition, or an acquisition of the partition information on the disk. We normally go through the USB port on newer phones; whatever the connection port is, we connect it via USB and we can normally get access to most data on the system, but not all. So logical acquisition methods interact with the mobile devices using protocols such as AT commands and OBEX, or object exchange, commands. Mostly we're using AT commands to talk to the low-level hardware of the phone and try to get that low-level hardware to give us raw data. There are tools that automatically do this. Again, it depends on the operating system we're using, but I'll give you instructions on how to do that with your own phone if you want to try. But AT commands are basically very, very low-level computer commands that we can give most devices. And this only extracts data that is available, again, through the operating system. So we're not getting any special access whenever we do this. The operating system itself is still restricting us from getting access to all of the data. We can only get access mostly to user-accessible areas. So the next is a physical acquisition via communication ports.
So again, using a USB connection to try to get a physical image of the disk rather than just a logical image. This is actually going around the operating system rather than using the operating system directly. This extracts the memory contents in their entirety through the communications port. It's also much more difficult to do. So out of the three that I've talked about so far, this is much harder than the other methods. The other methods can get us a lot of user data, but maybe the court doesn't accept it for some reason. They want a full disk image. The full disk image is possible but also much more difficult to get. Interpreting the extracted binary is dependent on understanding how the phone stores data in memory structures. So again we're getting raw data from the phone and we have to understand how to parse out those data structures. So not only is the acquisition more difficult, but the actual analysis of the data becomes much more difficult as well. If it's a popular type of phone or a popular operating system there are tools to help you. But if it's a new phone or a new operating system or just a new data structure that nobody knows about, you'll have to do it yourself. So it becomes very tricky to analyze mobile data if it's a physical acquisition. Next is physical acquisition using JTAG. This is quite a popular method for really advanced mobile device forensics. I'll give links to JTAG, what JTAG is and how it works, on the forum. It uses a JTAG interface, which is just kind of a hardware interface, to extract memory contents of the device. So we connect via JTAG and then we can read out all of memory from essentially a hardware port. Using JTAG usually requires us to take apart the phone, and on most phones that completely destroys them. You can't put them back together. So we only use this in extreme circumstances like terrorism cases or something where we can justify the fact that we don't want only a logical acquisition and we will probably destroy the phone.
So in those cases we might use JTAG if it's absolutely necessary. It allows the extraction of full binaries, so the whole point behind this is that we can extract all of the data. We still have to know what those data structures are, but at least we can get the data and then analyze it later. Acquiring digital evidence via JTAG is less intrusive than relying on the device operating system. We're not going through the operating system in this case, but interpreting the extracted binary requires a lot of in-depth knowledge. So mobile device analysts who are expert at it might want to do this method, but we're nowhere near there. I'll give you information on what JTAG is, but we obviously can't practice it in this class unless you want to tear your phone apart. Then you can try physical acquisition via direct memory chip access. So another method we can use is accessing the memory in the phone directly. We again have to take apart the phone; if the phone isn't designed to be taken apart we probably destroy it and can't put it back together. But we can get access to the memory chips directly and then just read data directly off of them. It's the most low-level and potentially complex acquisition method. It has the same problems as all of the other methods, in that we get direct raw data and we have to do all of the interpretation for that raw data. Nothing is interpreted for us. It can provide access to all device content, but requires knowledge of interpreting the raw data structures. And this technique should not be used for cases when the original device must remain operable. Korea, for certain types of phones, is very good at this technique. They have really good experts that can do this and then put the phones back together. But in most cases the phone is going to be completely destroyed. Which is another problem, because if you destroy the device that means that, first off, you might lose some data.
But it also means that nobody else can verify the data that was on the device. The device is gone. No third party can come in and audit you, which raises huge concerns in cases. So it's advisable, but maybe not practical, to acquire data using multiple methods. So for example, collecting data using a logical acquisition is relatively easy. We can get quite a bit of information out, but not all information. Once we have that information out, we already have it in our custody, let's say, then we might want to go to a lower-level acquisition method that may lose data or may destroy the device. Because at least we have a backup copy and we can say, okay, the user data is here and it's valid. So really the question is, how do we connect to these devices? How can we connect and how can we get information from the device? The easiest way is basically connecting via USB. For a lot of different types of phones we can install a piece of software on the phone, and that software will get access to quite a bit, but not all, of the data and then send that data to us. That's a very, very easy way to do it. And if we're using free tools, that's probably what we're actually going to do this week, that method, just because it's the easiest. There are some forensic tools that exist that either automate that process or are able to get lower-level access, and I'll give you links to those and we'll talk a little bit about them. However, those tools tend to be quite expensive. Wireless access and Bluetooth: in some cases we can get access to data over the network. Depending on what our case is, we might just be able to leave the phone on and connected over the network and monitor the network connection to get access to data that way. However, in most cases, like if we're monitoring an app for example, it's probably going to send all data encrypted from the phone, so we won't get access to much, but it might be possible.
We might also be able to attack the phone from the network and get remote access to it, or load a program in and copy data out. There are a lot of different approaches we can use. Just think about what all of the ways are that I can connect to the phone and potentially install and extract data, and we'll talk about the most common ways this week. For extracting data we're normally using AT commands, like I said, very, very low-level commands. We use developer tools, so as an investigator of mobile devices you have to get used to understanding what developer tools do, how they work, where you can download them, because those developer tools have low-level access to most data on many different types of devices. We can use those developer tools to copy data from the phone in a reliable way and sometimes even send data to the phone, if we want to send a program and run it, for example. Physical memory acquisition on mobile devices is more complete and it includes deleted items. It works with damaged devices, so sometimes, for example, we've had cases where suspects had a phone, the police came and they immediately threw the phone down and stomped on the phone. It completely broke the glass and the display didn't work, but the phone still works in some cases; in most cases the phone will still work and we can get access to the data from that device even if we can't necessarily see it. It also makes fewer alterations to data. It's not easy and it doesn't provide the logical structure of the file system. So again, the lower level you go, you do not get this structure of the file system; you can't just pull files directly out, you have to actually parse the data. Again, a lot of tools can exist, or do exist, that you can buy that will help you automate parsing of those structures. Okay, and then I have some examples of some tools, connecting different types of phones to tools. These tools are again quite expensive but also very useful in most cases.
If you join law enforcement, if you join a company doing investigations, they will definitely have at least a few kits around for different types of phones. So I give you some examples of those. And then we're just thinking about what exactly is the point of the analysis, or of acquiring and analyzing the phone. So we have to go through quite a bit of trouble to get data from a phone. So why do we actually want to go through that process? What are we looking for exactly? If we're just looking for a phone number, do we need to analyze the entire phone or can we just analyze the SIM card? If we're looking for proof that somebody downloaded MP3s to their phone, maybe they downloaded them to an external micro SD card and we can just analyze the micro SD card instead of the entire phone. What exactly are we trying to prove? And again, where is that data located? So just like we talked about in the other lectures, whenever we're doing our acquisition we're thinking about what am I trying to prove? Where is the data going to be located? With phones it's even more important because there are lots of different types of data. Some data is very easy to get access to, some data is very hard to get access to. So do you need to go through the difficult process of getting all of the data, or can some easier data suffice for your investigation? A general investigation approach is, first off, survey any available items you have. So for mobile devices, for say smartphones, smartwatches, tablets, whatever you have from the suspect, what devices do you have and do you know how to get access to data? Do you know how to get access to all of the data or just parts? And do you know how to verify that that data is the same as the original? What are the main sources of information on the mobile device? So again, for mobile you might be mostly interested in KakaoTalk chats or something like that, MMS, just communication between people.
If that's the case you might only focus in on certain programs and not the entire device. We want to recover any deleted items. So just like computers, we can recover deleted items, deleted information from the phone. I mean, it still has an operating system, and on the disk at least it still has a file system just like a computer; the file system is a little bit different, but it still has a file system. Which means that in some cases we can recover, for example, deleted items. So I think there was a case with, what was the program? I think it was Snapchat, which said that whenever you send information and you delete a file then that file is completely gone, and we found out we could actually recover images that were sent that way. So a lot of these programs make claims that they are completely secure, they're deleting all the information. They might be deleting the information, but just because of the way that file systems work, just because of the way that data is stored, we might still be able to get access to some or even all of the information that they claim was deleted. Then we harvest metadata from the active and recovered items. So what kinds of metadata or what kinds of timelines can we create? With metadata we're mostly interested in timestamps and creating timelines of events. When were these pictures downloaded? When were these pictures taken? And what kinds of timelines on the phone can we actually reconstruct from that? So metadata is a very important component of mobile analysis. And then finally, conducting a search and inspection for evidence, basically looking through all the data, looking for keywords, looking for basically anything that we think might be related to our investigation, much like we did with computer systems. So the acquisition on mobile devices is going to be a little bit different, but the analysis is going to be quite similar to desktop computer systems.
So that's it for this week. We will actually go through acquiring and doing a little bit of analysis of a mobile device. So that's the homework for this week. Thank you.
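As an added illustration of two points from the lecture (that a physical acquisition gives raw data without file system structure, so you have to parse it yourself, and that deleted items only become visible at that level), here is a small constructed example, not the lecturer's code or any forensic product: it carves JPEG candidates out of a raw image by marker bytes alone, hashes each one, and splits them into items the logical acquisition already had versus items only the physical copy recovered. The sample image, the blobs in it, and every function name are constructed for this example.

```python
import hashlib

# Markers used to locate JPEG candidates in a raw image: start-of-image
# (FF D8 FF) and end-of-image (FF D9). Everything here is a constructed
# example; it is not a tool from the lecture or any forensic product.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def sha256_hex(data: bytes) -> str:
    """Hash used to verify that two copies of an item are identical."""
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image: bytes, max_size: int = 10_000_000) -> list[dict]:
    """Scan a raw memory or disk image for JPEG candidates.

    No file system metadata is consulted, which is why carving also turns up
    files whose directory entries were deleted. Caveat: a JPEG that embeds an
    EXIF thumbnail contains an inner FF D9, so such a file is truncated at the
    thumbnail; a full parser would walk the marker segments instead.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1  # unterminated or oversized: skip this hit
            continue
        blob = image[start:end + len(JPEG_EOI)]
        found.append({"offset": start, "size": len(blob),
                      "sha256": sha256_hex(blob), "data": blob})
        pos = end + len(JPEG_EOI)
    return found


def classify(carved: list[dict], logical_hashes: set[str]) -> dict:
    """Split carved items by whether the logical acquisition already had them.
    Items not seen logically are candidates for deleted or unallocated data."""
    out = {"known": [], "recovered_only": []}
    for item in carved:
        key = "known" if item["sha256"] in logical_hashes else "recovered_only"
        out[key].append(item["offset"])
    return out


def sample_blobs() -> tuple[bytes, bytes]:
    """Two constructed, minimal JPEG-like blobs (not real photographs)."""
    jpeg_a = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
    jpeg_b = JPEG_SOI + b"\xe1\x00\x10Exif\x00" + b"B" * 20 + JPEG_EOI
    return jpeg_a, jpeg_b


def build_sample_image() -> bytes:
    """Constructed 'physical image': filler, one file the file system still
    lists (jpeg_a), a false-positive FF D8 that is not a JPEG, and one blob
    sitting in free space (jpeg_b) the way a deleted file would."""
    filler = b"\x00" * 64
    jpeg_a, jpeg_b = sample_blobs()
    return filler + jpeg_a + filler + b"\xff\xd8\x00junk" + filler + jpeg_b + filler
```

Running `classify(carve_jpegs(build_sample_image()), {sha256_hex(sample_blobs()[0])})` reports the first blob as known from the logical copy and the second as recovered only, which is the kind of comparison that justifies going to the lower-level acquisition after the logical one.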