Mobile Phone Forensics Using the JTAG Interface 110826
• The popularity and the mobility
– A phone can be used as a criminal tool anytime, anywhere.
– The relatively large storage space of modern phones makes them a useful tool for data theft. An employee could steal sensitive corporate information by uploading it onto their phone.
Mobile Forensics: Extracting useful evidence from a damaged phone
Dr. Junbin Fang
Computer Forensics Research Group
Center for Information Security and Cryptography, University of Hong Kong
August 2011
Agenda
• Motivation
• Mobile phone forensics – data recovery from internal memory
• Mobile phone forensics with JTAG
• Demonstration - Extracting useful evidence from a damaged phone
• Future works
Status of mobile phone industry
• Much more mobile phone usage
– Worldwide mobile phone usage has increased dramatically in the last decade.
– Globally, the number of mobile cellular subscriptions reached 5.3 billion (2011), as reported by the International Telecommunication Union (ITU).
– Applications on a mobile phone can provide the phone with additional functions and flexible uses.
• Number of applications launched in the App Store (iOS): over 500,000 as of July 2011.
• Number of applications launched in the Android Market: over 250,000 as of July 2011.
Forensic toolkits
Software approach through OS
• Flashing tools
– Memory copying tools specifically targeted at a certain device.
– Two sources
• Manufacturers or service centers, who use these tools for debugging and sometimes for in-field software updates.
• Hackers, who use these tools for checking and changing device functionality ("unlocking / jailbreaking").
Internal memory acquisition
• Manual acquisition
• Software approach through OS
– Forensic toolkits + data cables
– Flashing tools + data cable
• Physical extraction
• Utilizing JTAG interface
• Much more computational power
– Typically 800 MHz to 1.2 GHz for a smartphone processor.
– Dual-core, even quad-core, mobile processors.
• Much more mobile phone software/apps
• Problems
– A complete memory dump is not ensured!
– Not all phones on the market are supported.
– Specific cables and drivers are needed.
– The integrity of data may not be guaranteed.
Manual acquisition
• Approach
– Investigate the content of the memory through the UI of the phone.
– Photograph the evidence.
• Limitations
– Only data visible to the operating system can be recovered. All data are available only in the form of pictures.
– Not feasible for a phone with a large memory, say 8 GB. Automated tools are needed for this task.
– *Digital evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
The task of Mobile forensics
• To retrieve data from mobile phones as evidence in criminal, civil and even high-profile cases.
• Much more mobile phone production
– Vendors shipped 371.8 million units in Q1 2011, growing 19.8 percent year-over-year. (IDC)
Status of mobile phone industry
Smart phone gets smarter and smarter!
Crime with Mobile Phone
• The computing power
– Applications that can be used as part of a computer attack will run on a mobile phone.
– The penetration tool BackTrack 5 can now run on many smartphones, such as Motorola, Samsung Xperia X10, Nokia N900, to gain access to a Windows XP system. (May 23, 2011)
(Advanced Cell Phone Forensics, Jonathan Clark MBE)
Where is the evidence
• Three data storage media
SIM Card 64K-12…KB
External Memory Card
Internal Flash Memory
Definition (Wikipedia)
• Mobile forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.
• In this talk, we focus on the digital forensics of mobile phones, especially smartphones.
Software approach through OS
• Forensic toolkits + data cable