Introduction to Mobile Forensics Dr. Darren Hayes Pace University
Computer Forensics is the scientific practice of using digital data in an investigation. Mobile Forensics is the scientific practice of using digital data, created by a mobile device, in an investigation. Definition
To Prove Control Ownership Intent What is the Goal?
Computer Forensics is a Part of Security Computer Forensics is the Examination of Computers Computer Forensics is used to Solve Computer Crimes Computer Forensics is about Recovering Deleted Files Popular Myths
Scope of Mobile Forensics
Always On Personal Voice & Data Multimedia Internet Tracking GPS Importance
Communication through Embedded Chip Different File System Different Information Call Logs Text Messages Active Memory Storage Smaller Onboard Capacity Locational Data What's Different?
1875 Alexander Graham Bell Transmits Sounds 1876 Mr. Watson, come here! I want to see you! 1885 AT&T Founded 1919 First Rotary Telephone 1946 Area Codes Established 1961 Touch Tone Released to the Public 1963 Push-button Telephone History
1973 First Handheld Cellphone Call 1982 Caller ID 1984 New AT&T Formed 1991 GSM Created History
Radio Common Carrier 1960s 1980s Dr. Martin Cooper, Motorola, 1973 2.2 lbs Phone First Handheld Mobile Wall Street (1987) History
1983 DynaTAC Cellphone Released by Motorola 1 lb 9.5 Inches Tall 10 Hours to Charge 60 Mins. Talk Time $3,995 History
Push-to-talk (1993) Motorola StarTAC (1996) RIM BlackBerry (1999) Two-way Pager Motorola RAZR (2003) History
Hardware Cellebrite Universal Memory Exchanger (UME) Wireless Retailers Software Personal Investigations Cheating Spouses History Mobile Forensics
1995 Subscribers: 28.1 million Call Minutes: 31.5 billion 2011 Subscribers: 327.6 million Call Minutes: 2.2 trillion (6 billion Call Mins. per Day) Text Msgs: 5.7 billion per Day Cell Towers: 250,000 29.7% of Households are Wireless Only Statistics (Source: CTIA)
Case Studies
Higinio O. Ochoa Aged 30 Linux Administrator Accused of Being a Part of CabinCr3w Arrested by FBI EXIF Data from iPhone Melbourne, Australia Led Investigators to Ochoa's Facebook Page iPhone
Michael Jackson Murder Investigation
Conrad Murray Recorded Jackson's Last Words on iPhone Judge Ruled that 4-Minute Audio File Was Admissible Conrad Murray Trial
Stolen iPhone
April 2012 iPhone Stolen on Disney Wonder Cruise Victim Katy McCaffrey Photos Automatically Uploaded to iCloud Photo Stream Account Photos of Nelson & Co-workers Uploaded to McCaffrey's Facebook & Sent to Disney Stolen iPhone
Times Square Shooting
August 18, 2012 Knife-wielding Man Runs through Times Square NYPD Runs after Suspect: Darrius Kennedy, 51 Bystanders Run Alongside Police with Cellphone Cameras Recording Action Suspect Shot Dead by Police Videos Uploaded to YouTube, Facebook, News Networks Smartphones Seized by Police Times Square Shooting
Precrime creeps closer to reality, with predictive smartphone location tracking http://www.extremetech.com/computing/134422-precrime-creeps-closer-to-reality-with-predictive-smartphone-location-tracking Localscope App http://www.cynapse.com/localscope Smartphone Intelligence
Brooklyn Quality of Life App http://www.cbsnews.com/8301-504083_162-57492217-504083/new-smartphone-application-allows-people-to-report-crimes-to-authorities/ FBI Child ID App http://www.fbi.gov/news/news_blog/the-child-id-app-on-android Law Enforcement Assistance
Forensic Computer Examiner Quick Reference Guide App International Association of Computer Investigative Specialists (IACIS) Forensics on Your Smartphone
Cellular Network Group of Cells Cell Geographic Area Cell Site Tower or Antenna Cellular Network
Cell Tower Radio Mast Often has 3 Sectors 200 Feet High Often Used by Multiple Carriers Transmits/Receives Radio Signals Encrypts/Decrypts Traffic Cell Sites
Receiver Transmitter Receiver Antenna Panel
Mobile Equipment (Handset) Subscriber Identity Module (SIM) GSM Networks IMEI Identifies Mobile Equipment on GSM Cellular Network Mobile Station
Power On Cellphone On Keypad, Type *#06# Practical Locate IMEI
Open Browser URL: www.antennasearch.com Type: 1600 Pennsylvania Ave NW Type: Washington, DC Type: 20006 Practical
Call & Mapping Analysis http://www.cellanalyst.com/ Using Cell Site Analysis Evidence in Criminal Trials http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf Request Data in Parsed Excel Format Request Keys to Tower Codes Free Mapping http://batchgeo.com/ Cell Site Analysis (CSA)
Subscriber Records Call Detail Records (CDR) Phone Numbers Called/Received Duration Dates Times Cell Sites Quadrant Carrier Evidence
Mobile Equipment (Handset) Subscriber Identity Module (SIM) International Mobile Equipment Identity (IMEI) Analysis of IMEI: www.numberingplans.com & trackimei.com Dial *#06# on Cellphone Type Allocation Code (TAC) Initial 6 to 8 Digits of IMEI http://www.nobbi.com/tacquery.php Mobile Station (GSM)
Mobile Equipment (Handset) Electronic Serial Number (ESN) 2005: Mobile Equipment Identifier (MEID) www.meidconverter.com Subsidy Lock (SPC) Confines User to One Network Mobile Station (CDMA)
Mobile Equipment (ME) FCC-ID Federal Communications Commission (FCC) http://transition.fcc.gov/oet/ea/fccid/ www.phonescoop.com www.gsmarena.com Mobile Station
SIM Card Identifies Subscriber on a Network Contains IMSI GSM
GSM & iDEN (Motorola) Swapped Out with Unlocked Phones International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC) First 3 Digits of IMSI Mobile Network Code (MNC) Next 2 to 3 Digits Mobile Subscriber Identity Number (MSIN) Last 10 Digits SIM
Integrated Circuit Card ID (ICCID) 19 to 20 Digits Printed on SIM Major Industry Identifier (MII) First 2 Digits www.numberingplans.com SIM
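The IMEI, IMSI and ICCID layouts from the slides above, as an added example that is not part of the original deck. It splits each identifier into the named fields and checks the Luhn digit on IMEI and ICCID. The function names are hypothetical, the sample values are made-up test values, and the 8-digit TAC and caller-supplied MNC length are assumptions noted in the comments.

```python
# Added example (not from the slides): split handset/SIM identifiers into
# the fields the slides name. Sample values are made-up test values.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; the last digit of an IMEI or ICCID is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(value: str, lengths: range, name: str) -> str:
    """Strip spaces/hyphens and enforce an all-digit string of allowed length."""
    s = value.replace(" ", "").replace("-", "")
    if not s.isdigit() or len(s) not in lengths:
        raise ValueError(f"{name}: expected {lengths.start}-{lengths.stop - 1} digits")
    return s

def parse_imei(imei: str) -> dict:
    s = _digits(imei, range(15, 16), "IMEI")
    # Assumption: current 8-digit TAC; older IMEIs use a 6-digit TAC + 2-digit FAC.
    return {"tac": s[:8], "serial": s[8:14], "check": s[14], "luhn_ok": luhn_ok(s)}

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    # The MNC is 2 or 3 digits depending on the network; the caller supplies it.
    s = _digits(imsi, range(6, 16), "IMSI")
    if mnc_len not in (2, 3):
        raise ValueError("mnc_len must be 2 or 3")
    return {"mcc": s[:3], "mnc": s[3:3 + mnc_len], "msin": s[3 + mnc_len:]}

def parse_iccid(iccid: str) -> dict:
    s = _digits(iccid, range(19, 21), "ICCID")
    # MII 89 is the telecommunications industry identifier.
    return {"mii": s[:2], "telecom": s[:2] == "89", "luhn_ok": luhn_ok(s)}

if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))        # valid check digit
    print(parse_imei("490154203237519"))           # mistyped last digit
    print(parse_imsi("001010123456789"))           # test network 001/01
    print(parse_iccid("8901" + "0" * 14 + "1"))    # 19-digit sample
```

A failed Luhn check on an identifier copied from a label or a report usually means a transcription error, which is worth catching before the value goes into a records request.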
Code Division Multiple Access (CDMA) Developed during WWII Patented by Qualcomm Users Share a Band of Frequencies Verizon & Sprint No SIM Same Phone Model: GSM or CDMA Motorola RAZR CDMA
Code Division Multiple Access (CDMA) Spread-Spectrum Communications Protocol Wide Band Width Multiplexing Techniques Fiber Optic Verizon Sprint CDMA2000 3G CDMA
Mobile Network Operator (MNO) Owns an RF Spectrum License 4 Carriers AT&T/Cingular (GSM) T-Mobile (GSM) Verizon (CDMA) Sprint/Nextel (CDMA) Mobile Phone Network Operators
Mobile Virtual Network Operator (MVNO) Provides Mobile Phone Service No Licensed Frequency of Radio Spectrum Purchase Minutes of Use (MOU) Do Not Own SIM Cards Example: Virgin Mobile USA (Sprint Nextel) 100+ Carriers Mobile Phone Network Operators
90% of the World has No Cellular Coverage Solution Satellite Phones DeLorme Satellite Phones
Apple iOS Google Android Nokia Symbian Samsung Bada Research In Motion RIM OS Microsoft Windows 7 Operating Systems
2011: Tablet Sales 60 Million Units Worldwide 2012: Tablet Sales 119 Million Units Worldwide Statistics (Gartner)
[Chart: Tablet Sales Projections for iOS, Android and Microsoft; years 2011, 2012, 2013, 2016]
Q1: 2012 419 Million Mobile Phone Units Sold Statistics (Gartner)
[Chart: 1Q 2011 vs. 1Q 2012] Statistics (Gartner)
Samsung Galaxy S III 2012 Estimated Sales 30+ Million Units Samsung
January 2010 Nexus One (N1) Released Developed by HTC Unlocked Sold Directly by Google Nexus S Developed by Samsung WiFi Hotspot Capability Internet Calling Near Field Communication (NFC) Galaxy Nexus Coming Soon with Jelly Bean 4.1 Google Nexus
Close Proximity Radio Communication Based on RFID Standards Formed by Sony, Nokia, Philips Google Wallet Credit Cards Loyalty Cards MasterCard PayPass Public Transportation Ticketing Near Field Communication (NFC)
Usage: Payment System Social Media Hotel Keys Near Field Communication (NFC)
[Pie chart slices: 8.7%, 7.0%, 2.7%, 1.9%, 23.1%, 56.6%; legend: Android, Symbian, Bada, iOS, Research In Motion, Microsoft] Q1 2012 OS Market Share
Networks: GSM iDEN CDMA Devices: Smartphones Tablets eReaders App Market 700,000+ Android
Samsung, LG, Motorola, etc. Samsung Galaxy Tab Amazon Kindle Android Devices
Cache.wifi Captures WiFi Connections Do Not Need to Connect to Record Can Be Mapped Fb.db Facebook Contacts Chat Logs Messages Photos Searches Evidence
Emailprovider.db Path: /data/data/com.android.email/databases/emailprovider.db Exchange Login & Password in Plaintext HostAuth Gmail Login & Password in Plaintext Evidence
Da_destination.db Turn-by-Turn Navigation.WAV Files Stored Evidence
SMS & MMS Path: /data/data/com.android.providers.telephony Contains: Sender & Recipient Read Status Pictures Audio/Video MMS Path: /data/data/com.android.mms Evidence
PIN-Protect Numeric Password Alpha/Numeric/Character Pattern Lock Gesture Device Security
gesture.key Pattern-Lock Protection Finger Swipe Path: data/system/gesture.key Pattern Stored as a SHA-1 Hash (Hashed, Not Encrypted) Recover with Online Tools or Rainbow Tables Security
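Why a lookup table is enough for the pattern lock, as an added example that is not part of the original deck: the code counts every valid pattern and the space needed to hold one SHA-1 digest for each. The pattern rules (3x3 grid, 4 to 9 dots, no dot reused, no jumping over an unused dot) and all function names are assumptions of this example.

```python
# Added example (not from the slides): size of the pattern-lock keyspace.
# Assumed rules: 3x3 grid, 4 to 9 dots, each dot used once, and a stroke may
# cross an intermediate dot only if that dot is already part of the pattern.

# (a, b) -> dot lying between a and b on a straight line; dots numbered 0..8.
MIDDLE = {}
for a, b, mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7), (0, 6, 3),
                  (1, 7, 4), (2, 8, 5), (0, 8, 4), (2, 6, 4)]:
    MIDDLE[(a, b)] = MIDDLE[(b, a)] = mid

def count_by_length(max_len: int = 9) -> dict:
    """Return {pattern length: number of valid patterns of that length}."""
    counts = {n: 0 for n in range(1, max_len + 1)}

    def walk(last: int, used: int, length: int) -> None:
        counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if used >> nxt & 1:
                continue                      # dot already in the pattern
            mid = MIDDLE.get((last, nxt))
            if mid is not None and not used >> mid & 1:
                continue                      # would jump over an unused dot
            walk(nxt, used | 1 << nxt, length + 1)

    for start in range(9):
        walk(start, 1 << start, 1)
    return counts

def keyspace(min_len: int = 4, max_len: int = 9) -> int:
    """Total number of valid patterns between min_len and max_len dots."""
    return sum(n for length, n in count_by_length(max_len).items()
               if length >= min_len)

SHA1_DIGEST_BYTES = 20

def full_table_bytes() -> int:
    """Size of a table holding one SHA-1 digest per valid pattern."""
    return keyspace() * SHA1_DIGEST_BYTES

if __name__ == "__main__":
    print(count_by_length())
    print(keyspace(), "patterns;", full_table_bytes(), "bytes of digests")
```

With fewer than 400,000 possible patterns, the hash gives no meaningful protection once the file itself can be read, so the pattern lock should be treated as a screen lock only.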
pc.key Password Protection Path: data/system/pc.key Decrypt with Brute Force or Dictionary Attack Most Difficult to Break Security
PIN Maximum of 8 Digits After Unsuccessful Attempts Enter Gmail Login & Password Security
Questions