Premium Essay

Mobile Forensics


Submitted By shamix
Words 11661
Pages 47
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Mobile Device Forensics
Copyright SANS Institute
Author Retains Full Rights
© SANS Institute 2009, Author retains full rights.
GCFA Gold Certification
Author: Andrew Martin
Advisor: Joey Niem
Accepted – August 29, 2008
Table of Contents
Abstract
Devices
Tools – General
Motorola Razr V3C
Scenario
Tools
Techniques

Similar Documents

Premium Essay

Mobile Forensics

...Abstract Mobile forensics involves recovering and retrieving digital evidence or data from mobile devices under forensically sound conditions utilizing established methods (Ayers, Brothers, & Jansen, 2013). The field of mobile forensics is complicated, as the variety in providers, manufacturers, proprietary technologies and formats is extensive. These challenges are coupled with the fast release and upgrades to mobile devices, making a forensic investigator’s job more arduous in attempting to examine and analyze these devices for the purpose of recovering data and evidence (Martin, 2008). This white paper will focus on the challenges of mobile device technology and the methodology utilized in examining these devices to recover data which is crucial to security investigations, which includes the tools, techniques and procedures necessary for gathering data from various similar devices. This paper will also focus on the training and expense of acquiring efficient forensic investigators, as well as impending approaches for addressing challenges. Introduction “The goal of mobile forensics is the practice of utilizing sound methodologies for the acquisition of data contained within the internal memory of a mobile device and associated media providing the ability to accurately report one’s findings” Mobile devices, contrary to popular belief, include an array of devices not limited to cellular phones and smartphones, but also include tablet devices, mp3 players, digital cameras...

Words: 1628 - Pages: 7

Free Essay

Mobile Forensics in Healthcare

...2009 Eighth International Conference on Mobile Business Mobile Forensics in Healthcare Connie Justice, Huanmei Wu Computer & Information Technology Purdue School of Engineering and Technology Indiana University Purdue University Indianapolis 799 W. Michigan St., ET 301 Indianapolis, IN 46202 {cjustice, hw9} Abstract -- Mobile communication has been heavily applied in the current healthcare system for health information exchange. Patient information security has become a major concern, especially with the wide adoption of electronic medical records. Mobile Forensics has been utilized by law enforcement to systematically procure and preserve mobile evidence. However, the adoption of mobile forensics in the healthcare lags behind. The goal of our project is to examine the options and to provide recommendations for adoption and customization of mobile forensics in the healthcare field. An open-ended survey of local healthcare and related facilities around Indianapolis has been explored to examine the current status of Mobile Forensics in the healthcare field. The results have been evaluated using statistical analysis. A methodology is being proposed that would use mobile forensics procedures taking into account the regulatory measures that have to be instituted due to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Keywords-mobile forensics, healthcare. Evelyn Walton Informatics Indiana University Purdue University Indianapolis 799 W. Michigan...

Words: 4340 - Pages: 18

Premium Essay

Emerging Cybersecurity Strategies

...Abstract: Advanced cyberattacks on the public and private sectors at the local, national, and international level have prompted an increase in funding and support for the study of emerging cybersecurity technologies. The considerations for this paper are to discuss the emerging technologies and strategies that can be integrated across the public and private sector to improve cybersecurity on a local, national, and international level. New technologies need to dynamically assess networks real-time such as with the use of Remote Agents and Real-time forensic analysis. These technologies also need to make the attack space less predictable and constantly evolving such as through the use of moving target defense. Emerging Cybersecurity Technologies The E-government Act of 2000 was signed by President Bush to move toward a more 24-7 government. The dream was to eliminate the need to have to stand in line at the DMV for half a day just to pay annual vehicle registration fees (Barker, 2011). Security was certainly a concern, but it was not at the forefront of the move as government agencies would go through massive changes in equipment, manning, and practices in order to move information and programs online. Now, over a decade later we still see moves and changes taking place, such as the department of Veterans Affairs recently moving all of their applications, forms and records online. The expensive cost of getting the government caught up was expected with such an overhaul...

Words: 2624 - Pages: 11

Premium Essay


... Exam Code: 312-49 Exam Name: Computer Hacking Forensic Investigator Practice Testw CHFI-1-105
QUESTION 1 When a file or folder is deleted, the complete path, including the original file name, is stored in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created when you _______
A. Restarting Windows
B. Kill the running processes in Windows task manager
C. Run the antivirus tool on the system
D. Run the anti-spy ware tool on the system
Correct Answer: A Section: (none) Explanation Explanation/Reference: A
QUESTION 2 Graphics Interchange Format (GIF) is a ___________ RGB bitmap image format for images with up to 256 distinct colors per frame.
A. 8-bit
B. 16-bit
C. 24-bit
D. 32-bit
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 3 The IIS log file format is a fixed (cannot be customized) ASCII text-based format. The IIS format includes basic items, such as client IP address, user name, date and time, service and instance, server name and IP address, request type, target of operation, etc. Identify the service status code from the following IIS log., -, 03/6/11, 8:45:30, W3SVC2,SERVER,, 4210, 125, 3524, 100, 0, GET, / dollerlogo.gif,
A. W3SVC2
B. 4210
C. 3524
D. 100
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 4 International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer...

Words: 11383 - Pages: 46

Premium Essay


...Digital Forensics is an important aspect to computer systems security. I mean we are talking about Identifying, Collecting, Preserving, Analyzing, and Presenting evidence digitally. Therefore, preserving electronic evidence is important. Investigating Data Theft is a malice act towards a company/ organization (Kruse, 2001). Such theft is made by an employee that is either terminated or resigning. Motives for data theft include setting up a competing business, using the information at a new job, sense of ownership of what was created, and revenge against the employer, among other things. Common Theft include, customer information, financial records, software code, email lists, strategic plans, process documents, secret formulas, databases, research and development materials, and employee records. Now, with such theft around, we often wonder how is such theft achieved. Knowing how technology is always advancing each year, the millennium era grows with fascinating knowledge on the know how to working a computer, hard drives, etc. Tools like flash drive, which can hold thousands of documents that can be copied to the flash drive, and taken anywhere. Then you have Dropbox, remote desktop connections, personal email accounts, smart phones, CD’s/DVD’s, and FTP ( File Transfer Protocol ) (Kruse, 2001) There is always this saying, that personnel who steal data often leave a trail of digital evidence that proves invaluable when investigating data theft. We as the forensic specialists...

Words: 1774 - Pages: 8

Premium Essay

Nt1310 Unit 4 Forensic Tools

...ENVIRONMENT During the implementation phase, various types of computers and mobile devices were chosen to check the extent of support of the selected forensic tools. It is not necessary to use the same computing devices or smart phones while working with similar systems in the future.
TABLE I. PARAMETER MAPPING
Data Sources and Information Integration: 1) Data Integration from Different Mobile Devices/Sources by A Single Tool 2) Ability to Overcome Encryption And User Locks 3) Privacy of Data Extracted and Modes of Extraction
Knowledge processing: 1) Speed of Extraction of Data and Accuracy of Data 2) Fault Tolerance of the Forensic Tool
Data integrity and validation: 1) Data Tampering Detection 2) Data Integrity Management
Presentation: 1) Collaboration Capabilities of the Forensic Tool
Additional Factors: 1) Vendor Information (Updates, Data Storage Security, Reliability, Admissibility of Evidence)
A. Personal Computer Environment...

Words: 435 - Pages: 2

Free Essay


...1) Introduction: Crime today is at an extreme high. However, forensic science has been there to help solve every crime committed. Forensic science is the scientific method of gathering and examining information about the past. The word forensic comes from the Latin forēnsis, meaning "of or before the forum." The word forensic basically means the key to solve a crime. This is the technology used to help forensic teams to analyze and solve crimes. This is especially important in law enforcement where forensics is done in relation to criminal or civil law,[1] but forensics are also carried out in other fields, such as astronomy, archaeology, biology and geology to investigate ancient times. Forensic Science is used to Identify Criminals: Rape, murder, theft, and other crimes almost always leave a devastating mark on the victim. In modern forensic science, the crime laboratories include a photography section, evidence storage section, identification section, chemistry section, general examination section, firearms section, instrument section and crime scene search section. 2) Origins of forensic science: In 16th-century Europe, medical practitioners in army and university settings began to gather information on the cause and manner of death. Ambroise Paré, a French army surgeon, systematically studied the effects of violent death on internal organs.[9][10] Two Italian surgeons, Fortunato Fidelis and Paolo Zacchia, laid the foundation...

Words: 3403 - Pages: 14

Free Essay

Evidence Collection Cases

...investigators can match the suspect's DNA to the arson crime scenes. Also, TimeFrame Analysis can be used to link any files of interest to the timeframes of the investigation. All these things can help link the suspect to the crimes, and in doing so can help tell the insurance company whether the claims are valid. 2. Case 4-4 (bomb threat) A list of what items should be included in an initial response field kit to ensure preservation of digital evidence. The initial response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
* Small computer toolkit
* Large-capacity drive
* IDE ribbon cable
* SATA cables
* Forensic boot media containing an acquisition utility
* Laptop IDE 40 to 44-pin adapter, other adapter cables
* Laptop or tablet computer
* FireWire or USB dual write-protect external bay
* Flashlight
* Digital Camera with extra batteries
* Evidence log forms
* Notebook or digital dictation recorder
* Computer evidence bags...

Words: 1243 - Pages: 5

Free Essay

Types of Forensics

...FORENSICS Forensics, by and large, is the application of science to the legal process. It is an emerging research domain in India. There are many different types of forensic sciences baring their vital presence possibly in every field of human endeavor. Of these, let us now discuss about the computational, cyber and the DNA forensics. COMPUTATIONAL FORENSICS: The development of computational methods or mathematical and software techniques to solve forensic issues is called computational forensics. These methods analyze the evidence beyond human cognitive ability. They scrutinize a large volume of data, which is at any case impossible for a human mind to figure out. In spite of this, we can’t say that these techniques alone would serve our purpose because computational forensics is a field which needs huge collaboration between recognition and reasoning abilities of humans combined with comprehension and analytic abilities of the tool or a machine, which is most of the times, a computer. Computational forensics aids us to model the uncertain. At the crime scenes, we usually get incomplete or broken evidences. These evidences are later on modeled by the computational forensic tool which gives us first clues from its largest biometric database (fingerprints, criminal histories, mug-shots, scar and tattoo, physical characteristics like height, weight, hair and eye color and aliases), which is a collection of significant information regarding the criminals, their criminal history...

Words: 1917 - Pages: 8

Premium Essay

Unit 4 Assignment 2 Digital Evidence Procedures

...Lowry Williams IS 4670 Cybercrime Forensics Unit 4 Assignment 2 Write a digital evidence procedure. When you are collecting digital evidence you need to take the utmost care with this kind of evidence. This kind of evidence may be found on your computer, your laptop, a cell phone or even a USB flash memory device. With physical evidence or any other kind of evidence you would want to follow the chain of evidence. When it comes to digital evidence you would want to follow the chain of custody; this is a road map that shows how the evidence was collected so that it can be analyzed and preserved in order that it may be presented as evidence in court. Digital evidence plays a very important role when it comes to a forensic investigation. The digital evidence has to be collected, handled and/...

Words: 670 - Pages: 3

Premium Essay

Data-Hiding Techniques

...Undelete 360 is the free version of a commercial product, and so leaves out some useful features (file filtering, previews and so on). These still appear in the interface, though, and suggest you upgrade if you ever click on them, which can be annoying. There are no restrictions on the amount or size of the files you can recover, though, and otherwise the program is very simple to use: point it at a drive, it'll scan for deleted files, then you can view particular file types (JPGs, PDFs, videos and more) by choosing them from a tree. Scanning speed isn't great, but Undelete 360 can recover files that other programs miss, and so it's definitely worth considering [ (Williams, 2013) ]. Standard undelete programs are perfect for recovering a few files, but if you've lost an entire partition then you'll probably benefit from a specialist application like MiniTool Partition Recovery. The free (for personal use) program has a wizard-based interface which makes it very straightforward to use. Point MiniTool Partition Recovery at the problem drive, specify the area to be searched, and it'll scan for the missing partition. A report will let you know what the program has found, and you can recover the partition in a few seconds. You don't get a bootable recovery disc here, so if your system partition is damaged then MiniTool Partition Recovery won't help you very much. Otherwise, it provides a quick and easy way to locate and restore lost partitions [ (Williams, 2013) ]. A tool called...

Words: 1131 - Pages: 5

Free Essay

Criminology Level 3

...found. It will be discussed having the implications of poor packaging and the results which lead to contamination of all evidence if not packaged properly and the outcome when it is taken to court also the reliability of the CSI’s involved. It is also the job of the CSI to make sure all health and safety procedures are in place before handling and taking any piece of evidence as there are varying risks involved like sharps, contamination of evidence, weather conditions other witnesses interfering with the scene, other personnel and any form of biological hazards. These must be taken seriously and analysed before any search. Unit 5 1. Detail the forensic evidence that would have been taken away from the scene by the perpetrator. The crime scene is probably the most important part of any criminal investigation. It is where forensic science starts. Locard’s Principle states that every contact leaves a trace (Locard, 1928). This is the primary rule of scene investigation – you are looking for ‘contact’ evidence that will help solve the crime. This trace may be in the form of a specific recoverable material, such as a chip of paint, or that of a mark or impression, such as a fingerprint. This physical evidence must be protected against loss and contamination and be...

Words: 2900 - Pages: 12

Premium Essay

Welcome to Homicide

...Welcome to Homicide Forensic Science is a fundamental component of the justice system. Forensic scientists use scientific techniques and knowledge to assist law enforcement in investigations and solving crimes. They collect and analyze numerous types of evidence, including blood, body fluids, DNA, and human tissue. Forensic scientists assist the decision makers by showing the prosecutor if the issue has merit before it reaches the courtroom, thereby reducing the number of cases having to be heard. Their decisions are based on scientific investigations and not circumstantial evidence or unreliable witnesses. Forensic scientists can restore faith in the judicial system with the use of science and technology for facts in criminal and civil investigations. The legal system is established on the belief that the legal process results in justice for all. History of forensic science The history of forensic science, or the applying of scientific principles to legal questions, is lengthy and interesting. The first recorded autopsy, reported in 44 B.C., was on Julius Caesar; the Roman physician Antistius proclaimed that he had 23 wounds on his body but only one was fatal. In 1248, a Chinese book entitled “Hsi Duan Yu” (meaning The Washing Away of Wrongs) explained how to tell apart a drowning from a strangulation. This was also the first recorded use of medicine to assist in solving crimes. In 1590, the first microscope was developed. In 1775, Karl...

Words: 2382 - Pages: 10

Free Essay

Conviction of Wrong Man

...Expert Witness Helped Convict Wrong Man A panel of six independent forensic scientists stated, in a report filed in a Houston State court, that crime laboratory supervisor James Bolding helped convict an innocent man of rape in 1987. Because Bolding either lacked basic knowledge of blood typing or gave false testimony, George Rodriguez spent 17 years in prison for a rape that he did not commit. Bolding’s testimony in the case was challenged amid a scandal that led to retesting of evidence in 360 cases; And with the report filed, that number could increase by the thousands, involving 25 years of cases. “The panel concluded that crime laboratory officials might have offered ''similarly false and scientifically unsound'' reports and testimony in other cases, and it called for a comprehensive audit spanning decades to re-examine the results of a broad array of rudimentary tests on blood, semen and other bodily fluids” (Liptak and Blumenthal, 2004). There have been many cases where forensic science and law enforcement experts have provided sworn testimony, documents, or reports intended for the court that contain unreliable or misleading information, findings, opinions, or conclusions. Some are found to have been intentionally offered by the expert in order to secure an unfair or unlawful conviction, via ‘fitting the evidence to the crime’. A state audit of the Houston police department (HPD) crime lab, completed in December 2002, found that HPDs DNA technicians there...

Words: 538 - Pages: 3

Premium Essay

Information System Technology

...Assessment Worksheet Documenting a Workstation Configuration Using Common Forensic Tools Course Name and Number: _____________________________________________________ Student Name: ________________________________________________________________ Instructor Name: ______________________________________________________________ Lab Due Date: ________________________________________________________________ Overview In this lab, you performed a forensic analysis of a Windows 2012 machine using three commonly available tools: WinAudit, DevManView, and Frhed. You reviewed the forensic capabilities of each tool, using the sample files provided, to determine any clandestine threats or vulnerabilities such as viruses and malicious software. You also recovered a file that was altered to hide its native file format. You documented your findings in a forensics report. Lab Assessment Questions & Answers 1. What is the main purpose of a software tool like WinAudit in computer forensics? 2. Which item(s) generated by WinAudit would be of critical importance in a computer forensic investigation? 3. Could you run WinAudit from a flash drive or any other external media? If so, why is this important during a computer forensic investigation? 4. Why would you use a tool like DevManView while performing a computer forensic investigation? Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. Student Lab Manual ...

Words: 295 - Pages: 2