
write a report about this case study and include your comment about this case total one page double lines font 12

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/316849054
A Case Study for Mobile Device Forensics Tools
Conference Paper · April 2017
DOI: 10.1145/3077286.3077564
All content following this page was uploaded by Rodney Wilson on 19 September 2018.
Rodney Wilson
Florida A&M University
Department of Computer and Information Sciences,
Tallahassee, FL 32307-5100
615-482-1510
[email protected]

Hongmei Chi
Florida A&M University
Department of Computer and Information Sciences,
Tallahassee, FL 32307-5100
850-412-7355
[email protected]
ABSTRACT
Smartphones have become a prominent part of our technology-driven world. When it comes to uncovering, analyzing and submitting evidence in today’s criminal investigations, mobile phones play a more critical role. Thus, there is a strong need for software tools that can help investigators in the digital forensics field effectively analyze smartphone data to solve crimes.

Since people, as day-to-day users of smartphones, rely heavily on these devices, they are typically equipped with several gigabytes of space and have become a storage mechanism. The data we store on our smartphones include photos, videos, contact information, messages, notes, etc. This type of data in our digital world is a gold mine for law enforcement agencies, government agencies and forensic investigators, who can use various techniques to extract the information, which can be used as evidence. To address the concerns about digital forensics data extraction for smartphones, this poster is intended to demonstrate a practical investigation of the digital forensics tools that allow this type of data acquisition. The poster will educate researchers and investigators on how they can, and what they can use to, recover and obtain data from messaging applications on a mobile device.

This paper will accentuate how digital forensic tools assist investigators in data acquisition, particularly of messages, from applications on iOS smartphones. In addition, we will lay out the framework for how to build a tool for verifying data integrity for any digital forensics tool.

Categories and Subject Descriptors
I.2.5 [Programming Languages and Software]: Expert System Tools and Techniques, K.6.5 [Management of Computing and Information Systems]: Security and Protection, Authentication, Unauthorized access

General Terms
Mobile, Forensics, Security

Keywords: smartphone, iOS, open source tools, app, digital forensics

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
ACM SE 17, Apr 13-14 2017, Kennesaw, GA, USA
ACM 978-1-4503-1203-5/12/03…$10.00

1. INTRODUCTION
In our society today, people are increasingly connected to the Internet via mobile devices. Traditional landlines are a thing of the past nowadays since mobile device utilization is increasing. Smartphones have become a part of our everyday lives. In fact, nearly 80% of Americans are now smartphone owners, and for many these devices are a key entry point to online and social networking. Not only have smartphones replaced landlines; in some instances, smartphones have replaced the need for a desktop or laptop PC. We now have the ability to use our mobile devices to communicate, check e-mails, shop, and stream various forms of entertainment and media, just to name a few.
Figure 1. Mobile Security in the U.S. statistics [4].
Meanwhile, the mobile device market provides a great variety of
manufacturers and models, causing a strong diversity. It increases
the difficulty of choosing proper forensics tools for seizing
internal data from mobile devices. Through this short paper, a
comprehensive perspective of each popular digital forensic tool
will be given, and an inside view for researchers to select their
free sources or commercial tools via a practical investigation will
be provided. In addition, a summary for the future direction for
forensics tools in mobile devices will be discussed.
2. DIGITAL FORENSIC METHODOLOGY
Due to the increase in smartphone usage, these devices contain a
vast amount of valuable data that can be used as criminal
evidence. Thus, there is a procedure to properly acquire the data
to be used through the field of digital forensics. Digital forensics
is the process of analyzing and evaluating electronic data as
evidence. The steps taken to soundly acquire the information must
be well documented and repeatable at any point in time. In this
section, the process of digital forensic extraction of messages
from smartphones will be examined.
3. CHALLENGES WITH EXTRACTING MOBILE DATA
There are many forms of data on a mobile device. The main types of evidence stored on devices are call history, contacts, text messages, multimedia messages, internet browser history, photos, videos, e-mail and social media data. The challenge is that the data must be soundly acquired; otherwise it cannot be used as evidence in a case. A recent article mentions the complexity of mobile extraction. It states “Bergerson explained that cell phones are not like your traditional hard drive or server—the file structure is diffuse, volatile, and spread across innumerable apps and services. When programs go in to copy disk images from a device, the data you get back is stored in lots of little mini-databases, many of which have only partial data that can be extracted and read” [6]. Smartphones with passwords can also make the process of accessing the data more challenging. Luckily, according to Figure 1, 64% of people that were surveyed do not use a screen lock or password.

According to [5], 8 out of 10 mobile examinations involve iOS or Android devices. Since these operating systems account for the vast majority of smartphones being used today, the messaging applications to be reviewed will be selected for only those operating systems.

4. POPULAR MESSAGING APPS
Smartphones are often used as a main source of communication. There are many great messaging applications available that help us communicate via messaging. A few of the most popular messaging applications that will be highlighted are included in Table 1.

Table 1. Popular Messaging Applications
Application    Operating System(s)
WhatsApp       iOS, Android
WeChat         iOS, Android
Viber          iOS, Android
Line           iOS, Android
KiK            iOS, Android

Though the primary reason for these applications is text messages, many of them include additional features such as sending video, audio and photos. Methods of extracting the data in these messages from the applications in Table 1 through digital forensics tools are to be emphasized in the poster. Though the applications are available on both iOS and Android, we will only touch on iOS.

5. DIGITAL FORENSICS TOOLS
In every field, the correct tools are needed to complete a job or task. In mobile digital forensics in particular, software is one of the most valuable tools. The software is required to analyze the device and extract the data that digital forensic investigators need. Some of the open-source software used as tools for mobile forensics that will be highlighted may include but are not limited to the following.

5.1 Open-source Tools Overview
In this section, we highlight open-source tools that we used as a part of our investigation to perform the data extraction.

MOBILEdit: Key Features – brings the ability to control the phone from your PC. After connecting the phone via cable, IrDA or Bluetooth, view the contents of the phone on the PC, do full-text searches, dial numbers, send SMS or MMS messages. With a simple click, back up all your data, copy them to different mobile phones and manipulate your contacts.
Results – Successfully able to securely access messages from the applications.

iBackup Extractor: Key Features – allows you to pull and view data from an Apple device by accessing the most recent iPhone backup. This tool also has the capability of creating a new backup of an iPhone. The data types that can be extracted include photos, contacts, calendars, SMS, MMS, iMessages and WhatsApp Messages.
Results – Successfully acquired data, including WhatsApp messages, from an iPhone using the backup made with iTunes.

EnCase Forensic 8: Key Features – Acquire data from a wide variety of devices, complete a comprehensive disk-level investigation, produce extensive reports on your findings while maintaining the integrity of your evidence.

5.2 Commercial Tools Overview
In this section, we highlight some of the top tools used in the
digital investigation industry. A number of top digital forensics
cases were solved with the help of the tools mentioned below.
Magnet Acquire: Key Features – Quick Extraction – a reliable and
quick method for obtaining a logical image from any iOS and
Android device.
Full Extraction – a method allowing users to gather more evidence
through physical images of rooted Android devices or file system
logical images of jailbroken iOS devices.
Cellebrite UFED: Key Features – Logic Extraction: Logical
extraction of data is performed mainly through a designated API.
The API allows commercial third-party apps to communicate with
the device OS to enable forensically sound data extraction.
Physical Extraction: The physical extraction allows the examiner
to access this data by creating a bit-for-bit copy of the mobile
device’s flash memory. Seeing where the data is located within
the device’s memory enables the analyst to interpret the data.
Access Data Mobile Phone Examiner Plus: Key Features – Broad
Support of Mobile Devices, Automated Smart Application
Recovery, Built in iOS and Android Parsers, Hex Interpreter, SIM
and USIM Support and SQLite DB Browser.
Dr. Fone (Trial-version): Key Features – With the highest
retrieval rate in the industry, one can recover photos, videos,
contacts, messages, and call logs.
6. DATA EXTRACTION
By using some of the tools mentioned in section 5, we were able to successfully extract some data from a smartphone. The smartphone used for the extraction was an iPhone 6, 16 GB running the iOS 10.2 operating system.

6.1 Data Extraction Tools
iBackup is one of the tools in the practical investigation used to obtain some data. Before using the software, we had to create a backup of the iPhone on iTunes. Then, we were able to select that backup in iBackup Extractor.

Figure 3. Steps for using iBackup Extractor.

The result post extraction is displayed in Figure 4. The figure shows an SMS conversation. Although the data was successfully acquired, this does not determine whether it is of valid use.

Figure 4. Messages obtained from iBackup Extractor.

7. DATA VALIDATION
A crucial part of a digital investigation is data validation. Data validation is performed to ensure the integrity of the data is kept after it is extracted from a smartphone. If the data is altered in any way, investigators cannot use it as evidence because it can be viewed as tampered with, which makes it illegitimate in a case. The best practice is to use multiple validation tools to ensure that the extracted data is an exact copy of the original data from the device. Two or more tools should be used and the results should be compared. If identical results are found, then the data extraction was successful. The checksum of digital data is used to determine if something has gone wrong with the data. MD5 is a cryptographic hash function in which the algorithm takes arbitrary data as input and returns a 128-bit hash value as the output. This type of validation can be performed by examining the MD5 checksum of the data.

The MD5 checksum is the digital fingerprint of a file. The checksum returned for the extracted copy indicates whether the data is valid when it is compared with the checksum of the data on the smartphone. Using tools such as FileVerifier++ and WinMD5 for Windows and the terminal md5 command for Mac OS X, we were able to obtain the MD5 checksum value. These tools support various algorithms, including MD5.

7.1 Data Validation Tools
Data validation software is necessary to determine whether the extracted information has been disturbed during the acquisition process. As I previously mentioned, it is critical in Digital Forensics to validate any type of data collected. Otherwise, it is not sound evidence.

The acquired data was validated with the Terminal on a Mac running Mac OS X. The Terminal for OS X has a built-in md5 command. When the files are retrieved from an extraction tool, using the Terminal to get the hash of the file helps us validate them. Alternatively, on Windows, the files found can be uploaded to a file verification tool such as FileVerifier++. FileVerifier++ is a Windows application for verifying the integrity of files. There is a wide variety of other open-source validation software that has the ability to quickly and easily find a checksum.

Once both hash values are acquired, they can be compared to determine validity.

7.2 Data Validation Case Study
In this study, we must first acquire some data from a smartphone. Then, using the data validation tools mentioned in section 7.1, we validate the data.

An iTunes backup of the iPhone 6 was the first step. Once the
backup was complete, iBackup Extractor was launched. The most
recent backup for the device was selected: “Rodney’s iPhone –
2/15/2017 3:52 AM”. All of the data within that backup, ranging
from call logs to messages to images to voicemail, now become
available through the iBackup Extractor tool. However, we cannot
point to the specific data we need within the tool. Therefore we
must export the artifacts to an external folder. In this case, they
were exported to the Downloads folder.
Now that we have successfully acquired the data, we need to
ensure that the integrity was kept. For an arbitrary piece of data,
say a JPG image, we want to get the MD5 checksum value. This
is obtained by launching the Terminal. Within the Terminal we
pointed to the Downloads folder (cd downloads command) to
point to where the file was located. Then we typed md5
(command to execute a MD5 checksum value) and the name of
the file, ‘IMG_5493.JPG’.
Figure 5. MD5 checksum value of a file from an iPhone
As we can see in Figure 5, an MD5 checksum value of
‘d878600be2ccb1c52a9ae268b882d37’ was returned. This is the
first value that we need to make the validation comparison.
To acquire the MD5 checksum value of the image of the device,
we will first have to mount the device to the computer. In this
case, the iPhone 6 was mounted to the MacBook Pro. In order to
begin this mounting process, again, we launched the Terminal.
Using a series of commands, including the installation of
Homebrew and later installing the iDevice, we were able to access
the contents of the iPhone. Some of these commands include:
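# Register the osxfuse tap and install the FUSE driver that ifuse depends on
$ git clone https://github.com/osxfuse/homebrew-osxfuse /usr/local/Homebrew/Library/Taps/osxfuse/homebrew-osxfuse
$ brew tap osxfuse/osxfuse
$ brew install Caskroom/cask/osxfuse
$ brew tap Homebrew/homebrew-fuse
# ifuse mounts the iPhone's file system as a local directory
$ brew install ifuse
# Open up the lockdown (device pairing records) directory; mode 777 makes it writable by every local user
$ sudo chmod 777 /var/db/lockdown
$ brew install ideviceinstaller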
After the device is successfully mounted, we have full access to
the content on the iPhone. Since we used a particular extracted
image for the validation, we want to use the same image for the
comparison. Therefore, we found ‘IMG_5493.JPG’ on the device.
Using the terminal, we point to the mounted directory and run the
‘md5 IMG_5493.JPG’ command. Now that both the checksum
value of the extracted image and the checksum of the image on
the device are equivalent, the extracted image can be used as
evidence since we were able to keep the integrity of it. With
identical checksums, it is safe to say that the acquisition was
successful.
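
The comparison performed by hand in sections 7 and 7.2 (hash the exported file, hash the same file on the mounted device, compare), extended here to whole directory trees; this is an added example, not code from the paper or from any of the tools it names. It records SHA-256 next to MD5 because MD5 is no longer collision-resistant, and the same function can compare the exports of two different extraction tools; the directory layout and file contents in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, reading it once in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def index_tree(root):
    """Map each file's path relative to root -> (md5, sha256)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(extracted_root, reference_root):
    """Classify every file as match, mismatch, missing or unexpected."""
    extracted = index_tree(extracted_root)
    reference = index_tree(reference_root)
    report = {"match": [], "mismatch": [], "missing": [], "unexpected": []}
    for name in sorted(reference.keys() | extracted.keys()):
        if name not in extracted:
            report["missing"].append(name)      # on the reference, not exported
        elif name not in reference:
            report["unexpected"].append(name)   # exported, not on the reference
        elif extracted[name] == reference[name]:
            report["match"].append(name)        # both digests agree
        else:
            report["mismatch"].append(name)     # content differs
    return report


def demo():
    """Build two constructed directory trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        device, export = Path(tmp, "device"), Path(tmp, "export")
        (device / "DCIM").mkdir(parents=True)
        (export / "DCIM").mkdir(parents=True)
        # Constructed sample data, not real evidence.
        (device / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8 sample image A")
        (export / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8 sample image A")
        (device / "DCIM" / "IMG_0002.JPG").write_bytes(b"\xff\xd8 sample image B")
        (export / "DCIM" / "IMG_0002.JPG").write_bytes(b"\xff\xd8 sample image b")
        (device / "sms.db").write_bytes(b"constructed database bytes")
        return compare_trees(export, device)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {names}")
```

Only files listed under `match` have been shown to be exact copies; anything under `mismatch` or `missing` needs to be re-acquired or explained in the examination notes.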
8. CONCLUSION
Overall, the goal of this short paper is to introduce a practical
investigation of digital forensics tools for smartphones. By
extracting and validating the data using these software tools, we
can inform researchers about the tools that they can use in
practicing mobile forensic investigations related to messaging
applications. Smartphones will continue to be the dominant means
of communication for quite some time. Hence, the future for the
field of mobile forensics is very promising. Digital mobile
forensics continues to be challenging and continues to make
advancements with regard to new ways of effectively extracting
data.
While many of the tools mentioned are great at seizing
information from smartphones as a complete image, what we have
found is that they do not currently have an option to partially
extract data. Our future work will consist of methods to extract a
particular type of data sets that the digital forensic examiner will
need in a case. Based on the conducted analysis, a data acquisition
tool that ensures the integrity of acquired data will be developed
to test any tool’s ability to preserve data integrity.
9. REFERENCES
[1] V. D. Security, “VORMETRIC INSIDER Trends and Future
Directions in Data Security,” pp. 1–24, 2015.
[2] J. Hunker and C. Probst, “Insiders and insider threats—an
overview of definitions and mitigation techniques,” J. Wirel.
Mob. Networks, Ubiquitous…, pp. 4–27, 2011.
[3] M. Maasberg, J. Warren, and N. L. Beebe, “The Dark Side of
the Insider: Detecting the Insider Threat through
Examination of Dark Triad Personality Traits,” 2015 48th
Hawaii Int. Conf. Syst. Sci., pp. 3518–3526, 2015.
[4] Blue Coat Systems, “Why Your Mobile Device Isn’t As
Secure As You Think”, 2013,
https://www.bluecoat.com/company-blog/2014-02-20/whyyour-mobile-device-isn%E2%80%99t-secure-you-think
[5] Magnet Forensics, 2015.
https://www.magnetforensics.com/mobile-forensics/
[6] G. Hernandez, “Mobile Data Extraction 101: How to Deal
With Complex Mobile Data Structuring”, 2017,
http://www.law.com/sites/almstaff/2017/02/02/mobile-dataextraction-101-how-to-deal-with-complex-mobile-datastructuring/?slreturn=20170110211740
[7] Anglano, Cosimo. “Forensic analysis of WhatsApp
Messenger on Android smartphones.” Digital Investigation
11.3 (2014): 201-213.
[8] Azfar, Abdullah, Kim-Kwang Raymond Choo, and Lin Liu.
“An android social app forensics adversary model.” System
Sciences (HICSS), 2016 49th Hawaii International
Conference on. IEEE, 2016.
