Mobile Forensics – Advanced Investigative Strategies
Ebook, 675 pages, 4 hours

About this ebook

About This Book
  • A straightforward guide to address the roadblocks faced when doing mobile forensics
  • Simplify mobile forensics using the right mix of methods, techniques, and tools
  • Get valuable advice to put you in the mindset of a forensic professional, regardless of your career level or experience
Who This Book Is For

This book is for forensic analysts and law enforcement and IT security officers who have to deal with digital evidence as part of their daily job. Some basic familiarity with digital forensics is assumed, but no experience with mobile forensics is required.

Language: English
Release date: Sep 30, 2016
ISBN: 9781786464088

    Mobile Forensics – Advanced Investigative Strategies - Oleg Afonin

    Table of Contents

    Mobile Forensics – Advanced Investigative Strategies

    Credits

    Foreword

    About the Authors

    About the Reviewer

    www.PacktPub.com

    Why subscribe?

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Conventions

    Reader feedback

    Customer support

    Downloading the color images of this book

    Errata

    Piracy

    Questions

    1. Introducing Mobile Forensics

    Why we need mobile forensics

    Available information

    Mobile devices

    Personal computers

    Cloud storage

    Stages of mobile forensics

    Stage 1 - device seizure

    Seizing - what and how should we seize?

    The use of Faraday bags

    Keeping the power on

    Dealing with the kill switch

    Mobile device anti-forensics

    Stage 2 - data acquisition

    Root, jailbreak, and unlocked bootloader

    Android ADB debugging

    SIM cloning

    SIM card memory

    Memory card

    Stage 3 - data analysis

    Summary

    2. Acquisition Methods Overview

    Over-the-air acquisition

    Apple iCloud

    Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10

    Google Android

    Logical acquisition (backup analysis)

    Apple iOS

    BlackBerry 10

    Android

    Nandroid backups

    Physical acquisition

    Apple iOS

    Android

    Windows Phone 8 and Windows 10 Mobile

    Limitations and availability

    Tools for physical acquisition

    JTAG

    Chip-off

    In-system programming

    Summary

    3. Acquisition – Approaching Android Devices

    Android platform fragmentation

    AOSP, GMS, and their forensic implications

    Android logical acquisition

    OEM software

    Android acquisition – special considerations

    Unallocated space

    eMMC storage

    Remapping and overprovisioning

    Wear leveling

    Trimming

    What happens to the deleted data?

    JTAG forensics

    When to JTAG a device

    Limitations of JTAG forensics

    Step-by-step JTAG acquisition

    Chip-off acquisition

    Chip-off and encryption

    In-system programming forensics

    Summary

    4. Practical Steps to Android Acquisition

    Android physical acquisition

    Encryption

    Approaching physical acquisition

    Encryption status – Is the data partition encrypted?

    Service mode available

    LG smartphones

    Devices based on the Qualcomm reference platform

    Mediatek-based Chinese phones

    Bootloader status

    Root status

    LG smartphones' LAF mode

    MediaTek smartphones

    Qualcomm bootloader exploit

    Qualcomm-based smartphones – HS-USB 9006

    Encryption

    The Qualcomm 9006 mode

    Tools for imaging via Qualcomm Download Mode 9006

    Using custom recoveries

    Imaging via custom recovery – making a Nandroid backup

    Imaging via custom recovery – physical imaging via dd

    Imaging the device

    NANDroid backups

    Is unlocked bootloader required?

    Is root access required?

    Producing a Nandroid backup

    Analyzing Nandroid backups

    Live imaging

    Live imaging with root (via dd)

    Live imaging without root (via ADB backup)

    Live imaging using Oxygen Forensic Suite

    Google Account acquisition – over-the-air

    Why Google Account?

    Google Account – what's inside?

    A word on Android backups

    Google Takeout

    Google Account acquisition and analysis using Elcomsoft Cloud Explorer

    Two-factor authentication

    User alerts

    Viewing, searching, and analyzing data

    Summary

    5. iOS – Introduction and Physical Acquisition

    iOS forensics – introduction

    Generations of Apple hardware

    Is jailbreak required?

    Geolocation information

    Where is the information stored?

    iOS acquisition methods overview

    iOS acquisition methods compared

    iOS advanced logical acquisition

    iOS physical acquisition

    Physical acquisition benefits

    What's unique about physical acquisition?

    The future of physical acquisition

    Physical acquisition compatibility matrix

    Unallocated space – unavailable since iOS 4

    Sending device to Apple

    The role of passcode

    Physical acquisition of iOS 8 and 9

    Tools for iOS physical acquisition

    Tutorial – physical acquisition with Elcomsoft iOS Forensic Toolkit

    What does the tool do?

    Prerequisites

    Acquiring 64-bit Apple devices

    Comparing 64-bit process and traditional physical acquisition

    Supported devices and iOS versions

    Performing physical acquisition on a 64-bit iOS device

    What is available via 64-bit physical acquisition

    Locked device with unknown passcode

    Viewing and analyzing the image

    Potential legal implications

    Summary

    6. iOS Logical and Cloud Acquisition

    Understanding backups - local, cloud, encrypted and unencrypted

    Encrypted versus unencrypted iTunes backups

    Breaking backup passwords

    Breaking the password - how long will it take?

    A fast CPU and a faster video card

    Breaking complex passwords

    Knowing the user helps breaking the password

    Tutorial - logical acquisition with Elcomsoft Phone Breaker

    Breaking the password

    Decrypting the backup

    Dealing with long and complex passwords

    Elcomsoft Phone Breaker on a Mac, inside a virtual PC, or via RDP

    iOS Cloud forensics - over-the-air acquisition

    About Apple iCloud

    Getting started with iCloud Keychain

    Getting started with iCloud Drive

    Understanding iCloud forensics

    Tutorial - cloud acquisition with Elcomsoft Phone Breaker

    Downloading iCloud backups - using Apple ID and password

    Downloading iCloud/iCloud Drive backups - using authentication tokens

    Extracting authentication tokens

    iCloud authentication tokens (iOS 6 through 9) - limitations

    iCloud Drive authentication tokens (iOS 9 and newer) - a different beast altogether

    Quick start - selective downloading

    Two-factor authentication

    Two-factor authentication is optional

    Two-factor authentication versus two-step verification - understanding the differences

    Two-step verification

    Two-factor authentication

    No app-specific passwords in two-factor authentication

    Cloud acquisition with two-step verification and two-factor authentication

    What next?

    Summary

    7. Acquisition – Approaching Windows Phone and Windows 10 Mobile

    Windows Phone security model

    Windows Phone physical acquisition

    JTAG forensics on Windows Phone 8.x and Windows 10 Mobile

    Windows Phone 8.x device encryption

    Windows 10 Mobile device encryption

    Windows Phone 8/8.1 and Windows 10 Mobile cloud forensics

    Acquiring Windows Phone backups over the air

    Summary

    8. Acquisition – Approaching Windows 8, 8.1, 10, and RT Tablets

    Windows 8, 8.1, 10, and RT on portable touchscreen devices

    Acquisition of Windows tablets

    Understanding Secure Boot

    Connected Standby (InstantGo)

    BitLocker device encryption

    BitLocker and Encrypting File System

    BitLocker and hibernation

    BitLocker acquisition summary

    Capturing a memory dump

    Types of evidence available in volatile memory

    Special case – Windows RT devices

    SD cards and Windows File History

    Imaging Built-in eMMC Storage

    eMMC and deleted data recovery

    Windows 8 and Windows 10 encryption – TRIM versus BitLocker

    Booting Windows tablets from recovery media

    Special case – recovery media for Windows RT

    Steps to boot from recovery media

    Configuring UEFI BIOS to boot from recovery media

    Acquiring a BitLocker encryption key

    Breaking into Microsoft Account to acquire the BitLocker Recovery Key

    Using Elcomsoft Forensic Disk Decryptor to unlock BitLocker partitions

    BitLocker keys and Trusted Platform Module

    Imaging Windows RT tablets

    BitLocker encryption

    DISM – a built-in tool to image Windows RT

    Must be logged in with an administrative account

    Must be logged in

    Booting to the WinRE command prompt

    Entering BitLocker Recovery Key

    Using DISM.exe to image the drive

    Cloud Acquisition

    Summary

    9. Acquisition – Approaching BlackBerry

    The history of the BlackBerry OS - BlackBerry 1.0-7.1

    BlackBerry 7 JTAG, ISP, and chip-off acquisition

    Acquiring BlackBerry desktop backups

    Decrypting the backup

    BlackBerry Password Keeper and BlackBerry Wallet

    BlackBerry Password Keeper

    BlackBerry Wallet

    BlackBerry security model - breaking a device password

    Acquiring BlackBerry 10

    Getting started

    BlackBerry 10 backups

    BlackBerry 10 - considering ISP and chip-off forensics

    Acquiring BlackBerry 10 backups

    Using Elcomsoft Phone Breaker

    Using Oxygen Forensic Suite

    Analyzing BlackBerry backups

    Summary

    10. Dealing with Issues, Obstacles, and Special Cases

    Cloud acquisition and two-factor authentication

    Two-factor authentication – Apple, Google, and Microsoft

    Online versus offline authentication

    App passwords and two-factor authentication

    Google's two-factor authentication

    Microsoft's implementation

    Apple's two-step verification

    Apple's two-factor authentication

    Bypassing Apple's two-factor authentication

    Two-factor authentication – a real roadblock

    Unallocated space

    The issue of unallocated space

    Accessing destroyed evidence in different mobile platforms

    Apple iOS – impossible

    BlackBerry – Iffy

    SD cards

    Android – possible with limitations

    Android – built-in storage

    Unencrypted storage

    Encrypted storage

    Encryption in different versions of Android

    Android – SD cards

    Android – SD card encryption

    Windows Phone 8 and 8.1 – possible for end-user devices with limitations

    Windows Phone BitLocker encryption

    Windows Phone SD cards

    Windows RT, Windows 8/8.1, and Windows 10

    eMMC and deleted data

    eMMC and SSD – similarities

    eMMC and SSD – differences

    Overprovisioning and remapping

    User data in overprovisioned areas

    Delete operations on non-encrypted eMMC drives

    eMMC conclusion

    SD cards

    SD card encryption

    Apple iOS

    Android

    Windows Phone 8/8.1

    Windows 10 Mobile

    Windows RT

    Windows 8 through 10

    BlackBerry OS 1 through 7

    BlackBerry 10

    SD cards conclusion

    SQLite databases (access to call logs, browsing history, and many more)

    Summary

    11. Mobile Forensic Tools and Case Studies

    Cellebrite

    Micro Systemation AB

    AccessData

    Oxygen Forensic toolkit

    Magnet ACQUIRE

    BlackBag Mobilyze

    ElcomSoft tools

    Case studies

    Mobile forensics

    Data recovery

    BlackBerry scenarios

    Locked BlackBerry devices

    Locked BlackBerry, not attached to BlackBerry Enterprise Server (BES)

    Locked BlackBerry attached to BES

    Locked BlackBerry attached to BES with Pretty Good Privacy (PGP) encryption

    Locked BlackBerry, not attached to BES

    Locked BlackBerry - completed successful chipoff

    Locked BlackBerry - password does not work

    Unlocked BlackBerry devices

    Unlocked BlackBerry device with no password

    Unlocked BlackBerry device with password

    Summary

    Mobile Forensics – Advanced Investigative Strategies



    Copyright © 2016 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: September 2016

    Production reference: 1260916

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham 

    B3 2PB, UK.

    ISBN 978-1-78646-448-4

    www.packtpub.com

    Credits

    Foreword

    Hello reader. I welcome you to a book of knowledge. When Vladimir Katalov offered me an opportunity to write a foreword for their book, I was surprised and also humbled. I have never written a foreword to a book, much less participated in the authoring of a book. I accepted Vladimir’s offer. So here goes.

    In the field of digital forensics, there is an overwhelming amount of information to learn and comprehend. Many years ago a highly respected colleague said to me: No man is an island. What did he mean by this statement? From my perspective, this means that you cannot know it all. We as examiners and practitioners in the digital forensics field must learn to impart knowledge responsibly, and share so that we can all learn. In essence, a collective digital forensics knowledge hive, where the answers to our challenges lie within the knowledge hive. This book then is a part of this hive. It is important also not to focus only on the analysis tool, but also on the understanding of the devices and technologies and the methodology used to successfully get the data. This book will also help you understand the underlying technology and methodology.

    In the end, I leave you to carry on your journey in this book. I hope you enjoy reading and learning from it as much as I have.

    Shafik G. Punja

    Police Officer, Digital Forensics Team

    About the Authors

    Oleg Afonin is a researcher and an expert in digital forensics. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, FT-Day, Techno Forensics, and others. Oleg has co-authored multiple publications on IT security and mobile forensics. With years of experience in the digital forensics and security domain, Oleg has led forensic training courses for law enforcement departments in multiple countries.

    Vladimir Katalov is CEO, co-founder, and co-owner of ElcomSoft Co. Ltd. Vladimir manages all technical research and product development in the company. He regularly presents at various events and regularly runs security and computer forensics training both for foreign and domestic (Russian) computer investigative committees and other law enforcement organizations.

    Special thanks to Oleg Davydov whose help and advice was truly invaluable. Without Oleg’s deep understanding of Android internals, this book would not be the same. Oleg Davydov is a co-founder and CTO of Oxygen Software. Since 2000, he has been involved in software development related to mobile forensics. For the last 10 years, Oleg has been busy developing mobile forensic tools. Oleg is an expert in cryptography, IT security, software development, mobile forensics, and reverse engineering. Oleg works in the mobile forensics industry, using his experience and understanding of smartphone internals to help law enforcement.

    Special thanks to Shafik G. Punja who caught things that we missed. His expertise in acquiring BlackBerry devices was an invaluable help.

    About the Reviewer

    Shafik G. Punja is a police officer with the Calgary Police Service, having served for over 20 years. He has been working in digital forensics since 2003 and is currently assigned to the Digital Forensics Team (Cyber/Forensic Unit). He has qualified in the Canadian legal system as an expert in the area of digital forensics, and has previously served as guest instructor for the Technological Crimes Learning Institute (TCLI) at the Canadian Police College, in Ottawa, Ontario. His private sector work involves R&D partnerships with various law enforcement colleagues and digital forensics training.

    www.PacktPub.com

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www.packtpub.com/mapt

    Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    Preface

    Smartphone and tablet technology has changed dramatically and rapidly in the last several years and continues to do so at an astounding pace. These smaller computing devices are so common, with the ability to replace their desktop counterparts in human-to-computer interactions. Sit in any café, airport, or public place that offers Wi-Fi and you will see humans with their faces ostensibly glued to their device screens, interacting on their device with such focus, seemingly oblivious to their own physical environment.

    Smartphone and tablet devices have become large digital storage vaults that store our personal and professional secrets. Strangely enough, with little faith, we have also begun to allow ourselves to accept the backing up of this data to the cloud so that important aspects of our local device storage are now also in cloud storage. Why did I mention cloud storage? Cloud backup data can be accessed outside of the device itself through other processes, when access to the device data itself may be obstructed due to security mechanisms. This book addresses cloud forensics from the various smartphone platforms.

    Whilst this could be considered a highly technical book, it is an excellent read for both novices and experienced examiners alike. For those that have read any of the blog articles that have been published by Elcomsoft, you will find a comfortable approach to the way this book has been written.

    The authors of this book strive to provide essential information about a number of concepts including the following:

    NAND eMMC flash memory

    A brief summary of JTAG forensics

    NANDroid backups

    iOS security and acquisition method

    Password breaking on iOS backups

    Windows Phone security and acquisition

    BlackBerry 7 and BlackBerry data acquisition methods and password breaking

    There are of course references to customized tools that are developed by the authors and their colleagues. What this highlights to anyone reading this is that in the field of mobile forensics, no one tool can do it all. I know and say this from experience because I have used all the tools mentioned in this book. All tools have their strengths and limitations. But to be effective, an examiner must have at least several tools to cover the broad range of technology in mobile forensics.

    What this book covers

    This book is written to represent a natural flow in the e-discovery process, covering the different stages of mobile forensics from seizing the device to acquiring the data and analyzing evidence. The book covers basic handling, acquisition, and analysis techniques for smartphones and tablets running the most popular operating systems: Android, iOS, Windows Phone, Windows 8, 8.1, and RT, and BlackBerry. The following topics are covered in detail:

    Seizing techniques:

    Shielding the device: the use of the Faraday bag

    Preserving volatile memory and capturing memory dumps

    Acquisition techniques:

    Physical acquisition (via USB connection)

    Logical acquisition via data backups

    Over-the-air acquisition and cloud analysis

    Evidence discovery and data analysis:

    Finding, viewing, and analyzing evidence

    Tools for mobile forensics:

    Acquisition and analysis tools overview

    Tools for acquiring iOS devices

    Tools for acquiring Android, BlackBerry, and Windows Phone devices

    Tools for discovering and analyzing evidence

    It is important to note the bits that this book does not cover. These include:

    JTAG acquisition

    Chip-off imaging

    Disk imaging tools

    Tools for acquiring Windows 8 and 8.1 devices

    We will not go into any technical detail, such as which hex code at what address means what, or how to calculate UDID, or how to use ADB to break through passcode protection on Android 2.1. We believe these things are meaningless for a law enforcement officer, and should only interest technicians working in an acquisition lab – and this book is not for them.

    Chapter 1, Introducing Mobile Forensics, introduces the concept of mobile devices as a source of valuable evidence. The chapter describes what types of evidence are generally available in mobile devices. It also outlines acquisition options depending on whether the reader has access to the actual device, knows the user’s login and password (such as an Apple ID or Google Account password), or has access to the computer that was used to sync the mobile device. This chapter also discusses the various techniques used by suspects to counter forensic efforts, and suggests methods to overcome such efforts. This chapter is essential to understanding what the expert is trying to achieve when investigating mobile devices, and why and how. After reading this chapter, you will understand the big picture of mobile forensics and realize that there is no single straightforward path to acquiring mobile evidence, and understand that available acquisition options strongly depend on various factors. You’ll get an idea of how to seize and store mobile devices and how to detect and counter anti-forensic efforts.

    Chapter 2, Acquisition Methods Overview, gives an overview of the acquisition methods available for different mobile platforms. With the wide range of mobile devices around, multiple acquisition methods exist. There is no single universal acquisition method available for all models. Some acquisition methods depend on the phone’s lock and encryption status, OS version, type of available storage, and so on. Investigators have to work their way through the investigation to discover what acquisition methods are available for a particular device.

    Chapter 3, Acquisition – Approaching Android Devices, discusses the options available for acquiring information from Android devices, providing a detailed outline of physical, logical, and over-the-air acquisition methods for Android smartphones and tablets. In this chapter, the reader will learn what acquisition methods are available for the Android platform, which acquisition techniques are available in what circumstances, and how to choose the appropriate acquisition method for a given device. This chapter also covers one of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence. In this chapter, we discuss exactly how modern smartphones handle deleted data, depending on the operating system (Android, iOS, Windows) and encryption status. We’ll address the differences between internal (eMMC) and external (SD) storage of the device in the context of being able to recover information from unallocated areas.

    Chapter 4, Practical Steps to Android Acquisition, discusses the massive amounts of information collected by Google, and explains how to extract this information from Google servers. We’ll be using forensic tools to download data from Google, view it, and examine obtained evidence. The acquisition of Google Accounts can provide a much deeper insight into user activities than what’s available in a single Android smartphone. This chapter offers a detailed discussion and demonstration of various physical acquisition methods available for a wide range of Android devices, including manufacturer-specific low-level service modes (LG, Qualcomm, and Mediatek), using custom recoveries (CWM, TWRP) for dumping the data partition, making NANDroid backups, and using command-line tools such as dd for live imaging the device. In addition, this chapter discusses the issue of encryption and its effect on physical acquisition.

    Chapter 5, iOS – Introduction and Physical Acquisition, discusses the benefits and unique features of physical acquisition, and talks about stored passwords and Apple secure storage, the keychain. This chapter provides a detailed compatibility matrix for physical acquisition, discusses which locked devices can be acquired without knowing the correct passcode, and lists forensic tools that offer physical acquisition of Apple iOS devices. It discusses the differences between 32-bit and 64-bit Apple hardware, and explains how to install a jailbreak.

    Chapter 6, iOS Logical and Cloud Acquisition, introduces the concept of the logical acquisition of iOS devices. Logical acquisition consists of extracting existing iTunes backups or making the device produce a backup and then extracting it. The differences between encrypted and unencrypted backups are explained, outlining the benefits of producing encrypted backups with a known password over unencrypted ones. This chapter outlines the basics of recovering unknown backup passwords. In addition, this chapter provides step-by-step instructions on using Elcomsoft Phone Breaker to extract iOS backups. If the backup is protected with an unknown password, detailed instructions and recommendations on recovering the password are provided. This chapter explains the advantages and applicability of over-the-air acquisition, and demonstrates how to use Elcomsoft Phone Breaker for cloud acquisition. In addition, this chapter discusses the use of binary authentication tokens to bypass an Apple ID and password, as well as two-factor authentication.

    Chapter 7, Acquisition – Approaching Windows Phone and Windows 10 Mobile, introduces Windows Phone forensics. It outlines the available methods and approaches to acquiring Windows Phone 8 and 8.1 and Windows 10 Mobile devices. Physical acquisition, bootloader exploits, invasive (advanced) acquisition via JTAG, and chip-off are explained. In this chapter, we discuss the differences in device encryption between generations of the Windows Phone platform, and provide a detailed walkthrough of over-the-air acquisition of Windows mobile devices using Elcomsoft Phone Breaker.

    Chapter 8, Acquisition - Approaching Windows 8, 8.1, 10, and RT Tablets, covers major points that make tablet forensics different from the traditional PC and laptop acquisition approach. We’ll cover the new Connected Standby mode replacing traditional Sleep and Hibernate modes of Windows laptops, discuss Secure Boot on various Windows tablet platforms, review UEFI BIOS settings, and learn how to start the tablet from bootable USB media. We’ll also cover techniques on capturing the content of the device’s RAM and imaging non-removable eMMC media. General acquisition steps for Windows RT devices are also described, as standard Windows recovery media cannot be used with RT devices.

    Chapter 9, Acquisition - Approaching BlackBerry, provides an introduction, overview, and in-depth tutorials on acquiring BlackBerry smartphones running legacy (BB OS 1 through 7.1) and modern (BlackBerry 10) versions of the OS. BlackBerry backups and backup passwords (legacy BB OS) are explained. This chapter provides tutorials on how to extract and view legacy BlackBerry backups and recover passwords protecting these backups. The reader will learn how to use Elcomsoft Phone Breaker to decrypt BlackBerry 10 backups and view their content with Elcomsoft Phone Viewer or Oxygen Forensic Suite.

    Chapter 10, Dealing with Issues, Obstacles, and Special Cases, covers some of the most challenging aspects of mobile forensics: the ability to recover destroyed evidence and the challenge presented by two-factor authentication. In this chapter, we discuss how exactly modern smartphones handle deleted data depending on the operating system (Android, iOS,
