• The popularity and the mobility
– It can be used as a criminal tool anytime, anywhere.
– The relatively large storage space of modern phones makes them a useful tool for data theft. An employee could steal sensitive corporate information by uploading it onto their phone.
Forensic toolkits
Software approach through OS
• Flashing tools
– Memory copying tools specifically targeted to a certain device.
– Two sources
  • Manufacturers or service centers, who use these tools for debugging and sometimes for in-field software updates.
  • Hackers, who use these tools for checking and changing device functionality ("unlocking / jailbreaking").
Extracting useful evidence from a damaged phone
Computer Forensics Research Group
Mobile Forensics:
Dr. Junbin Fang
Center for Information Security and Cryptography, University of Hong Kong
August 2011
Definition (Wikipedia)
• Mobile forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.
• In this talk, we focus on digital forensics on mobile phones, especially smart phones.
Status of mobile phone industry
• Much more mobile phone usage
– Worldwide mobile phone usage has increased dramatically in the last decade.
– Globally, the number of mobile cellular subscriptions reached 5.3 billion (2011), as reported by the International Telecommunication Union (ITU).
(Advanced Cell Phone Forensics, Jonathan Clark MBE)
Where is the evidence
• Three data storage media
SIM Card 64K-128KB
External Memory Card
Internal Flash Memory
The task of Mobile forensics
• To retrieve data from mobile phones as evidence in criminal, civil and even high profile cases.
Agenda
• Motivation
• Mobile phone forensics – data recovery from internal memory
• Mobile phone forensics with JTAG
• Demonstration - Extracting useful evidence from a damaged phone
• Future works
Software approach through OS
• Forensic toolkits + data cable
– Uses a logical protocol between the mobile phone and a PC.
– Usually comes with a large bundle of USB data cables for different phone models.
– The mobile phone should operate normally.
– *Digital evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
– Applications on a mobile phone can provide the phone with additional functions and flexible uses.
• Number of launched applications in App Store (iOS): over 500,000, as of July 2011.
• Number of launched applications in Android Market: over 250,000, as of July 2011.
• Problems
– A complete memory dump is not ensured!
– Not all phones in the market are supported.
– Specific cables and drivers are needed.
– The integrity of data may not be guaranteed.
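The first and last problems above can be checked after the fact. The following is an added example, not part of the original slides: it compares two reads of the same memory block by block and against the expected capacity. The block size, function names and sample bytes are assumptions made for illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumed; use the flash page size)

def block_hashes(image, block=BLOCK):
    """SHA-256 of each fixed-size block, so a mismatch can be localized."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]

def verify_acquisition(read_a, read_b, expected_size, block=BLOCK):
    """Check two reads of the same memory for completeness and repeatability."""
    ha, hb = block_hashes(read_a, block), block_hashes(read_b, block)
    mismatched = []
    for idx in range(max(len(ha), len(hb))):
        a = ha[idx] if idx < len(ha) else None   # None: block missing from read
        b = hb[idx] if idx < len(hb) else None
        if a != b:
            mismatched.append(idx * block)
    complete = len(read_a) == expected_size and len(read_b) == expected_size
    return {
        "complete": complete,                    # full memory range was dumped
        "repeatable": not mismatched,            # both reads agree block by block
        "mismatched_offsets": mismatched,        # where to look when they do not
        "sha256": hashlib.sha256(read_a).hexdigest(),  # value for the case record
        "sound": complete and not mismatched,
    }

def constructed_dump(size):
    """Constructed sample bytes standing in for a flash image (not real data)."""
    return bytes((i * 31 + 7) % 256 for i in range(size))

def demo():
    size = 4 * BLOCK
    full = constructed_dump(size)
    truncated = full[:3 * BLOCK]                 # tool stopped before the end
    altered = bytearray(full)
    altered[BLOCK + 10] ^= 0xFF                  # phone wrote between the two reads
    return {
        "good": verify_acquisition(full, full, size),
        "truncated": verify_acquisition(full, truncated, size),
        "altered": verify_acquisition(full, bytes(altered), size),
    }

if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["sound"], report["mismatched_offsets"])
```

Real dumps would be streamed from files rather than held in memory. Because a toolkit working through the OS reads a running phone, differing blocks between two reads are expected wherever the system wrote in between, which is why the mismatched offsets are reported rather than only a pass/fail flag.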
• Much more mobile phone production
– Vendors shipped 371.8 million units in Q1 2011, growing 19.8 percent year-over-year. (IDC)
Status of mobile phone industry
Smart phone gets smarter and smarter!
Crime with Mobile Phone
• The computing power
– Applications which can be used as part of a computer attack will run on a mobile phone.
– The penetration tool BackTrack 5 can now run on many smart phones, such as Motorola, Samsung Xperia X10, Nokia N900, to gain access to a Windows XP system. (May 23, 2011)
“BASELINE” Evidence
Phone Data, Call Registers & SMS
• MSISDN, Make, Model, IMEI, SIM S/N, IMSI
• Last Numbers Dialed (handset)
• Last Numbers Received (handset)
• Missed Calls (handset)
• Phone Book
• Contact Numbers (handset)
• Time & Date of Last Numbers Dialed
• Time & Date of Last Numbers Received
• Time & Date of Missed Calls
• Text Messages stored on handset
• Calendar data stored on handset
• Picture messages (SMS)
(Advanced Cell Phone Forensics, Jonathan Clark MBE)
• Much more computational power
– Typically 800 MHz~1.2 GHz for a smart phone processor.
– Dual core, even quad core mobile processors
• Much more mobile phone software/apps
“Enhanced” Level Evidence
• WAP URLs
• To do reminders
• Audio clips
• Voice memos
• Images associated with ADNs
• Emails
• Word documents
• FAX
• Pictures and photo messaging (MMS)
• Personal information management
• Video Clips
• Service profiles
• Apps
• Etc.
Internal memory acquisition
• Manual acquisition
• Software approach through OS
  – Forensic toolkits + data cables
  – Flashing tools + data cable
• Physical extraction
• Utilizing JTAG interface
Manual acquisition
• Approach
– Investigate the content of the memory through the UI of the phone.
– Photograph the evidence.
• Limitations
– Only data visible to the operating system can be recovered. All data are available only in the form of pictures.
– Not feasible for a phone with a large memory, say 8 GB. Automated tools are needed for this task.