Mobile extractions infecting your investigative platform?

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Post Posted: Mon Nov 28, 2016 5:57 pm

I was recently asked whether or not you could obtain malware from a mobile extraction and then have it infect the computer you were using to view the data.

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet. I would also think that the computer should have the most up-to-date virus protection and that it should be run against any downloads prior to viewing.

The reason I am asking is that in this case I don't believe any of these best practices are being followed.

In general what are you folks doing AND does anyone know of cases involving malware obtained from a mobile extraction infecting a work station?



Many thanks!
_________________
Ed

I'm not a cellular technology expert, but I did stay at a Holiday Inn Express last night. 

hcso1510
Senior Member

Re: Mobile extractions infecting your investigative platform

Post Posted: Mon Nov 28, 2016 7:48 pm

The majority of malware on phones is OS-dependent. So malware on Android wouldn't infect a workstation running Windows. It is possible that a phone could be storing Windows malware just waiting to be shared to a computer system, but I'd say that's unlikely. Also keep in mind that many mobile forensic tools require that AV be turned off to allow mobile OS attacks to attempt root access.

I've never had a mobile device acquisition infect the workstation.  

troyschnack
Member

Re: Mobile extractions infecting your investigative platform

Post Posted: Tue Nov 29, 2016 9:04 am

Whenever it is possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll simply delete the VM and start over with a clean platform.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user lock unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right to choose which tasks we take and which we deny!

passcodeunlock
Senior Member

Re: Mobile extractions infecting your investigative platform

Post Posted: Wed Nov 30, 2016 6:40 am

- passcodeunlock
Whenever it is possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll simply delete the VM and start over with a clean platform.

Do you ever have issues with dongle detection, out of interest?  

Chris_Ed
Senior Member

Re: Mobile extractions infecting your investigative platform

Post Posted: Wed Nov 30, 2016 6:47 am

I do note from time to time that my AV (Vipre) will block some items when I'm dumping a phone download for a client.

In some cases they appear to be genuine malware attachments to emails etc., but in most cases they are false positives.

I always suspected that perhaps some legitimate mobile apps are coded in such a way that they get flagged by computer AV, but I'm not really sure.  

Adam10541
Senior Member
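hcso1510's point that Android malware cannot run on a Windows workstation, and Adam10541's note that desktop AV flags items in phone dumps, both come down to asking what in an extraction the examiner's own host could actually execute. The following is an added example written for this thread, not code from the forum or from any extraction tool; it assumes the extraction has been exported to a directory on disk, and the magic-byte list, script-extension list and sample file names are my own choices.

```python
# Triage a mobile extraction by file content rather than extension: separate
# files the examination host could execute (PE, ELF, Mach-O, Windows scripts)
# from Android-only artefacts (APK, DEX) that a workstation cannot run.
import tempfile
import zipfile
from pathlib import Path

# Leading bytes of native executables for the usual examiner host platforms.
HOST_MAGICS = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe")
# Script types Windows runs on double-click; weaker, extension-based evidence.
SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".jse", ".hta"}

def classify(path: Path) -> str:
    """Return 'host-executable', 'android-only' or 'other' for one file."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(b"dex\n"):
        return "android-only"  # Dalvik bytecode: phone-only
    if head.startswith(HOST_MAGICS):
        return "host-executable"
    if head.startswith(b"PK\x03\x04") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "android-only"  # APK package: phone-only
    if path.suffix.lower() in SCRIPT_EXTS:
        return "host-executable"
    return "other"

def triage(root: Path) -> dict:
    """Walk an extraction directory; return {category: [relative paths]}."""
    report = {"host-executable": [], "android-only": [], "other": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report[classify(p)].append(p.relative_to(root).as_posix())
    return report

def build_sample_extraction(root=None) -> Path:
    """Write a constructed, harmless sample extraction tree; return its root."""
    root = root or Path(tempfile.mkdtemp())
    (root / "Download").mkdir(parents=True, exist_ok=True)
    (root / "app").mkdir(exist_ok=True)
    (root / "Download" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "Download" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")
    (root / "Download" / "invoice.js").write_text("// placeholder script\n")
    (root / "app" / "classes.dex").write_bytes(b"dex\n035\x00" * 2)
    with zipfile.ZipFile(root / "app" / "base.apk", "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return root
```

`triage(build_sample_extraction())` lists the PE stub and the .js file under `host-executable` and the APK and DEX under `android-only`, so only the first group needs an AV pass or a throwaway VM before anyone opens it on the workstation.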

Re: Mobile extractions infecting your investigative platform?

Post Posted: Wed Nov 30, 2016 9:43 am

- hcso1510

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet.

... with a freshly installed OS on a previously wiped disk or just re-imaged from a pristine condition image (... in a perfect world).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Mobile extractions infecting your investigative platform

Post Posted: Wed Nov 30, 2016 12:56 pm

This is a very good question that illustrates yet another advantage of a stand-alone dedicated extraction solution such as the Cellebrite UFED Touch, which was designed to be protected.

RonS
Senior Member