±Forensic Focus Partners
|New Today: 3||Overall: 35980|
|New Yesterday: 5||Visitors: 385|
WebinarsBack to top Back to main Skip to menu
6 Keys To Conducting Effective Smartphone Forensic Investigations
Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Amber: Welcome to the 6 Keys to Conducting Effective Smartphone Forensic Investigations webinar. I’m Amber Schroader, the CEO of Paraben Corporation, and I’m here to share some of this information with you to make sure that we can help you in your examination process and offer suggestions on setting up your lab.
The six keys are pretty simple. We first have to select a proper tool, we have to be prepared, understand the playing field, look at the apps – because they are the current addiction that’s happening with smartphones, look at the different storage tiers associated with the device, and then last, I always like to say, don’t give up, and look ahead. Smartphone forensics is not the easiest to do, it can be dealing with a lot of high maintenance devices, but it can bring out great rewards with the types of evidence that you can get from these devices.
So when [you] look at selecting a proper tool, this has nothing to do directly with Paraben Corporation so much as it does about making sure that you’re picking the right tools and then ranking those tools. Part of your validation process – it is super important to make sure that you’re cross-validating and you’re not missing anything.
So first, look at all the different tools that you have. Make sure you don’t focus on just one. There is no way that a lab can exist doing smartphone forensics and only have one tool. There’s far too many difference that occur in between the different types of devices out there that [would] require you to make sure that you always examine with more than one. One tool might be really amazing at being able to get recovered data on iOS devices, but is not as great at getting data on Android devices. So you want to make sure that you have tools that fill in the gaps for one another and that you adjust that in your lab to make sure you’re always using more than one.
Look at the overall factors when you’re selecting these tools, such as the firmwares that are supported with it. It’s not necessarily about a specific device so much as what firmwares it supports with it. A lot of times, all you need to do is adjust a driver, and then you can have support for a device that maybe might not be on a supported model list, because there are so many models out there, it’s kind of impossible to keep a really comprehensive supported model list. But it does have the support for that firmware, so make a couple of adjustments in your process, and you’ll still be able to support that device.
The second thing is look at that design of the tool. When we design our tools, we look at it and we say, “Okay, we want to make sure that we’re working at a structured environment.” We want to build from a solid foundation that says we’re doing forensics. We made sure that we were designed for forensics in the beginning, [where we’re] our validation of the data we’re making sure we’re segmenting the data and validating it in its pieces, because a lot of times, with mobile devices in particular, they change. So you want to make sure you understand how that tool was designed to be able to validate the evidence that you’re acquiring. The second thing is make sure that it can adjust for what changes in smartphones. Remember, a new smartphone will come into market every three days. So making sure your tool is modular and structured, so that it can respond to that and have granular updates as needed, is super important to your selections.
When we look at the devices supported – people always come up and they ask me, and they say, “Okay, well, what can you do with Apple devices?” They need to be able to get into these locked Apple devices. Here’s the trick about Apple devices – almost all your tools will do Apple the same way. Apple doesn’t have a lot of creativity that allows you to adjust what your acquisition options are. It really forces you to, what I say, color in the lines. You’re not allowed to be very creative and use different methodologies. You never hear anyone talking about bruting an Apple device. That’s because Apple is restricting what you’re doing. So when you start looking at different tools you want to add into your lab, one of the things you want to look at is more what you’re doing with Android devices.
That’s where you’re going to get a lot of the diversification between your different tool selections, is: What are their methodologies with Androids? Are they doing an ADB? Are they doing a bootloader? Are they doing bruting? What’s their primary method versus their secondary method? Ask these questions of your manufacturer, because that’s going to help you to make sure that you really get that diversification in the tools, so you can fill all the different gaps associated with it.
Last is look at all the included features. When you’re trying to budget into smartphone forensics, it can be quite daunting, and you might look at it and go, “Wooh! This is going to be too expensive for my lab to do it!” There are a lot of different options out there, so don’t get intimidated by that. Look at the features that the tool has. Do they do logical? Do they do physical? Are they incorporating cloud? Because that’s very much an active part of smartphone forensics now. What is the reporting functionality? Because the reporting is of course what shows off all the labor and the work that you put into your examination. So you want to look at all these factors and make sure you’re making a selection based on all of them, not just one of them. Don’t get caught up in hype over one particular feature that a tool might have. Look at the overall scope of the tool, make sure it’s a good fit for your lab.
Now we’re going to talk about being prepared. Being prepared is all about a validation plan. This is really what truly makes digital forensics a science as opposed to an art. And I’ve talked about this for many years, because I really want people to start incorporating the creation of a validation plan in their lab, and then really, part of making it into something that they do on a regular basis.
The first question I always get asked how often do I actually validate. In my lab, I actually do once a quarter. And the reason I choose once a quarter is it’s a very easy measure, and it also makes it so it’s something that … typically you’re going to see your software tools release a new version once a quarter if not every other quarter, depending on the tools you’re using, so this is a really good way to be able to validate it.
Then I look at what my method is. I use baselining devices, I check the different data, and I do it based on firmware, because I think firmware is an easier way to, again, validate my tools as opposed to a particular model. So I think that makes a lot of sense for it. I also make sure I document everything I’m doing, and then I keep a log or a grouping of devices that act as my log, so I can test them every time. It’s not a huge hit in your budget, because you can go out and you can use devices you can buy on some of the refurbish sites, or you can use eBay or whatever works for your particular region. But you do want to keep those baseline devices with the different firmwares, because that way you can always go back and test them, and you know exactly what’s going to be on them.
The last thing I do is I rank my tools. The reason I rank my tools is, that way, when I have an examination come in my lab, and I say, “I’ve got an Android and it’s running version 5.0 firmware,” I know which tool’s going to work best on version 5.0 firmware of an Android device. So that tier system allows me to have that very quick reference chart that says, “Okay, I’m going to use tool X,” or “I’m going to use tool Y.” And I don’t have to go through and revalidate with each exam, I have a set plan that my entire lab can use, so any examiner in my lab can go to the chart, they look it up, and they say, “Oh! I gotta use this tool as my primary, and here’s my secondary,” and you know it based on that system. You do not have to have the same tool and the same tier for every type of device. You can expect one tool to be the top tool for every single phone you’re going to deal with. That’s the whole point of being able to find out which tools might have gaps where they’re not as good at one versus something else. There’s no perfect tool out there. So you want to make sure that you’re keeping that ranking.
Here’s an example of my ranking chart. It’s not super complicated, as you can see. I do a score of 1-10. That’s the easiest way for me to do it. And then I rank my tools. So I did not put the tool names in here, but if I look at Android support, I have Tool 1 ranked a score of eight out of ten. And that scoring system is done based on how well it does on logical support, what type of recovered data it does, how much app recovery it does, and then what kind of reporting structure and functionality they have on the backend, which has a lower overall score associated with it. We see I have Tool 1 ranked eight out of ten, Tool 3 ranked six out of ten, and Tool 2 ranked five out of 10.
So those are my top three tools that I have within my lab, and I say, “Okay, how are they going to do on iOS support?” We see Tool 2 moved up to my top ranking in iOS support. [When I had] data analysis of apps, Tool 1 ranked the highest out of that one. And then I have data presentation and reporting, and again, that’s a really big deal, because that is all of your efforts being put out to whoever you’re producing the data for. Whether it’s someone within a law enforcement or government organization or it’s a private client, you still want to make sure you have good data presentation reporting.
Let’s look at our next area, or our next key, which is understanding the playing field. At this point in smartphone forensics, you’re really looking at what you can do with Apple devices and what you can do with Android devices. A lot of the other devices have kind of gone out of the picture. They’ve officially announced that Windows phone devices are no longer going to have any type of operating system support. [They’ll get] updates to it, but beyond that, they’ve really kind of faded out. We’ve seen that with BlackBerry. We still have BlackBerry, but it’s Android BlackBerry. So we’re still dealing with it in two primary firmwares, two primary operating systems. So we’re really going to focus on those two areas.
When we look at these devices, I’ve talked before, it’s about the firmware. So making sure you understand what the firmware is or what it’s going to actually do as far as affecting your examination is super important. Every smartphone has a base firmware, and those firmwares can then update within different generations based on the hardware of that device. Remember, the firmware actually works in combination with the chip on the phone. Those two things will actually affect your examination. A lot of times, we don’t talk about the chips on the phone and what they’re going to do to our examinations. But keep in mind, you are truly doing embedded system forensics, so a lot of times, your tool is actually talking to the chip first and then dealing with that firmware. But I do all of my ranking, all of my testing based on firmware. So it is important to keep track of them and what’s happening with them.
Here’s a preview of some of the latest firmwares that have come out. We look at Android – these are [our last ones] that came out in the last couple of months, and well, this was all of 2017, and then we started at the end of the year, we typically see the new firmwares release. So as you can see, we have a huge variety of firmwares with Android Nougat. A lot of these, people are like, “Oh, well, there’s nothing older than Lollipop out there, I’m not going to have to worry about it.” What you’re forgetting is all of those burner devices and all of those inexpensive tablets that have become so popular, where you can go buy a tablet device and only spend $30-40 on it. Those are going all the way back to Ice Cream Sandwich as a firmware version. So you want to make sure that you’re keeping up with your testing and your tool validation all the way back into the Ice Cream Sandwich.
I don’t typically go Honeycomb and below. I make sure my tool – I have a tool that supports everything associated with it, most of your tools out there will do that. But my validation starts Ice Cream Sandwich in [10:55], and I make sure I maintain devices and those firmwares to be able to do my validation. I also recommend that labs invest in one single device that comes directly from Google when it comes to Android, because they’re going to get the latest firmwares first. So have a Google Pixel device, or have a Google Nexus device, so that you know that although it’s an expensive device to have on hand, you’re going to be able to test and validate those latest firmwares first, before it starts rolling out to all of the different manufactured devices.
Here’s our summary of Nougat. Nougat had a couple of cool things that came out that are important for us in forensics, and I actually keep these notes as part of what I keep in my lab documentation. So when someone has a device come in for the lab to process, they know some of the highlights associated with that particular firmware, just so that you stay aware of it. Remember, at the end of the day, smartphone forensics is truly a lifestyle choice, and you really have to keep up on it. So I keep track of all the different release notes, and then we keep them in a binder associated with Android in our lab, so we can go back and reference it.
So these are the highlights that we had in our lab notes. The first one is the multi-language texting. We thought this was important, because this tells us that we can have different content in texting than what we were seeing before. So we might have to make sure that our tools are searching for multiple types of languages. So that changed part of my validation plan associated with it.
For an examination, I thought it was important that we can now do two app uses at the same time – so it’s a dual app use. So that was important for my lab, so we had to mention that one. They can reply to text on the fly – that’s important when it comes to seizure. File-based encryption – I have a lot of sad emojis when it comes to encryption in smartphones, which is an entirely different webinar. But that is definitely a big barrier that we’re looking at associated with the changes in smartphones. So we want to make sure that we’re aware that file-based encryption is now supported in this particular firmware.
We have a direct boot of apps, so they don’t have to be put in – you don’t have to enter the password first, before doing an app. That can make a lot of adjustments to whether or not I have a malicious app that can potentially destroy my evidence while I’m in my seizure stage. The active app screening done by the firmware tells me that they’re making some changes in looking for spyware and malware, so that makes a lot of sense to me. If someone calls and wants to hire our lab to scan for that, I know that this is a functionality of Nougat as well, so it helps me see those apps differently.
And then I have a device change as far as connections go, where now we’re starting to move to a USB Type C connection, which means I need to have different hardware in my lab. So I have a huge multi-generation cable [stack], I have filing cabinets full of cables at this point, for doing mobile forensics since 2001. So I just make sure that I have multiple of that cable length, because remember, cables go bad, and if this is becoming a common cable, then I have to be prepared to have it in my lab.
Now we have the newest version of Android, and the biggest thing – because I was waiting for it to roll out – is for me to focus on where it’s changing in the market. There are three primary areas that they decided to put Android Oreo on, which is Android Automotive – so I now know that I can potentially expand the offerings of my lab, and it also means I now have a new mobile device, very large mobile device, that I’m going to be able to go through and be able to work in acquisition. So I’m going to see some changes happen with my tools that I’m going to watch out for and make sure that I’m adding a separate validation for it. It’d be nice to have my lab be able to get a car just for validation, but I’m going to have to make some adjustments in that plan, because it’s not very realistic.
Then we have Android IoT – so the Internet of Things. This is a big change for those, because in theory, our Internet of Things devices [14:46] the projections are going to outnumber our smartphones at five to one or greater. So now I know that they’re creating an Android operating system that’s just designed for those IoT devices, that tells me it’s something I have to watch out for and look differently on my [seizure seed] to make sure that all of my clients are then bringing me the proper devices to be able to do acquisitions on.
And the last one is Android VR or Virtual Reality, where they’re going to put a full operating system inside a headset. Again, I’m adjusting what I’m seizing on my crime scene, and any type of crime scene, whether it’s public or private, it doesn’t matter, it’s still a scene that you’re looking for potential crimes occurring in, I’m going to look for these headsets, because that means I’m going to have to do that type of acquisition. And I’m going to have to wonder, what are my tools supporting when it comes to virtual reality – can they support anything?
So these are good questions to ask, and it tells you you’ve got some extra validation steps that you need to go into. You’ll see as I continue throughout the webinar that each of these keys build on one another, and they really make sure that you’re prepared to be able to do smartphone forensics in general.
Now let’s talk about iOS. Like I mentioned, we always have to color in the lines. There’s not a lot of creativity when it comes to our iOS devices. And it’s the same when we start looking at the different firmwares. Most of 2017, we looked at version 10.0, having different versions of the firmware go out. So this is what we’re looking at for what we’re having as a baseline in our lab. So this goes into my lab notes again.
So we have facial recognition with photo search – that’s important, because that means that it actually has a metadata that it’s linking the different photos together. So it can tell if you have a picture of Amber and how many other pictures of Amber you have, together, and it can actually do a grouping.
We have visual link sharing in iMessage, that’s important because now I know I have a dynamic link in iMessages. So they’re changing the type of data that I can transmit with that particular tool. That’s very popular with Apple devices, so I want to adjust my analysis side of it when I look at my suspect’s evidence.
I have a voicemail transcription – so before, I knew I could get voicemails off the device, I knew I had the recordings and I had to watch for those audio files, but now I have the ability to actually see it as a transcription. That’s helpful to me because now I know I can get searching [17:09] voicemails as well. I still, as a general rule of thumb, always make sure I look for the audio files, because I know I should be listening to those as part of my examination. But this was an important feature, so I made sure we put it in our notes.
We have phone support for VoIP services, so we now have a different tier of devices. So I know that I can act as a VoIP service within my phone calls, so my phone call isn’t meaning the same thing that it was before, so I need to do extra looking into that. And then I have multilingual support in text – we saw that as well in Android, so it makes sense, we have an Apple-Android battle going on, as you saw from my opening graphic – so I know we need to adjust there.
And then the last one is the new IoT integration for controlled home devices. That’s a big deal, because now Apple is getting into that IoT market I mentioned before, we’re going to talk a little, tiny bit about IoT at the very end of the webinar, just to get you prepared for it. But now I know I need to be looking for additional Apple devices that could potentially run in these firmwares.
Last thing with Apple – it’s always about encryption. Apple, for the last couple of years, has really taken a very strong stance on encryption when it comes to digital forensics. So they’ve added additional password options, and have forced the users into it. It’s actually really hard to get through the setup process, because it constantly insists [and says] you really need to lock this device, are you sure you don’t want to lock this device. So all of that constant changing to it is prompting the consumer to do locks in it that they might not naturally do, which is creating a problem for us in digital forensics.
So it has new password options where the password length is much longer than it was before, which we all know that means that it’s going to take longer to have any possibility of breaking it. It has an auto-lock functionality so that the device is locking on its own, without user interaction, and locking usually faster. And the last one, that two-key authentication, does create problems when it comes to being able to break into the device, and it’s just created one more barrier. I always remind people that the nice thing that we have still – it’s not the best thing – is that a lot of times, you can go to the desktop associated with the Apple device and still pull their backup records and get a lot of the data that might be associated with it; when the device might be locked, it doesn’t guarantee that the backup records are. So it’s a good tidbit to make sure you’re looking in both locations.
With iOS 11, we saw some big changes coming out. And obviously, we have big changes associated with the device. They’ve added their Apple Watch 3, which now can act as an independent phone, away from the handset, where their watch wasn’t like that before. We have a new facial recognition that’s gone into the iPhone 10. So these are new barriers that we’re going to have to look at, and again, additional webinar material associated with just those particular changes.
But for a summary on 11, we have organizing files across devices – I put this similar to Dropbox, and the reason for that is we want to know that the device data can exist over more than one. So you can see when you have linked devices associated with Apple, is they can share accounts, they can share iMessages. So it’s nice to know that now we can also share files. So that’s an important characteristic to be watching for.
It can multitask [at the app], so what you see is not what you get. So that’s important to think of when you’re actually doing your acquisition or you have your first interaction with the device.
We have the new Apple pencil. This is a new device, so it’s an accessory device associated with it, but the big question is does it actually have separate data storage with it. It’s important to remember that this is now available and is something you should probably [be seizing] associated with these devices as well.
We have augmented reality supported – so we have augmented reality and virtual reality coming for both devices. That means that we’re going to look for additional types of devices, and we have a new [plane] for data storage that we weren’t really prepared for before. So we have to keep that in mind and make sure we’re looking for it.
And the last one – and I noted this in our list, and people always wonder why I did, but – it’s Scan and Sign. In particular, I noticed this on the private side, when we’re doing investigations, because it means that they can have a legal document on the device that is an actual true legal document, it has the user’s signature associated with it and everything else, and it also can do an OCR functionality.
That changes what I’m searching for in my data, it changes that I might actually be looking for more documents instead of focusing just on particular apps and different things like that, that I’m going to see more documents on the device than I was seeing before.
Our next area, and some of our final keys, is about apps. Apps are currently the new addiction. I love this picture in the fact that I think it really summarizes how people feel about their apps. Because they are as addictive as drugs are, and because of that, they contain a lot of data associated with our devices. 90 per cent of your time associated with your smartphone is spent in an app. Because of that, it’s generating the highest percentage of data associated with your investigation. So that’s one of the first areas I like to look in.
We have two different ways that we look at apps. We have parsing and we have unparsed apps. It’s important to remember that just because something might not be beautiful in the tool that you’re working with, and nicely parsed out, with nice columns, and all the date/timestamps configured for you, that you can go through and actually see a lot of that data in unparsed apps. So we’re going to look at two different areas of those. A parsed app is something that your tool is going through and making beautiful for you. They’re doing all the interpretation of the data for you. Remember that tools might support an app to a particular version, but then the version changes and then the app isn’t supported any more. It’s a constant struggle, because the apps do update even more frequently than the firmwares do. So it is difficult for all of your tool manufacturers to stay on top of that all the time. It doesn’t mean you can’t see that data.
Our first area of data – we’re going to look at Snapchat data, and I actually have examples of multiple types of Snapchat versions, but I want you to see the type of data that you have associated with it. So we have Snapchat, we have our account information associated with it, we have the friends who are snapping, we have received snaps, and then in this case, with this version of the Snapchat app, we also have recovered data. Because at one point in the app, you are able to get deleted data associated with it.
On the first part, that is our user information that we have, but in the bottom screenshot we have there, you see other information such as this status, where it says “Loaded and not viewed” versus “Not viewed and not loaded”. So we have different statuses – it might be “Viewed and loaded”. This is important in particular in Snapchat, where it’s actually eliminating data after you go through and actually view it, and the user side, that that metadata is different for it than you might see in something else. So it really takes a lot of care to understand what that app is doing. So I always go to the app store first, I go, “Okay, let me understand what the app is doing,” because that’s going to explain the data that I’m able to see based on my forensics.
Here’s another example. As we see, our metadata associated with the accounts, we also see different things like sent snaps, we’ve changed versions of Snapchat, our received snaps, and then we have chats. Because I can chat with my snaps. So I’m able to see that textual data associated with it, even if I can’t see my pictures that I might be snapping back and forth.
Another very popular app is Instagram. So I have my account, and you’ll see consistently, in most of the apps, you’re going to be able to see the account information, which of course is very important. It’s going to have their screen name associated with it, etc. And Instagram, I’m also going to see conversations, because I can chat back and forth on Instagram separately, [than] actually doing what I’m publicly posting out there. But I also have cached media. So that cached media is associated with all the different people I follow. So you have examples on the bottom there of some popular content that my identity is following. So this is our Meadow Lark identity. They’re following Justin Timberlake, they’re following Taylor Swift, they’re following bird people – it’s a bird name after all. So all of that information gets put together, and small icons or small thumbnails of those pictures that are in those feeds are then associated and cached, associated with Instagram.
Another popular one, Facebook Messenger. And the reason I have all these examples of these different apps as a reminder to you is I want you to see the diversification that happens in the data. Because you see that each one is keeping different storage mechanisms, it’s grouping the data differently. And that’s important because each app is so unique to one another, it’s what makes them so hard to support in your tools, but the other side of it is it makes it so you have to adjust the way that you’re doing your analytics.
So with Facebook Messenger, I have my current user information – so that will be my account information. And then I have conversations, because it’s primarily a conversation app. So I have group conversations that might occur with two or more people. So I have three plus in those group conversations, and then I have separate, one-on-one conversations, where I’m talking with individuals. And you see that it’s actually broken down and parsed into those different categories, based on the type of conversations that were happening. Then, at the bottom there, you have recovered conversations. My primary tool that I’m using here, which is the E3 platform, we always refer to anything that will be – and I have it in quotes – “deleted” as recovered. Because you don’t have a way to determine that the user actually deleted it, so it’s always referenced as recovered. So you’ll see that over and over again in my screenshots, that I have recovered conversations or recovered data. So I have a group conversation list and I have contacts that were recovered, maybe I didn’t want to be friends on Facebook Messenger with someone else, and so I dropped him out of my contact list, and then they could have been recovered separately.
Tinder – Tinder is a very popular dating app, it’s also a very popular communication app, because you can chat back and forth with different people. So we felt that it was one that you should definitely focus on. So I have my current user data – we’re used to that – but we also now have viewed photos, because it’s a photo-driven app. It’s one of those where if you swipe to the right you find someone attractive; you swipe to the left you don’t find them attractive; and you swipe up you find them super attractive. Because it is a social app for data or getting together with another person.
So I have viewed photos that have been cached together, I have my profile settings, and then I have something called a match list. Now again, I would have gone to the app store if I wasn’t a Tinder user, and I would have said, “Okay, how does this app work?” The match list is important because it works on geolocation. So that means that I’m tying a different level of evidence into it, and I need to make sure that I understand that, because it’s going to tell me where the geographic location was of my suspect when they were matched up with someone. And typically, they’re matched based on a geolocation, and then the app itself says “both of you swiped up or swiped to the right on one another, and so we’ve matched you together.” We then see conversations, and again, you see that recovered data and recovered accounts, which means that’s been data that potentially could have been deleted.
As we look at our match list, we see things such as the person’s name, their gender, when they matched up with my particular person or my identity in this case, and the last time they had activity, data associated with them, and whether or not their profile was viewed. You’ll see a lot of my profiles in this weren’t viewed, because I was generating test data.
Then we also see the conversations associated with it as they go back and forth, and I have the identification of everything that’s picked up. One of the nice things about Tinder is that it caches that so that perhaps you talk to someone and then you don’t talk to them again later, you can still reference back to your original conversation.
Now let’s look at Twitter. Twitter is an interesting one, because you have two different tiers associated with Twitter. You have what might be local on the device, as you see in my example here, and then we’re going to talk about Twitter in the cloud, because you have Twitter keys that are generated on the device that allow you to authenticate into the cloud.
So here’s an example of localized data, where we have not only our information associated with our account, but we also see our picture. If we look to our left, and we kind of see the hierarchy of the Twitter data though, we see that it’s not as organized as some of the others, because we’re starting to go into some of that unparsed app area. The reason is the Twitter app actually changes somewhat frequently, and so you see a lot of that structure change. So my tool can be parsing it in one version, and then the next version it’s not being parsed, because they’ve done changes into it to make it more compatible with the new firmware version that have released, and they haven’t updated it in their particular app or they updated off of the release schedule associated with my forensic tool.
I always like to point out YouTube, and this is one of those examples I give, because this is my son’s YouTube history. It’s a reminder to him that he needs to be safer in his choices on the internet, so he gets to be any type of presentations or webinars that I give. So he is part of the C Generation or the Connected Generation. They’re technically called the Z Generation. I choose C, because they’ve never known life not connected to the internet.
So when you look at my son’s YouTube history, which is stored separately, and he typically uses the YouTube app to be able to do most of his YouTube surfing, he always forgets that I can read all of that data. So when he has things in there like “How to make a fire using only an orange,” “How to fold a shirt in under 2 seconds,” or “How to sneak out at night,” that was the warning sign right there, and “How to get money from your parents,” we can see that he might be heading towards some nefarious activities. And that’s when we go through and we view things. Lucky for him, his mom is a digital forensics expert, and was able to find all this data and reprimand him before he made some bad life choices.
His additional YouTube history, just to show you what it looks like when you look at it in a tool, is very similar to how you’re looking at your internet history.
When you go through and look at these different apps though – and this is an example of how one app can lead to another, in my son’s YouTube history, he had looked up ways to hide text messaging from your parents. When he did that, he went out and chose the particular app to hide that text messaging, and then was able to bring it back in and say, “Okay, hey, this is what I’m going to install on my phone.” What he didn’t think of is that I’m looking at his YouTube history, and I can watch the same videos he did, which told me what I was looking for. So here’s an example of how that works back and forth that we did in a test scenario so we could do a screenshot, because I don’t think you really wanted to read my son’s text messages. Not always my favorite either.
But it’s true that they can actually use encryption. So we have on the right some standard messages that are going back and forth, and the very bottom message there, you see where it’s actually using encryption. It’s important to use this as an example, because if you’re going through and you’re viewing the data, and you see this type of information, it tells you they have some third-party app that is actually encrypting the data. And if you don’t look to notice that behavior change, you might miss something important.
This is why, when I look at my apps, I always like to look at an overall view of it. So this is where we – and this is a tool, this is the E3 platform – we actually rank the apps based on whether or not it’s highly suspect, suspect, or low suspect. And we do that because each app will go through and store the level of access it has in the phone. So at the top here, you’ll see the Google Play Store is highly suspect. The reason is it has almost access to your entire device, when you start looking at its access rights. So that is something that can potentially be highly suspect, because it has a lot of access into it. You’ll see changes in the future where we also mark things, where it also says, “Okay, this has actually been marked at acceptable for the Google Play Store,” as opposed to something that they’re installing that is not sold in the Google Play Store. So there’s another level of protection, you can go through it.
I also like this because it gives me a comprehensive list of all the apps on my device that I’m investigating, and if there’s ones that I might not be familiar with – so if I wasn’t familiar with Snapchat – then I know I need to go look in the app store and find out what that particular app is doing.
Now we have our second [area] – those unparsed apps, where it’s one of those that you go, “Okay, now I have to do all the work as the examiner.” Now, there’s a lot of really great tools out there that do SQLite parsing. That’s what most of your apps are looking like. A lot of times, it’s built into the tool. That’s one of the things that I actually use in my ranking system when I’m validating tools, is they have an option to be able to look at unparsed data associated with it. So I have either a hex view or I have the ability to parse SQLite data. Because I think that’s super important when it comes to smartphones.
So when I look at my data – and I have an example for you of it just in a filtered text view, this is an example of Opera data on an Android – you still see the information you want. So you’re still going to go through and be able to see the URLs they went to, because Opera is an internet browser. I can go through and still recover all of that information associated with it.
Now, I see I have unparsed data, so I can go and look at my tool ranking chart, and say, “Okay, does someone else parse Opera data?” Because I know that my suspect is using Opera, based on this information.
If I want to look at a SQLite database structure, which is what we have with a lot of the different apps, we see here, I’m looking at a cache file associated with Google, so I can go through and open that SQLite database, and I see all the different sub-databases associated with it. This is from inside my tool, but if I don’t have a SQLite tool and I don’t have that capability for me, one of the nice things is Mozilla Firefox has a separate free plugin that you can add in to Firefox, so I could export this SQLite data outside of my tool, and then I could go through and review it in Firefox, and have a free tool. I also like that because I have a secondary validation tool for my SQLite database that I didn’t have to pay for from lab, and I got it free, associated with Firefox.
So when I go through and I have the different – so I had all of my structure, my SQLite, I had a section that had the messages table – so I can go through and see those messages. Now, what you’re looking at is technically unparsed data. So my tool didn’t do the parsing for me. What it did do is it provided me a SQLite parser to be able to see that data. And you see that that information is just as clear as what I had in my parsed data. When I go through and I see the references for SQLite, we’ll see things like the row ID and the row number, and that’s what’s starting to actually link those different databases together.
I have my messages here; my messages linked over to an attachment, because it had a column that said there’s attachments associated with it; I have my row 1, ID 1 associated with it, so I’m linking back over to that same message; and I can go back and forth and look at the value, and then I can say, “Here’s my message, here’s the filename associated with that.” So I have a jpeg, if you look to the far right, with the jpeg, that tells me that’s my attachment associated with it. And then I have the ability to then go and pull that attachment out of the [same/different] database associated with it, which happens [to the attachment in phones].
The data is very relational, there could be tons and tons of different webinars just on SQLite. So this is just an example to remind you that you don’t have to rely 100 per cent on your tool giving you all that information. You have the ability to say, “Okay, here’s my SQLite database. Let me just logically go through and look at how that data is actually linked to one another.”
One of our final keys is we’re going to look at how we are looking at different storage tiers. Those storage tiers are now getting to be where we have not only localized storage, but we have remote storage capabilities, which is where this image is. My husband actually gave me this image, and it’s my favorite way to explain the cloud, because there is no cloud – it’s just someone else’s computer. For almost a year, I actually acted as the cloud to my children, and they had no idea it was happening, and made me doing forensics on my kids so much easier, because their data just checked in locally to me. So you never know who your cloud is going to be, and so that does create a little bit of a barrier for you.
It is important to understand, first off, where your data is located. This is a very easy-to-follow chart that says, “Okay, I’m on iOS, I have on-device storage, it doesn’t support media cards, it does have a SIM card, it does have cloud storage capabilities, it has two levels of cloud storage capabilities because I have traditional cloud and then I have the Apple iCloud. So I know I’m on Apple computers or I’m on someone else’s computer with them. And it does support a desktop backup record.” So I like this chart because it’s an easy way for everyone in the lab to say this is an expectation of the data that we’re going to be getting in, and what we’re supposed to be doing with that data.
When we look at cloud data access from the device, it’s important to understand what your tool capabilities are. This is Paraben’s E3 capabilities. So I have our cloud capabilities associated with it. When you look at cloud capabilities with any of your tools, you need to make sure you understand what they can and cannot do associated with it, and how they actually perceive the cloud. When we go through and we look at the cloud, we look at a hundred per cent of that content that we have access to in their cloud account, and that’s what you get in their image. So it’s not just what was associated with the device, it’s looking at all of their Gmail. It’s supported for both Android and iOS, and you can see there’s a variety of different information. So I can do Facebook, Gmail, Google Drive, Google Location, Twitter, and at the bottom there, the Amazon Echo, because the Amazon Echo is associated with the entire … entirely in the cloud.
When we look at the cloud data, we have very simple things we’re looking for. We’re looking for authentication keys for our device when they access this data in the cloud, and then we’re collecting that authentication key data to be able to parse it out and understand which cloud keys have been generated. Sometimes those cloud keys, as you can see on my screenshot, are generated for multiple types of accounts, and that’s a very important thing for you to pay attention to, because it means that perhaps more than one person will be using this device.
Once we have put in our authentication key, we’re able to see all the cloud accounts that were associated with it, and at this point, we haven’t actually authenticated or talked to the cloud yet. When we hit that bottom button that says ‘Authenticate’ in the bottom right-hand corner, that’s when we actually query out to the cloud, validate that the keys work, and we’re able to look at what data we want to import into it. So our authentication process – I validated, I was successful, the keys are still valid. If they have two-key authentication going, it does not affect that. It is able to automatically authenticate into the device, because this is already a pre-authenticated device. It makes it think it is its smartphone.
And then I’m able to import that data, which is what you see in the tree view to our right, is I have Facebook data, I have Gmail data, and I have Google Drive data. So when I have the Facebook data, as an example, I have not only their profile, I have their friends, their notifications, any attachments they’ve gotten, conversations they receive, their newsfeed, and any of the picture albums associated with it. And this is true for both Android and iOS devices. On Gmail, I have the Inbox, Sent Items, Chats, attachments associated with it, and Google Drive files, because obviously, it’s the primary cloud storage in the file list.
Now, depending on the legality that you have for your particular region, you obviously need to make sure you’re falling within those parameters. But on the other side of it is you got to make sure that from a tool perspective – because we’re a tool manufacturer, we have to make you a tool that has all the capabilities possible, and then you have to use it within the premise of your legal area.
Let’s look at some of the other hidden data associated with smartphones. We have iOS keychain data. iOS keychain data is when you get an encrypted backup or you generated an encrypted backup on your own, you’re able to generate these keychains that are automatically made by Apple. Now, one of the nice things you have is that the user cannot affect these keychains, which means they cannot turn off this particular functionality. So you’re getting this data with every type of Apple device.
So I changed my parameters associated with how we do Apple devices in my lab, so that I do a logical image but then I go to a separate workstation that we have dedicated, with just iTunes on it, and then I do an encrypted backup with a known password over there. When I do that, it generates those keychain files. As you can see from the list here, the keychain files that are generated are quite valuable to you, because you can get their general passwords, and you get the web form data that they’ve filled out and associated with passwords as well, internet passwords, their Wi-Fi access points, and their cryptographic keys. It gives me that extra layer that I might be looking at with my suspect, that says, “Okay, what additional information are they generating?”
We’re into our final section, and I told you, smartphone forensics is probably the most high-maintenance area in digital forensics that you have to deal with, because it is changing so frequently, there are so many different variables that you have with it. So it is really important to not give up, and to make sure that you’re constantly looking ahead, because it is evolving, a lot of times, faster than what we’re able to evolve within our own labs.
I’ve mentioned it a couple of times with both Android and iOS, and the trend into IoT – this is one of the areas of focus we have at Paraben, is making sure that we are supporting you when it comes to the Internet of Things. And as you can see from these charts, there are going to be a lot of them. We’re into the multi-billions of these types of devices, and only a portion of them are going to be cellular-based, so only a part of them are looking at being smartphones. So we want to make sure that you’re prepared for them and what you’re looking at with their data.
We call it the Forensics of Things. So we look at data, anything from the drones that are very popular and being supported out there, that we added support for that back in 2016, early 2016. We added support for the toys, the gaming systems, we added back in 2013. We added the Fitbit and the wearables and the different types of devices. A lot of those you see that we’re adding an IoT support, with every single release that we have with Paraben. So you want to make sure that your tools are prepared for that. It has a slightly different validation process associated with it, because it is evolving even faster than smartphones are, but it’s important that you’re looking for this evidence and making sure you’re capturing it as part of your forensic process.
In the end, I encourage each one of you to email me with any questions that you might have. You also can follow me on Twitter or follow the company on Twitter. We’re @parabencorp or I am @gingerwondermom. I also maintain a blog called Forensic Impact. This is when we go through and [we reveal] some of these emerging topics. We talk a lot about IoT in there and give you ideas of what you should be looking at, and the data [we go through, and we review] an app and give you the fundamentals of what you can recover with each different app. I welcome outside bloggers into the blog as well. It’s not a subscription service, so it’s something open to everyone, and I recommend that you take a look at it at forensic-impact.com. Or there’s a link directly to it on paraben.com.
Thank you very much for joining me on these six keys, and I hope they’re able to help you as you go out and you do more smartphone forensics.
End of Transcript