Sunday, 1 April 2012

Smart Phone Forensics: Strip 'em all!

Nowadays it is difficult to choose which gadget to buy because there are so many types on the market. To commit to, or become loyal to, a certain brand is another issue. Most probably the right choice is to follow the trend.

Nevertheless, you can buy them all if you are financially capable, but the less fortunate have to put in some thought and consideration. The best decision is to go for the most popular brand name, with lots of technical features on offer, support for contemporary applications (e.g. Facebook and Twitter) and, last but most importantly, the pricing (value for money).

Smart decision, smart phone…so…bye-bye computers and laptops!

It is convenient to carry an ALL IN ONE gadget (for the 'mobile' people).

From the perspective of digital forensics, this ain’t good!

We are just about to 'ease down' on computers and hard disks, and now along come smart phones and flash memory.

It is bad. When are the digital forensics people going to relax and have fun with their work?

Sorry mate! Not in this particular profession.

So how are we going to process a smart phone? Well, strip 'em all. You gotta know hardware and software. Both domains. No shortcut.

Technically, it is mainly divided into three phases, as follows.

1) Interface – you need to have a good understanding of its interface. It may have two interfaces, but nowadays it is most probably only USB (older phones come with a JTAG connection).

The packaging is another challenge; you must bare it all (knowledge of electronics is a must). Then you can refer to the technical documentation to get around it and take a forensically sound 'image' of the smart phone.

Without the image you can’t move on. No logical or physical analysis. Full stop!

2) Analysis of data structure/control – if you get past the first obstacle, the next difficult phase is to 'decode' everything in the flash memory/image. It is easier to analyze the SIM and SD card (with a common file system, i.e. FAT32), but not this one. It has some encryption in order to protect its intellectual property, or is made proprietary. Hacking and cracking must be done in a forensically sound manner.

Good luck with this! It is adventurous (just like the Harry Potter movies). My advice is 'where there's a will there's a way'. But again, it is easier said than done.

Phases 1 and 2 are both really important. Without phase 2, phase 1 will be a waste; you are unable to get anything out of it.
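To show what the 'easy' case in phase 2 looks like, here is an added example (my own illustration, not code from the original post or any forensic tool) that decodes the BIOS Parameter Block of a FAT32 volume, as found on an SD card, from a read-only image. The boot sector it runs on is constructed inline and is not taken from any real card; the volume label and sizes are made up.

```python
import struct

def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte FAT32 boot sector for demonstration; not from any real card."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                 # jump instruction
    bs[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<H", bs, 11, 512)       # bytes per sector
    bs[13] = 8                                # sectors per cluster (4 KiB clusters)
    struct.pack_into("<H", bs, 14, 32)        # reserved sectors before the first FAT
    bs[16] = 2                                # number of FAT copies
    struct.pack_into("<I", bs, 32, 3911680)   # total sectors (about a 2 GB card)
    struct.pack_into("<I", bs, 36, 3816)      # sectors per FAT (FAT32 field)
    struct.pack_into("<I", bs, 44, 2)         # first cluster of the root directory
    bs[71:82] = b"EVIDENCE01 "                # volume label (11 bytes, space padded)
    bs[82:90] = b"FAT32   "                   # file system type string
    bs[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(bs)

def parse_fat32_boot_sector(image: bytes) -> dict:
    """Decode the BPB from the first sector of a FAT32 image and locate its structures."""
    if len(image) < 512 or image[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: not a boot sector (or wrong offset)")
    bps, spc, reserved = struct.unpack_from("<HBH", image, 11)
    num_fats = image[16]
    total16, = struct.unpack_from("<H", image, 19)       # used only on small volumes
    total32, sectors_per_fat = struct.unpack_from("<II", image, 32)
    root_cluster, = struct.unpack_from("<I", image, 44)
    total = total16 or total32
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or num_fats == 0:
        raise ValueError("BPB fields out of range: image damaged or not FAT")
    first_data_sector = reserved + num_fats * sectors_per_fat
    clusters = (total - first_data_sector) // spc
    if clusters < 65525:                                   # Microsoft's FAT type rule
        raise ValueError("fewer than 65525 clusters: FAT12/16, not FAT32")
    return {
        "bytes_per_sector": bps,
        "cluster_size": bps * spc,
        "fat_offset": reserved * bps,                      # byte offset of FAT #1
        "fat_size": sectors_per_fat * bps,
        "first_data_sector": first_data_sector,
        "cluster_count": clusters,
        "root_dir_offset": (first_data_sector + (root_cluster - 2) * spc) * bps,
        "volume_label": image[71:82].decode("ascii", "replace").strip(),
    }

if __name__ == "__main__":
    # On a real case, read only the first sector of the acquired image (never the card):
    #   with open("sdcard.dd", "rb") as f: sector = f.read(512)
    for key, value in parse_fat32_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:>18}: {value}")
```

Every offset used here is fixed by the published FAT specification, which is exactly why an SD card is the easy case compared with a proprietary flash dump.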

3) Developing a tool – once you get the results of the above experiments and gain expertise, the manual approaches can be turned into 'best practice'.

The next step is to develop a tool to help you in your work. It is needed, and it lets you process the exhibit faster.

This time around, I will not share the mobile phone forensics literature with you unless personally requested. There are dozens available on the Internet, and if you have a subscription to certain databases, it is even easier.

So, we do not have much choice when it comes to smart phone forensics. We need to read up and gather information on integrated circuits, protocols, operating systems, hardware packaging, interface types (and what you can get from each; imaging may not be so straightforward), flash memory technologies (NAND and NOR), etc.

In conclusion,
Con: We have a lot of work to do...
Pro: It is doable!