Smartphone Forensics: Part 1
If you look a little ways back in the archive of Emagined blogs, you’ll see a three-part series that I wrote on mobile computing security several years ago when I was still at High Tower Software. In that series I enumerated and described some of the major security risks involved in mobile computing and predicted that these risks would only become bigger over time. More recently I wrote about vulnerabilities in the iPhone, something that I badly want to purchase for myself, but about which I am also too nervous (because of all the vulnerabilities in this product) to do so.
Given the plethora of risks associated with smartphones, paying attention to and fixing smartphone vulnerabilities is imperative. There is another side to smartphones, however, involving some of the methods and techniques that information security professionals often use—forensics methods. Forensics on smartphones has been mostly overlooked in the past, but the almost ubiquitous use of smartphones nowadays has brought this area to the forefront of interest both within and outside of the law enforcement community. Smartphones are now routinely used in the commission of crimes, for example when a drug dealer uses a smartphone to call another to confirm a drug drop-off time and location. Although phone call logs are available from telecom providers, the information stored on the individual cell phones themselves is not—hence the need for forensics analysis of smartphones.
The methodology for conducting forensics investigations on conventional computing systems such as PCs is widely agreed upon and used in real-life settings. Forensics investigators record information about the setting in which evidence is being gathered; make image copies of hard drives; label, attest, seal, and hand over to an evidence custodian any evidence that has been gathered; and (usually) use a forensics tool to methodically analyze working copies of hard drives and other evidence (e.g., physical evidence). Hardware tools that quickly image hard drives are widely available. If such tools are not available, a forensics investigator can always use forensics software to duplicate the information on hard drives, even though doing so is much slower. And just about every forensics investigator understands where system binaries and configuration files are located on a conventional computing system, as well as where and how perpetrators hide information on the hard drives of these systems, e.g., using slack space to hide pornographic pictures.
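The imaging, attestation and working-copy steps described above, as an added example that is not part of the original post: the drive is copied block by block, the source and the image are hashed so the image can be attested, a custody record is produced, and a working copy is re-verified against that record before analysis. The investigator name, setting notes and the small stand-in "device" file are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in RAM
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()
def image_and_attest(source, image_path, investigator, setting_notes):
    """Copy source block-for-block to image_path, hash both, and return a
    custody record. Refuses to attest an image whose hash differs."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    src_digest = src_hash.hexdigest()
    if sha256_of(image_path) != src_digest:
        raise RuntimeError("image does not match source; do not use as evidence")
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "investigator": investigator,
        "setting": setting_notes,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "bytes": os.path.getsize(image_path),
        "sha256": src_digest,
    }
def verify_working_copy(path, record):
    """Before analysis, confirm a working copy still matches the attested hash."""
    return sha256_of(path) == record["sha256"]
def demo():
    # Constructed stand-in for a device: a small file in a temp directory.
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "device.bin")
    with open(src, "wb") as f:
        f.write(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)
    rec = image_and_attest(src, os.path.join(tmp, "device.dd"), "J. Doe", "desk, powered off")
    work = os.path.join(tmp, "working.dd")
    shutil.copy(rec["image"], work)
    clean = verify_working_copy(work, rec)
    with open(work, "r+b") as f:  # simulate a working copy altered during analysis
        f.write(b"X")  # overwrites the first byte
    return rec, clean, verify_working_copy(work, rec)
```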
The same is not true of smartphones, however. As I have previously said, with every new generation of these products smartphone operating systems more closely resemble the “normal” operating systems of mainstream computing systems. So, for example, the iPhone’s operating system has become increasingly similar (though still not identical) to the Macintosh operating system, DarwinOS. But the hard drive of an iPhone is quite different from a Macintosh hard drive. The first part of the former consists of a 300 MB read-only partition. The second part, the user data partition, is the rest of the storage space—the part of the hard drive in which pictures, email, and other files are stored. Conventional forensics tools do not in general interface with smartphone hard drives, which usually necessitates buying special software, often available from the same vendors who make forensics tools for conventional computing systems. Additionally, making a physical connection between a smartphone and a computer running specialized forensics software requires obtaining a specialized cable, e.g., one that provides an interface between the physical ports on the smartphone and a conventional computing system.
In the next posting in this series we’ll look at forensics for iPhones. After that we’ll look at forensics for BlackBerry devices and other types of smartphones. Stay tuned.