Smartphone Forensics: Part 7
This is the last of a seven-part series on smartphone forensics. The topic is what to do with the information that has been copied from smartphones and other mobile devices such as iPods. We’ll assume that the forensics data have been copied to a special handheld device for mobile device forensics (such as one that Guidance Software makes), to a PC (ideally one on which a forensics tool is running), or to a secure USB drive. (The best forensics procedure is actually to make two copies: a best-evidence copy to be stored in a forensics vault, and a working copy for forensics analysis.) One of the risks in making forensics dumps is that information obtained in this manner might be altered on the computer or device to which it has been copied. The copied data must thus be accessible only in read-only mode so that nothing can be changed. Additionally, a hash value of the data (preferably computed with one of the SHA family of hash algorithms) should be computed and, if possible, compared to the hash value of the data on the original device. Forensics tools make performing all these procedures much easier and more error-proof, but experienced forensics investigators can do just about anything without such tools if necessary. For example, it is possible to set a Registry value in Windows XP to prevent writing to USB drives. To prevent writing to the USB drive, use regedt32 or another Registry editor to go to:
Insert the following value:
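The hash-and-compare step from the first paragraph, as an added Python example (not from the original post): a SHA-256 digest of the best-evidence copy is recorded, that copy is made read-only, a working copy is taken, and re-verification shows that a one-bit change to the working copy is caught while the vault copy still matches. The file names and the sample dump bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so a large dump need not fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the lowercase hex digest of a file, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(path, expected_hex, algorithm="sha256"):
    """True if the file's digest matches the recorded one (constant-time compare)."""
    return hmac.compare_digest(hash_file(path, algorithm), expected_hex.lower())


def preserve_and_check(dump_bytes, workdir=None):
    """Store a best-evidence copy read-only, make a working copy, then verify the
    working copy before and after a one-bit alteration. Returns the results."""
    if not dump_bytes:
        raise ValueError("empty dump: nothing to preserve")
    if workdir is None:  # no directory given: use a scratch one and clean it up
        with tempfile.TemporaryDirectory() as tmp:
            return preserve_and_check(dump_bytes, tmp)
    best = os.path.join(workdir, "best_evidence.bin")  # constructed file names
    working = os.path.join(workdir, "working_copy.bin")
    with open(best, "wb") as fh:
        fh.write(dump_bytes)
    recorded = hash_file(best)  # this digest is kept alongside the vault copy
    os.chmod(best, 0o444)       # strip write bits so ordinary writes fail
    shutil.copyfile(best, working)  # working copy gets the default, writable mode
    before = verify_copy(working, recorded)
    with open(working, "r+b") as fh:  # simulate accidental alteration: flip one bit
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0x01]))
    return {"recorded": recorded,
            "working_before": before,                          # True: faithful copy
            "working_after": verify_copy(working, recorded),   # False: altered
            "best_intact": verify_copy(best, recorded)}        # True: untouched


if __name__ == "__main__":
    # Constructed stand-in for an acquired phone dump, not real device data.
    sample = b"CONSTRUCTED SAMPLE DUMP: contacts, sms, call log\n" * 1000
    print(preserve_and_check(sample))
```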
The next steps are to determine what kind of information has been collected, to document that it has been collected, and to identify evidence that is relevant to the case at hand. Again, forensics tools can help considerably, but you can instead use built-in commands such as grep, egrep and fgrep in combination with pipes, as well as tools such as Splunk, to locate specific words, word combinations, files with certain extensions, and so on. In conventional computing systems, perpetrators hide information in a variety of ways—using slack space, marking sectors in which certain information is written as bad, using steganography, and more. To the best of my knowledge, perpetrators are not currently using these information-hiding methods in smartphones, although they could hide information in Word and HTML documents if they desired.
Some of the data stored on a smartphone are likely to have been deleted. You may nevertheless be able to recover these data. The trick is to use the restore function built into many smartphones, which brings back deleted data provided they have been backed up.
Some of the types of information on smartphones that may prove of interest to an investigation include:
• Call history—to discover with whom the smartphone owner has talked, when, how long, and so on
• Contacts in the address book
• Information stored in files
• Email, IM and SMS message content
• Camera and multimedia images
• Calendar information
• Music (in some investigations, especially music that might have been illegally copied)
It should once again be evident that although the processes and procedures for forensics investigations of conventional computing systems and of mobile devices share many similarities, many critical differences also exist. For the reasons stated in the first blog entry in this series, the need for forensics on mobile computing devices is going to grow dramatically over time. It is thus imperative that information security professionals learn all they can about this area and prepare well in advance for the inevitable onslaught of cases in which forensics investigations involving these devices are required. At a minimum, you need to create and test mobile-device-specific forensics procedures and acquire the necessary hardware and software well in advance of the situations in which they will have to be used.