Mobile forensics after factory reset


Alistair
Member
 

Mobile forensics after factory reset

Posted: May 03, 13 16:29

Hello all,

So first of all, let me introduce myself. My name is Alistair and I am currently doing research on BYOD (Bring Your Own Device) implementation in enterprise environments and the security associated with these policies. My main focus is on the Mobile Device Management (MDM) software that enables BYOD practices to be implemented throughout the enterprise.
Most MDM software professes the ability to secure company assets residing on a smartphone or tablet device by issuing a remote wipe (full or selective), thereby making any sensitive information on the device unrecoverable. I am researching the remote wipe concept and analyzing whether it is secure enough for business or not.

Now that we have the introduction out of the way, I want to say first that this forum is amazing. I have been a lurker for a while and the amount of expertise and community support here is incredible; really great job bringing the forensics community together. Now, I have only just begun looking into mobile forensics, so bear with me if some of what I say is incorrect.

So, from my research I know that the iPhone (starting with the 3GS) provides hardware encryption, and a remote wipe basically destroys the encryption keys, making any data recovered pretty much useless. I have looked everywhere and, presently, there seems to be no way to recover the hardware encryption keys short of plugging some complex device into the CPU and extracting them (which would be a lot of manual work for your average person). Therefore, I can safely say that Apple has implemented the security aspect of mobile devices in an enterprise environment impeccably.

Now, with Android devices there is a lot of fragmentation: many devices use the open source Android platform and implement it in various ways. Also, all Android devices use NAND flash as internal storage, so erasing is a complicated task (writing is done on a page basis and erasing is done on a block basis). NAND flash calls the garbage collector when the entire block is marked as unused and then proceeds to do a block erase. If one page in that block is still being used, all unused pages in that block will be recoverable.

So my question is twofold. First, if anybody has any BYOD experience in the company they work for, would a remote wipe executed on an Android device be sufficient? (Given the restrictions flash storage imposes, I highly doubt this.) Second, I have dumped the physical image of an Android tablet after remotely wiping it (by rooting it and issuing a 'dd' command to dump the entire mmcblk0 partition); what tools do you use, or would be ideal, for file carving on this raw image file?

If you have read this far, thanks for taking the time!

All help is greatly appreciated.
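
The page-versus-block behaviour and the "dd then carve" workflow from the post above, as an added example that is not part of the thread: a toy NAND flash with a minimal flash translation layer (out-of-place page writes, block-granular erase, a garbage collector that only reclaims blocks with no live page), plus a header/footer signature carver run over the raw dump. The geometry, the two-entry signature table, the "directory" sector and the file contents are all constructed for the demo; the three reset modes are assumptions about what a reset routine might do, not a description of any specific Android build.

```python
"""Added example (not from the thread): a toy NAND/FTL model plus a header/footer
carver, to show why a filesystem-level factory reset leaves data that a `dd` image
and carving recover, and why a block is only reclaimed once none of its pages is live."""
import re

PAGE = 256             # bytes per page (real parts: 2 to 16 KiB)
PAGES_PER_BLOCK = 4    # real parts: 64 to 256 pages per erase block
BLOCKS = 8
ERASED_PAGE = b"\xff" * PAGE   # erased NAND reads back as all ones

# header/footer pairs the carver looks for (constructed subset of the usual table)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

class NandFlash:
    """Pages are programmed individually; only whole blocks can be erased."""

    def __init__(self):
        self.pages = [bytearray(ERASED_PAGE) for _ in range(PAGES_PER_BLOCK * BLOCKS)]
        self.state = ["erased"] * len(self.pages)   # erased | live | stale
        self.lba_map = {}                            # logical sector -> physical page

    def write_sector(self, lba, data):
        """Out-of-place write: program the next erased page, retire the old one."""
        if lba in self.lba_map:
            self.state[self.lba_map[lba]] = "stale"
        phys = self.state.index("erased")            # ValueError once the flash is full
        self.pages[phys][:len(data)] = data
        self.state[phys] = "live"
        self.lba_map[lba] = phys
        return phys

    def discard(self, lbas):
        """TRIM/discard: the filesystem tells the FTL these sectors are now free."""
        for lba in lbas:
            if lba in self.lba_map:
                self.state[self.lba_map.pop(lba)] = "stale"

    def garbage_collect(self):
        """Erase a block only when nothing in it is live; stale pages sharing a block with a live page survive."""
        erased = []
        for b in range(BLOCKS):
            idx = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
            states = {self.state[i] for i in idx}
            if "stale" in states and "live" not in states:
                for i in idx:
                    self.pages[i][:] = ERASED_PAGE
                    self.state[i] = "erased"
                erased.append(b)
        return erased

    def secure_erase(self):
        """Device-level secure erase: every block goes, mapped or not."""
        for i in range(len(self.pages)):
            self.pages[i][:] = ERASED_PAGE
            self.state[i] = "erased"
        self.lba_map.clear()

    def dump(self):
        """What `dd if=/dev/mmcblk0` hands the examiner: the physical pages in order."""
        return b"".join(bytes(p) for p in self.pages)

def carve(image):
    """Return (type, offset, complete) per header found; complete means a footer follows it."""
    hits = []
    for name, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            hits.append((name, m.start(), image.find(foot, m.end()) != -1))
    return sorted(hits, key=lambda h: h[1])

def write_file(flash, first_lba, data):
    """Split a file over consecutive logical sectors; returns the sectors used."""
    lbas = []
    for n, off in enumerate(range(0, len(data), PAGE)):
        flash.write_sector(first_lba + n, data[off:off + PAGE])
        lbas.append(first_lba + n)
    return lbas

def factory_reset(mode):
    """Populate a tiny 'filesystem', reset it in the given way, then carve the dump.
    mode: 'reset' (directory rewritten only), 'reset_discard' (plus TRIM of the freed sectors), 'secure_erase'."""
    flash = NandFlash()
    flash.write_sector(0, b"DIR: photo.jpg@1 chart.png@4")          # constructed directory page
    photo = write_file(flash, 1, SIGNATURES["jpeg"][0] + b"corporate photo " * 40 + SIGNATURES["jpeg"][1])
    chart = write_file(flash, 4, SIGNATURES["png"][0] + b"corporate chart " * 30 + SIGNATURES["png"][1])
    if mode == "secure_erase":
        flash.secure_erase()
    else:
        flash.write_sector(0, b"DIR: (empty)")       # the reset writes a fresh, empty directory
        if mode == "reset_discard":
            flash.discard(photo + chart)            # ...and, if it issues TRIM, frees the data sectors
        flash.garbage_collect()
    return [(name, complete) for name, _, complete in carve(flash.dump())]
```

Running `factory_reset("reset")` carves both files intact, because rewriting the directory never told the FTL the data pages were free. `factory_reset("reset_discard")` still carves the PNG: the freshly written directory page landed in the PNG's erase block, so that block has a live page and the collector leaves its stale neighbours alone, which is exactly the "one page still in use" case from the post. Only `factory_reset("secure_erase")` returns nothing. A real examiner would swap `SIGNATURES` for a full table (or hand the image to a carving tool) but the mechanism is the same.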
 
  

jaclaz
Senior Member
 

Re: Mobile forensics after factory reset

Posted: May 03, 13 17:40

Hello Alistair, welcome to the board.

I have no experience with the specific matter of your request but, if I may, can I ask a couple of questions about BYOD?

If I get it right, the scope of the research is to find a way to "plant" in my personally owned device *something* (or access something like the remote iPhone wiping) that allows my employer (read as "the enterprise" or the wacky IT guy in the enterprise), at his will and without my consent, to completely wipe my smartphone or tablet contents (including each and every one of my personal data, contacts, messages and what not)?

Is this what MDM software does (or is intended to do)?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Alistair
Member
 

Re: Mobile forensics after factory reset

Posted: May 03, 13 17:44

Hello jaclaz,

Indeed, this is the case. Of course the remote wipe would occur if you lost the device or someone stole it. But let's say you lost it, the remote wipe occurred, and then you found out. Say goodbye to all your stuff on it.

Some MDM companies also say they have the ability to selectively wipe only company data, but I am not too sure that works. But yeah, in summary, the company can remotely wipe your device if you enrolled it in their BYOD policy.
 
  

Patrick4n6
Senior Member
 

Re: Mobile forensics after factory reset

Posted: May 03, 13 23:26

You must understand that privacy is different in the US, Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

Alistair
Member
 

Re: Mobile forensics after factory reset

Posted: May 04, 13 02:04

Indeed, that is what the top MDM providers are aiming to do, but coming back to my question: is a secure erase on an Android device possible? Most remote wipe procedures are just a push notification to call the "reset to factory settings" command, but I have demonstrable proof that it is not enough (dd the partitions you are interested in, carve them and retrieve deleted files).

Actually, what I want to know is: is there a way to securely wipe an Android device without wearing out the flash storage? For example, a call to the native NAND flash secure erase command (I think it differs from brand to brand, but an ATA Secure Erase wipes the flash back to factory settings, from what I know).

Any experienced forensics experts care to shed some light on this?

Thanks!  
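
The key-destruction approach mentioned for the iPhone in the first post, which is also the answer to the "wipe without wearing out the flash" question just above, as an added example that is not part of the thread: data is only ever written encrypted under a device key that lives in one small, separately erasable slot, so a wipe rewrites that slot once and leaves every data page untouched. Everything here is constructed: the store layout, the sample file, and the cipher, which is HMAC-SHA256 in counter mode standing in for the AES modes real devices use so that the example runs on the standard library alone.

```python
"""Added example (not from the thread): crypto-erase. Files are stored encrypted under
a key held in one effaceable slot; a wipe overwrites that slot rather than the data.
HMAC-SHA256 in counter mode stands in for AES so only the standard library is needed."""
import hashlib
import hmac
import os

JPEG_HEADER = b"\xff\xd8\xff\xe0"

def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    The same call encrypts and decrypts. It is a demo substitute, not a replacement for AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class EncryptedStore:
    """A data area plus a separately erasable key slot (the effaceable-storage idea)."""

    def __init__(self, key=None):
        self.key_slot = key or os.urandom(32)   # device key minted at first boot (random for the demo)
        self.data_area = {}                     # name -> (nonce, ciphertext)

    def write(self, name, plaintext):
        nonce = os.urandom(16)                  # fresh per write; never reuse a nonce under one key
        self.data_area[name] = (nonce, keystream_xor(self.key_slot, nonce, plaintext))

    def read(self, name):
        nonce, ct = self.data_area[name]
        return keystream_xor(self.key_slot, nonce, ct)

    def remote_wipe(self):
        """Crypto-erase: overwrite only the key slot. One small write, no wear on the
        data pages, and every existing file is unreadable from this point on."""
        self.key_slot = os.urandom(32)

    def raw_dump(self):
        """The physical image an examiner would dd: nonces and ciphertext, nothing else."""
        return b"".join(nonce + ct for nonce, ct in self.data_area.values())

def wipe_demo():
    """Store a constructed 'corporate photo'; report what the device and a raw image
    show before and after the wipe."""
    store = EncryptedStore()
    photo = JPEG_HEADER + b"corporate photo " * 40 + b"\xff\xd9"
    store.write("photo.jpg", photo)

    def observe():
        return {"readable": store.read("photo.jpg") == photo,
                "header_in_dump": JPEG_HEADER in store.raw_dump()}

    before = observe()
    store.remote_wipe()
    after = observe()
    return before, after
```

`wipe_demo()` returns `({"readable": True, "header_in_dump": False}, {"readable": False, "header_in_dump": False})`: even before the wipe a carver sees no JPEG header in the raw image, because only ciphertext ever touches the flash, and after the wipe the device itself can no longer decrypt. Two caveats a practitioner would check before trusting this on a real device: the key slot must itself be reliably erasable (if it sits in ordinary NAND with the same wear-levelling as the data, old copies of the key may linger), and any data written before encryption was enabled, or any unencrypted copy such as a swap or log, is not protected by destroying the key.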
 
  

trewmte
Senior Member
 

Re: Mobile forensics after factory reset

Posted: May 04, 13 06:28

Alistair

Some links:

Windows version of How to wipe a BlackBerry device remotely
support.microsoft.com/kb/2575026

Blackberry version of How to set a Remote Wipe on Blackberry Enterprise Express server
supportforums.blackber...d-p/554158

Also read this
supportforums.blackber...d-p/529618

Here is a case of unintended remote wiping - Samsung smartphones vulnerable to remote data wipe
news.cnet.com/8301-100...ta-wipe/#!

Also, how would remote wiping work in the absence of wireless coverage?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

jaclaz
Senior Member
 

Re: Mobile forensics after factory reset

Posted: May 04, 13 10:18

- Patrick4n6
You must understand that privacy is different in the US Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

This has nothing to do with "privacy"; it has to do with the integrity of personal data and with the possibility that a third party (which may or may not be reliable/fair/etc.) has the ability to wipe them without my consent.
We have already had a few known "real life cases" of remote "iThings" being wiped (and in that case the "mess" was caused by the good Apple guys, who were tricked by a hacker):
www.emptyage.com/post/...acked-hard
I.e. the issue is not with the "Enterprise" having access to "my" personal data on "my" device (access that I can prevent anyway) but that there can be a mechanism to completely wipe "my" device (including "my" personal data), accessible/triggerable by someone that provides no particular guarantee of "security" nor "reliability", and that can do that without my consent, and remotely.

- Patrick4n6

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.

Which would be perfectly fine with me.
Enterprise can wipe "their" data from my device.
I can wipe "my" data from my device.
Everyone wipes their own stuff and is happy.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
