
Mobile forensics help from the beginning!

3 Posts
3 Users
0 Likes
259 Views
(@dsiddall)
Posts: 4
New Member
Topic starter
 

Hi,

I may be in the wrong forum here - I would appreciate being redirected if so - but I am set to do a mobile forensics examination from scratch on either Android or iPhone (I will find out shortly) and it is an area that has never been covered at University.

Would anybody be able to provide me with some guidance, tips, how-tos, recommendations etc. so I am able to perform a successful examination? I am currently looking through Google and YouTube in the hope of finding something!

Any help would be greatly appreciated.

Thank you!

 
Posted : 03/08/2016 4:32 pm
citizen
(@citizen)
Posts: 38
Eminent Member
 

Make sure your first responders keep power to the device and use a Faraday bag (disable the radio if they can). Also, check out Black Bag Technology; they have free tool training that provides some low-hanging fruit for both examinations and first response. Depending on *factors* such as the state of the device and the OS, this will dictate a lot of the next steps.

 
Posted : 03/08/2016 4:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Generic steps being:
1) isolate the device from the network (both GSM and Wi-Fi) as best as you can
2) keep the device powered (do not let the battery die)
3) image the device (through either physical extraction if possible, or logical extraction if physical is not possible)
4) carry out any forensic analysis on the extracted image and never on the device
5) … unless it is not possible - for *whatever* reasons - to do steps #3 and #4; of course, if you are going to work on the device directly, document (video record) any interaction with the device
6) if #3 and #4 are not possible (again for *whatever* reason), the best choice (better than #5) would be to do a chip-off extraction, though this will require additional tools and training.

While you are in the studying or training stage you can ignore step #1, all right; of course, no one is going to remote-erase your own test device or alter its contents remotely, and even a forced software update or similar won't do much damage, but you should be aware of how relevant it is in "real" cases.

The issue in a university/training/studying context might be the availability of appropriate hardware and software tools. The sheer minimum hardware is relatively low cost, but what is used in the industry is usually proprietary (please read as expensive), and the mainly used software is also commercial (again, the most widely used programs are not particularly cheap), though many programs do have limited versions to try, or (example, not any form of recommendation/endorsement) there is a Community Edition of NowSecure tools
https://www.nowsecure.com/forensics/community/
suitable for Android forensics.

The good part of being a student (and by definition having a limited budget) is that you will need to get familiar with a number of free tools that tend to be simpler/more limited in scope (though possibly more complex to use) than what is available commercially, which will allow you, as a side effect, to get more familiar with the inner workings of the tools and of the devices (as opposed to the "push-button" forensics approach that more advanced tools allow).

jaclaz

 
Posted : 03/08/2016 7:23 pm
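As an added example (not code from any poster in this thread), a small Python helper for steps 3 and 4 above: hash the extracted image once at acquisition, record it in a manifest, copy it, and verify the working copy before and after analysis so the original is never touched. The device label, examiner name and image bytes are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a large physical image need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(image_path, device_label, examiner):
    """Record the original image hash once, right after extraction (step 3)."""
    manifest = {
        "device": device_label,          # placeholder label, not a real device
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
    }
    with open(image_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(path, manifest):
    """True only if the file still matches the hash taken at acquisition."""
    return sha256_file(path) == manifest["sha256"]


def demo():
    """Simulate step 4: analyse a working copy and catch any accidental change."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "phone_physical.bin")
    with open(original, "wb") as fh:          # constructed stand-in for a real image
        fh.write(bytes(range(256)) * 64)
    manifest = write_manifest(original, "TEST-DEVICE-01 (placeholder)", "student")
    working = os.path.join(workdir, "phone_physical.work.bin")
    shutil.copyfile(original, working)        # all analysis happens on this copy
    ok_before = verify(working, manifest)
    with open(working, "r+b") as fh:          # simulate a tool writing to the copy
        fh.seek(10)
        fh.write(b"\x00")
    ok_after = verify(working, manifest)
    original_intact = verify(original, manifest)
    return ok_before, ok_after, original_intact
```

Running `demo()` returns `(True, False, True)`: the copy verifies before analysis, fails after the simulated write, and the original image still matches its manifest.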