
Mobile Device Acquisitions in Enterprise

jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

This may be a stupid question, but I'm going to ask. :D

How do you handle enterprise mobile device acquisitions? Do you have the user ship their phone to you? Do you send your dongle (we use Oxygen) to them and remote into their box to do the acquisition? Is there an enterprise-level solution that runs an agent (thinking EnCase here) that would allow you to acquire their mobile device if they connected it to their computer?

The situation that I'm in now may require mobile device acquisitions for eDiscovery, and I'm not entirely sure how I'm going to pull these devices should they be requested.

Thanks!

 
Posted : 19/10/2016 8:45 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

> Do you send your dongle (we use Oxygen) to them and remote into their box to do the acquisition?

Really? Ship the dongle to me for Mobile Device Acquisition in Enterprise. :D

 
Posted : 19/10/2016 9:51 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

While I can appreciate the humor, can you offer anything more constructive?

 
Posted : 20/10/2016 12:09 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hello,

If the smartphones are iPhones and iCloud backup is turned on, then you could use Elcomsoft's PhoneBreaker software to perform the collections without needing to have the physical phones shipped to you.

I have also performed remote collections by having the user join a web meeting (I use Zoom.us), connect their iPhone to their workstation, and then use iTunes to create a password-protected mobile backup of their iPhone.

I will include a copy of FTK Imager on a BitLocker-encrypted external USB drive, which I use to create a forensic image of the workstation. Once I receive the external USB drive, I use Cellebrite to process the mobile backup of the iPhone extracted from the FTK Imager-created forensic image.

If you only need to perform a remote collection of the iPhone and not the employee's workstation, you can still use FTK Imager to create a forensic image of the mobile backup, typically located at \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

Regards,

Larry

 
Posted : 21/10/2016 3:39 am
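
Added example (not part of the post above, and not code from any tool named in this thread): a Python sketch that inventories the iTunes backup folders under the MobileSync\Backup path mentioned above, records from each `Manifest.plist` whether the backup really is password-protected (`IsEncrypted`), and hashes every file so the copy can be verified after transfer. The function names and the sample folder are constructed for illustration; `Device Name` and `IsEncrypted` are keys iTunes writes to `Info.plist` and `Manifest.plist`.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def read_plist(path):
    """Return the plist as a dict, or {} when it is missing or unreadable."""
    try:
        return plistlib.loads(Path(path).read_bytes())
    except (OSError, ValueError, ExpatError):
        return {}

def inventory_backups(backup_root):
    """Describe every backup folder under MobileSync/Backup and hash its files."""
    results = []
    for folder in sorted(p for p in Path(backup_root).iterdir() if p.is_dir()):
        info = read_plist(folder / "Info.plist")
        manifest = read_plist(folder / "Manifest.plist")
        files = sorted(p for p in folder.rglob("*") if p.is_file())
        results.append({
            "backup_id": folder.name,
            "device_name": info.get("Device Name"),
            # None means Manifest.plist was missing or unreadable: follow up.
            "encrypted": manifest.get("IsEncrypted"),
            "hashes": {p.relative_to(folder).as_posix(): sha256_file(p) for p in files},
        })
    return results

def build_sample(root):
    """Constructed sample: one fake encrypted backup folder, not real device data."""
    folder = Path(root) / "constructed-backup-0001"
    folder.mkdir()
    (folder / "Info.plist").write_bytes(plistlib.dumps({"Device Name": "Test iPhone"}))
    (folder / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": True}))
    (folder / "ab12cd").write_bytes(b"constructed payload")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for b in inventory_backups(tmp):
            print(b["backup_id"], b["device_name"], b["encrypted"], len(b["hashes"]))
```

Running the inventory once on the user's workstation and again on the received copy, then comparing the two hash dictionaries, shows whether anything changed in transit.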
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

We got an enterprise level mobile device acquisition solution for mostly any mobile device, but it is not a public solution and only our LEO customers can use it. If you are LEO, consider PMing me.

 
Posted : 21/10/2016 2:11 pm
(@randy_randerson)
Posts: 24
Eminent Member
 

Jetsetter. Vendors cost too much to do anything other than possibly one phone acquisition and send it to me to do analysis. I fly on average 2x a month to varying locations. It is cheaper and more relaxing for the employee to have another employee doing it than some random person who most likely doesn't care what the outcome of the complaint is other than if they'll get paid on time. It's a pro for me because I'm gone for literally a day and get to see a new place I probably wouldn't have gone before. Not to mention those miles add up and between status and miles, free vacation trip. Pro for my company because I can provide real-time analysis and results before I even touch down back at our HQ.

 
Posted : 21/10/2016 10:19 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

We do all this as a service for our LE customers without any logistics or traveling needed :) I think the OP asked for a solution like that, no?!

 
Posted : 21/10/2016 11:52 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Thank you everyone. I've thought about traveling if needed, but if it's an acquisition of a single device, I'm not sure the company would agree to send me out. It's always a possibility. I've also contacted Cellebrite to see if they have any ideas as well. I appreciate everyone's comments…

Thanks!

 
Posted : 24/10/2016 4:30 pm
(@randy_randerson)
Posts: 24
Eminent Member
 

> Thank you everyone. I've thought about traveling if needed, but if it's an acquisition of a single device, I'm not sure the company would agree to send me out. It's always a possibility. I've also contacted Cellebrite to see if they have any ideas as well. I appreciate everyone's comments…
>
> Thanks!

So this got long

Don't contact Cellebrite. Contact someone like Ernst and Young or Kroll Cyber. I'm sure they have people on this board. They will be able to provide you with quotes and how quick it could be.

Now if you actually want to do this on your own, then I'll throw some things out there to approach your leadership with.

First, nothing is better than doing the analysis on a device YOU have acquired. You are the sole holder of it, which means the Chain of Custody is less likely to be tainted based on whoever you hired to do the acquisition. So why not have the vendor do the analysis? Well, it's all about money, right? Many of these companies are not going to do this for free (far from it) and will most likely charge you an hourly rate around $200-$400 an hour to do what you are providing for FREE since you are employed by the company.

Now it all depends on where you are flying to. If you are stateside and going from say New York to Boston or New York to LA, it shouldn't be that MUCH more expensive to send you out as opposed to retaining the use of a vendor in that location. Not to mention if you are dumping a phone it is because of something going on. They most likely want those results ASAP. Being able to provide those results same day would increase customer satisfaction and also less on your plate at home since you were able to dedicate a day to this whole process and it's done and over with before you even go home for dinner.

You said Cellebrite, so I'll assume you have the Touch device. Not cheap was it? The more of these you do out in the field, the more it is justified to having that device. If you are going to send vendors to do this, why even have it?

And as I mentioned in my last post, you are an employee of your company and the person you are dumping the phone of is most likely from your company. They are most likely having it done because of legal matters. They are stressed. Having someone from the company doing this shows the company cares about them to get this resolved as quickly as possible and puts a human element within this job that you should care about what your results are whether good or bad.

Last but not least, make a shadow bill when you do it. Tell them you want to travel at least ONCE to Proof of Concept and then match that up with whatever quote you were to get. Bill for everything they would have. At the end of it put down how much of it was free because you are employed there. The last one I did a few weeks back would have been close to $5k in services rendered if they went with a vendor. Putting that number out there ALWAYS gets the attention of your finance people.

 
Posted : 24/10/2016 5:18 pm
(@belkasoft)
Posts: 169
Estimable Member
 

> If the smartphones are iPhones and iCloud backup is turned on, then you could use Elcomsoft's PhoneBreaker software to perform the collections without needing to have the physical phones shipped to you.

You can also use the free Belkasoft Acquisition Tool at https://belkasoft.com/bat for cloud downloading (as well as mobile device acquisition).

 
Posted : 24/10/2016 8:24 pm