Attempting to obtain evidence of espionage. No success.

(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

I know the following story may sound strange to most, but for argument's sake, just assume I'm right.

I have been attempting to perform a forensic examination on a smartphone that is suspected to have been bugged by a former employer.

I have so far been unsuccessful in obtaining results.

My first attempt involved a smaller mom-and-pop data lab operation. Initially I was told it would cost $600. When I got there I was told to pay only $300, and only IF something was found would I pay the remaining $300. He said things like "I hate to see people throwing away money", etc.

This sounded a little weird to me, as they were already trying to convince me before any examination was performed that I was being paranoid for nothing, and telling me stories of other clients who "thought they had spyware" but turned out not to be the case. He was certain nothing would be found.

I initially requested same day service (it was a Thursday). Once I got there I was told next day afternoon. I was hesitant but agreed.

Once I got home, I received an email stating that they would need more time with the phone and to call them next Monday.

Without warning I returned the next morning to retrieve my device. The guy was obviously distraught, saying I had "caught him off guard" and telling me I owed him $300 more. He refused to provide me with any data or to tell me what was done, whether anything was found, etc. I do have that final conversation recorded.

Once I had the device back in my possession, I attempted to drain the battery again by turning it on and running apps when I could. On the final boot, close to when the battery was drained, it started "optimizing apps". The phone is a Nexus 4, so it is not so easy to simply remove the battery.

I didn't let the "optimizing apps" complete until I went to another examiner, a larger security firm. We let the phone continue optimizing apps before attempting a physical extraction. Upon completion, the phone's time and date were reset, and the examiner was unable to perform a physical extraction because Cellebrite was unable to read the hard drive (error 13).

While I was at the office of the larger security firm, my examiner called the previous examiner while I was there (I also recorded the call) and he confirmed that a full physical image was obtained.

Due to the nature of what's at stake, my suspicion is that the initial examiner may have been paid off to tamper with evidence. My questions are:

#1 If anything such as spy apps or any info was removed, or secure delete was attempted, would this be recoverable?

#2 Would the "optimizing apps" on boot have affected anything crucial?

Any information or advice would be greatly appreciated.


LANGWONDE
(@langwonde)
Active Member
Joined: 11 years ago
Posts: 19
 

I know the following story may sound strange to most, but for argument's sake, just assume I'm right.

#1 If anything such as spy apps or any info was removed, or secure delete was attempted, would this be recoverable?

#2 Would the "optimizing apps" on boot have affected anything crucial?

Any information or advice would be greatly appreciated.

What a long story, exciting…
AFAIK:

1. If the app is removed or deleted, it is not recoverable.

2. Maybe it has some effect.

And in my experience Cellebrite's PA can analyze the spy apps if they are still on the phone.


(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

If this was a personal device, then a potential criminal act would have been committed, and this should have gone straight to the police.

Personal device which I believe to have been bugged since purchase.

What I suspect is that the device itself has been modified, including the recovery partition, to re-install the software even after a factory reset. It is doubtful, however still possible, that an attempt to remove evidence was made while the phone was in the possession of the first examiner for 24 hrs.

The reason I say doubtful is that they tried to buy another four DAYS worth of time, which is what I suspect would have been time to get it into the hands of the right people for the job to remove the evidence.

I took it to a second examiner and was able to be in the lab with him, however, when attempting to perform a physical extraction, Cellebrite was unable to read the hard drive and we were not able to get anything.

He called the first examiner while I was there, I recorded the conversation. He claimed to have performed a full image extraction, however, refused to provide me the data because I "pulled my phone away".

It's very obvious something fishy was going on.


(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

In the event that something were removed/scrubbed, would the physical extraction be able to determine "when" a file was removed?

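On the question of whether a physical image can show when a file was removed: on an ext4 /data partition such as the Nexus 4's, each inode carries an i_dtime field that the filesystem fills in at unlink, while the extent map is emptied at the same time, so the inode records when but no longer where. This added example (not from the thread or from any Cellebrite product) parses constructed raw inodes to show both facts; the sample inodes and timestamps are constructed, not taken from any real device.

```python
import struct
from datetime import datetime, timezone

# Fixed 128-byte ext4 inode, offsets from the ext4 on-disk layout: 0x00 i_mode,
# 0x02 i_uid, 0x04 i_size_lo, 0x08 i_atime, 0x0C i_ctime, 0x10 i_mtime,
# 0x14 i_dtime (deletion time), 0x18 i_gid, 0x1A i_links_count, 0x1C i_blocks_lo,
# 0x20 i_flags, 0x28 i_block (60 bytes; an extent tree when EXT4_EXTENTS_FL is set)
_HEAD = struct.Struct("<HHIIIIIHHII")   # bytes 0x00..0x23
_EXT_HDR = struct.Struct("<HHHHI")      # eh_magic, eh_entries, eh_max, eh_depth, eh_generation
EXT4_EXTENTS_FL = 0x80000
EXT4_EXT_MAGIC = 0xF30A

def parse_inode(raw: bytes) -> dict:
    """Decode timestamps, link count and extent-header state of one raw inode."""
    (mode, _uid, size_lo, atime, ctime, mtime, dtime,
     _gid, links, _blocks, flags) = _HEAD.unpack_from(raw, 0)
    entries = None
    if flags & EXT4_EXTENTS_FL:
        magic, entries, _mx, _depth, _gen = _EXT_HDR.unpack_from(raw, 0x28)
        if magic != EXT4_EXT_MAGIC:
            entries = None              # header wiped or not an extent-mapped inode
    return {"mode": mode, "size": size_lo, "links": links, "atime": atime,
            "ctime": ctime, "mtime": mtime, "dtime": dtime,
            "deleted": links == 0 or dtime != 0, "extent_entries": entries}

def _iso(t: int) -> str:
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def summarize(raw: bytes) -> str:
    """One-line verdict: live file, or deleted file with its recorded deletion time."""
    i = parse_inode(raw)
    if not i["deleted"]:
        return "live, modified %s, %s extent(s)" % (_iso(i["mtime"]), i["extent_entries"])
    where = "%d extent(s) left" % i["extent_entries"] if i["extent_entries"] else "no extents recorded"
    return "deleted at %s (ctime %s), %s" % (_iso(i["dtime"]), _iso(i["ctime"]), where)

def make_inode(mtime: int, ctime: int, dtime: int = 0, links: int = 1,
               size: int = 0, extents: int = 1) -> bytes:
    """Constructed sample inode for the demo; not taken from any real device."""
    raw = bytearray(128)
    _HEAD.pack_into(raw, 0, 0o100644, 1000, size, mtime, ctime, mtime, dtime,
                    1000, links, 8 * extents, EXT4_EXTENTS_FL)
    _EXT_HDR.pack_into(raw, 0x28, EXT4_EXT_MAGIC, extents, 4, 0, 0)
    return bytes(raw)

# Constructed: a file written at 1400000000 and unlinked 86400 s later; on unlink
# ext4 sets i_dtime, drops i_links_count to 0 and empties the extent tree.
LIVE = make_inode(mtime=1400000000, ctime=1400000000, size=4096)
GONE = make_inode(mtime=1400000000, ctime=1400086400, dtime=1400086400, links=0, extents=0)
```

The dtime only survives while the inode is not reused, and a reformat or reflash of the partition discards every inode, so a device that has passed through unknown handling may carry no deletion record at all.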
(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

Some interesting things to note.

I turned on my phone, under "recent apps" there was a window with the heading "spotter". Green Android logo in the header, box was blank. Upon googling, Spotter appears to be a GPS tracking app I never installed.

Attempting to boot into safe mode, I ended up looking over some logs. In the logs I noticed another suspicious app, "FaceLock.apk", which I certainly didn't install.

This tells me there are in fact hidden apps still on the phone.

What would have caused Cellebrite to be unable to read the data on the drive? Truly mind boggling.


(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

Unless you can provide an error log or error message I could only speculate why it didn't work.

"cannot read phone memory" error# 13


(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

Which version are you using?

I'm not sure; I'll have to double-check the generated report a little later on. We were able to successfully perform a logical extraction.


(@nexus21)
Active Member
Joined: 9 years ago
Posts: 9
Topic starter  

Which version are you using?

UFED Physical Analyzer Version 5.2.0.213


passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

I have some presumption about what happened, so please treat it as a presumption and not as a fact!

The dude at the first company tried to make a physical image of the phone. But… he couldn't! Even with the latest UFED version, some physical acquisitions can be done only if the phone is rooted. This is where I presume that things went wild. He tried to auto-root the device without much success; most probably there was support for the model number, but not for your exact firmware version. After this failure, the phone got bricked. The dude panicked and used Odin to put a working firmware back on the phone, so the phone would work at all. The firmware he flashed was probably from an unsafe place and it might contain bloatware or a backdoor. And there you are now…

If the device data was tampered with, the device is void for forensic analysis.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If the device data was tampered with, the device is void for forensic analysis.

Well, from the OP's report - besides whether the data has been tampered with - there is no proper chain of custody, and - besides, reportedly *everything* and the contrary of *everything* has been done on that phone, largely by unqualified (or not qualified enough) personnel without any proper documentation - so, even if in reality not a single byte was modified, it would not be acceptable as evidence from a procedural viewpoint in *any* actual legal proceeding.

If I may, the OP's story is a bit "strange" (no offense intended); I am failing to see some connections between the "mom and pop lab" initial choice, the sudden decision to retrieve the device as soon as the lab asked for more time, the attempt to drain the battery (why?), and the suspicion that the lab technician has been paid for hiding something.

I mean, IF the lab technician was paid for hiding something, he would most probably have worked all night (if needed) and not attempted to delay the deadline for the report.

On the other hand, a "high priority" or "relevant" case would have excluded from the beginning asking the "mom and pop" lab, and anyway it is, to say the least, unusual that the lab on one hand admitted having made a "full physical image" and on the other refused to provide it.

If I get this right, the whole thing was started by the suspicion that a "former employer" managed to *somehow* install spying software on a personal device; as P_R_H stated, that would be in most countries a criminal offence and something that should have been reported to the Police or otherwise handled professionally after having consulted a lawyer.

jaclaz

