Notifications

Clear all

Attempting to obtain evidence of espionage. No success.

Nexus21 · 2016-08-29T20:18:47Z

I know the following story may sound strange to most, but for arguments sake, just assume I'm right.I have been attempting to perform a forensic examination on a smartphone that has suspected to be bugged by a former employer. I have so far been unsuccessful in obtaining results. My first attempt involved a smaller mom and pop data lab operation. Initially I was told it would cost $600. When I got there I was told to only pay $300 and only IF something was found I would pay the remaining $300. He said things like I hate to see people throwing away money etc. This sounded a little weird to me, as they were already trying to convince me before any examination was performed that I was being paranoid for nothing, and telling me stories of other clients who "thought they had spyware" but turned out not to be the case. He was certain nothing would be found.I initially requested same day service (it was a Thursday). Once I got there I was told next day afternoon. I was hesitant but agreed. Once I got home, I received an email stating that they would need more time with the phone and to call them next Monday.Without warning I returned the next morning to retrieve my device. The guy was obviously distraught, saying "I caught him off guard" and telling him I owed him $300 more. He refused to provide me with any data or tell me what was done, if anything was found etc. I do have that final conversation recorded. Once I had the device back in my possession, I attempted to drain the battery again by turning it on and running apps when I could. On the final boot close to when the battery was drained, it started "optimizing apps". The phone is a Nexus 4 so not so easy to simply remove the battery. I didn't complete the optimizing apps until I went to another examiner, a larger security firm. We let the phone continue optimizing apps before attempting a physical extraction. Upon completion, the phone's time and date was reset, as well, the examiner was unable to perform a physical extraction due to Cellebrite unable to read the hard drive (error 13). While I was at the office of the larger security firm, my examiner called the previous examiner while I was there (I also recorded the call) and he confirmed that a full physical image was obtained. Due to the nature of what's at stake, my suspicion is the initial examiner may have been paid off to tamper with evidence. My questions are #1 If anything such as spy apps or any info was removed, or secure delete was attempted, would this be recoverable? #2 Would the "optimizing apps" on boot have affected anything crucial? Any information or advice would be greatly appreciated.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by passcodeunlock 9 years ago

19 Posts

6 Users

0 Reactions

1,507 Views

RSS

Nexus21

(@nexus21)

Active Member

Joined: 9 years ago

Posts: 9

Topic starter 03/09/2016 11:59 pm

If the device data was tampered, the device is void for forensics analysis.

Well, from the OP report - besides whether the data has been tampered with - there is no proper chain of custody and - besides reportedly *everything* and the contrary of *everything* has been done on that phone, largely by not qualified (or not qualified enough) personnel without any proper documentation, so - even if in reality not a single byte was modified - it would be not acceptable as evidence from a procedural viewpoint in *any* actual legal proceeding.

If I may, the OP story is a bit "strange" (no offense intended) , I am failing to see some connections between the "mom and pop lab" initial choice, the sudden decision to retrieve the device as soon as the lab asked for more time, the attempt to drain the battery (why?), and the suspect that the lab technician has been payed for hiding something.

I mean, IF the lab technician was paid for hiding something, he would have most probably worked all night (if needed) and not attempted to delay the deadline for the report.

On the other hand, a "high priority" or "relevant" case would have excluded from the beginning asking to the "mom and pop" lab, and anyway it is to say the least unusual that the lab on one hand admitted having made a "full physical image" and on the other refused to provide it.

If I get this right, the whole thing was started by the suspect that a "former employer" managed to *somehow* install spying software on a personal device, as P_R_H stated that would be in most countries a criminal offence and something that should have been reported to the Police or however handled professionally after having consulted a lawyer.

jaclaz

I understand its a very strange sounding story to those who haven't been in my shoes.

Although my first choice was a smaller operation, the examiners do have the proper certifications and the lab was featured on the CBC here in Canada for their chip-off forensics work.

No one is, however, immune to being paid off. The employer in question is a multi-national corp and will pay anything to prevent evidence from being obtained.

As far as I can tell there is no difference in the operation of the phone before and after the device was out of my possession so I am fairly confident nothing has been tampered with.

I'm going to have to let the "heat" die down for now and post pone the investigation.

ReplyQuote

RolfGutmann

(@rolfgutmann)

Noble Member

Joined: 10 years ago

Posts: 1185

04/09/2016 6:22 am

I share the view of 'passcodeunlock' as indicators of using Odin seem strong

ReplyQuote

MDCR

(@mdcr)

Reputable Member

Joined: 15 years ago

Posts: 376

04/09/2016 12:25 pm

In the UK for example business assests such as phones, computers etc Businesses have the right to monitor these devices for missue without the need of installing spyware. (Depending on the IT Policy with regards to personal use)

Then BYOD comes along and ruins the day.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

04/09/2016 2:20 pm

Then BYOD comes along and ruins the day.

Yep D , unless some aggressive MDM is implemented (OT, but somehow related)
http//www.forensicfocus.com/Forums/viewtopic/t=10567/

@Nexus21
I understand that your issues are serious, but - again no offence intended - as seen from here (and I do know how it is easy to comment from the outside and without having walked a mile in someone else's shoes ) there is not an apparent correlation between the gravity/seriousness of your suspects/allegations/presumptions and the "lightness" with which you attempted to prove/document them.

jaclaz

ReplyQuote

passcodeunlock

(@passcodeunlock)

Prominent Member

Joined: 9 years ago

Posts: 792

04/09/2016 4:34 pm

I share the view of 'passcodeunlock' as indicators of using Odin seem strong

Isn't there a way to read the exact installation date of the currently installed firmware ?! That would answer some questions.

ReplyQuote

Nexus21

(@nexus21)

Active Member

Joined: 9 years ago

Posts: 9

Topic starter 05/09/2016 2:40 am

I share the view of 'passcodeunlock' as indicators of using Odin seem strong

Isn't there a way to read the exact installation date of the currently installed firmware ?! That would answer some questions.

The million dollar question.

ReplyQuote

passcodeunlock

(@passcodeunlock)

Prominent Member

Joined: 9 years ago

Posts: 792

05/09/2016 2:42 pm

I share the view of 'passcodeunlock' as indicators of using Odin seem strong

Isn't there a way to read the exact installation date of the currently installed firmware ?! That would answer some questions.

The million dollar question.

From the previous posts, I presume you got a Samsung device there. A Samsung technician said that it is possible on some models and firmwares using the official Samsung diagnostics service programs. You should go to an official Samsung service with your device and get more details.

If you succeed getting results, give us feedback on this!

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

05/09/2016 3:17 pm

From the previous posts, I presume you got a Samsung device there. A Samsung technician said that it is possible on some models and firmwares using the official Samsung diagnostics service programs. You should go to an official Samsung service with your device and get more details.

Where OP will be probably told

The phone is a Nexus 4 so not so easy to simply remove the battery.

to go to a LG official service ….
https://en.wikipedia.org/wiki/Nexus_4

jaclaz

ReplyQuote

passcodeunlock

(@passcodeunlock)

Prominent Member

Joined: 9 years ago

Posts: 792

05/09/2016 6:09 pm

@jaclaz you funny, as always )

@Nexus21 just go to an official dedicated Samsung or LG service and ask if their service programs can tell what you need

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
199 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed