[POC] Long Distance Phone Imaging
TL;DR - Use VirtualHere ( https://www.virtualhere.com/ ) to access a mobile phone over the internet and image it as if it were in the lab.
N.B. I am in no way associated with VirtualHere other than thinking it's cool.
Last year I was introduced to the concept of a dongle server for the lab ( https://bsmuir.kinja.com/building-a-licence-dongle-server-with-a-raspberry-pi-1678930193 ). It's a wonderful thing that means you don't need to get up from your desk to get your EnCase, X-Ways, Cellebrite, etc dongles and they just magically appear on your workstation. In the lab, we'd set up a raspberry pi with two USB hubs to share all of the dongles we used it every day and it worked very well.
I recently discovered that VirtualHere has a server for Android and I got very excited. The visual from their website should show you why
To show you why exactly I got excited
Which means you can do this!
Connect a phone to another phone and image it over 3G
In the garden!
Okay in a field!
A big field!
In the middle of nowhere!
On the Lab end, the client sees the Andriod device as an option
Double-click to add it to the computer
Now using ADB we can see it's connected as you'd expect. Although you can use any tool.
Which means you can open a shell
and browse around, and do whatever you'd normally do
How does it work on the target phone?
At the target, you simply connect it to the server device with a USB cable as normal.
How does the VirtualHere server work?
The server, a phone in my case, is set up with VirtualHere server software and a way of connecting back to your lab. This could be a VPN tunnel or you can use SSL and the reverse client option built into the server.
The server is the magic part that bridges the target phone and your lab. This could work over cellular, WiFi, ethernet, or indeed any channel you have available.
How does it work in the lab?
In the lab, the phone is essentially connected to your workstation as if it were physically there. That means you can use any of your tools as you normally would. You can remotely root the phone, you can remotely break the pin lock, you can remotely everything.
The only problem is the increased latency and slower bandwidth, but I'm sure the developers of your application of choice could take this into account.
There are some of the possible use cases I thought of
- For EDisocvery you could ship a device to the client and simply ask them to plug in power, ethernet, and the mobile device which would allow you to remotely image it. Saving you the hassle of getting to the client and saving the client money.
- For LE you could give them a device (or just install the software on their mobiles) to take into the field. If they come across a mobile phone in the wild you can start giving them useful information from it very quickly.
- You could make a 'mobile phone charger' which in fact allows you to access the device remotely while it's being charged. This could be a wall charger or even one of the portable battery types.
- If you have limited access to the device you could connect to it for a short time and someone in the lab could pull off the key information quickly (or even automatically).
I'm not saying this is a foolproof finished product ready to use in your live cases but I think it's an idea worth exploring. Cellebrite or MSAB or anyone could make a device that automatically remotely connects back to your lab and allows you to extend your reach. (Although if you do make one, can I get one for free?)
What do you think?