Countering anti-forensics for mobile phones

6 Posts
3 Users
0 Likes
615 Views
(@iamgenius)
Posts: 24
Eminent Member
Topic starter
 

Hello,

I have seen apps which enable you to wipe your smartphone after an SMS is sent or if the smartphone is disconnected from the PC USB port.

For the SMS bit, other than obvious things like using airplane mode or putting the phone in a Faraday bag, how can you fight it?

As for disconnecting from the USB port, is it feasible to suggest to mobile makers that they make phones in a certain way so that they only register the disconnection after some delay rather than immediately? The forensic investigator needs to remove the phone and take it to the specialized lab for acquisition and analysis. But in this case, if he disconnects the phone, it will wipe itself. Now the phone is connected to the host machine. Can we just acquire an image using the host? But it is the suspect's or the criminal's machine, so it is not to be trusted. So? Is it at all logical to hack into the machine from another trusted machine and acquire the phone image? This doesn't make sense, I think, but I don't know why I thought of it. I mean, you never know what is in the suspect's machine, so you should not use it, right? As an experienced forensic investigator, what would one do if he knows about this possibility?

Going back to the SMS trick, you should immediately block the phone from all signals if you know something like this could happen, right?

After being wiped, I don't think there is a reliable way to successfully recover data since all smartphones nowadays use flash storage…

Thanks.

 
Posted : 08/11/2016 1:53 am
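Before pulling the cable on a live, unlocked Android handset, an investigator can at least see whether anything on it is listening for the triggers the post above describes. The following Python script is an added example written for this page, not code from the thread or from any forensic tool: it parses the receiver table of `adb shell dumpsys package` and the admin list of `adb shell dumpsys device_policy` for packages that register for `SMS_RECEIVED` or power/USB-disconnect broadcasts and also hold the `wipe-data` device-admin policy. Both dumps in the script are constructed samples whose layout approximates real dumpsys output, and `com.example.remotewipe` is a hypothetical package used only to exercise the parser. Running the real commands requires USB debugging to be authorised on an unlocked device, which is the same precondition as in-field acquisition.

```python
import re
from typing import Dict, List, Set

# Broadcast actions an anti-forensic "wipe on trigger" app would register a
# BroadcastReceiver for. Keys are the real Android action strings; values are
# the labels used in the report.
TRIGGER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS-triggered wipe",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "wipe on power/USB unplug",
    "android.hardware.usb.action.USB_STATE": "wipe on USB state change",
}

# Constructed excerpt of `adb shell dumpsys package` (Receiver Resolver Table).
# Layout approximated from real dumps; com.example.remotewipe is hypothetical.
DUMPSYS_PACKAGE = """\
Receiver Resolver Table:
  Non-Data Actions:
      android.provider.Telephony.SMS_RECEIVED:
        43f2a1b com.example.remotewipe/.SmsTrigger filter 8a1c2d3
          Action: "android.provider.Telephony.SMS_RECEIVED"
          mPriority=999, mHasStaticPartialTypes=false, mHasDynamicPartialTypes=false
        1d7e0c4 com.android.messaging/.receiver.SmsDeliverReceiver filter 55aa0f1
          Action: "android.provider.Telephony.SMS_RECEIVED"
      android.intent.action.ACTION_POWER_DISCONNECTED:
        9b2c7f0 com.example.remotewipe/.UsbTrigger filter c0ffee1
          Action: "android.intent.action.ACTION_POWER_DISCONNECTED"
      android.intent.action.BOOT_COMPLETED:
        7e1a2b3 com.android.vending/.BootReceiver filter 0badf00
          Action: "android.intent.action.BOOT_COMPLETED"
"""

# Constructed excerpt of `adb shell dumpsys device_policy`, same caveat.
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.remotewipe/.Admin:
      uid=10123
      testOnlyAdmin=false
      policies:
        wipe-data
        force-lock
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10087
      policies:
        force-lock
"""

# "      android.provider.Telephony.SMS_RECEIVED:"  -> action header
ACTION_HEADER = re.compile(r"^\s+([A-Za-z0-9_.]+):\s*$")
# "        43f2a1b com.example.remotewipe/.SmsTrigger filter 8a1c2d3"
RECEIVER_LINE = re.compile(r"^\s+[0-9a-f]+ ([A-Za-z0-9_.]+)/\S+ filter [0-9a-f]+")
# "    com.example.remotewipe/.Admin:"  -> enabled device admin header
ADMIN_HEADER = re.compile(r"^\s+([A-Za-z0-9_.]+)/\S+:\s*$")


def receivers_by_action(package_dump: str) -> Dict[str, Set[str]]:
    """Map each trigger action to the packages that registered a receiver for it."""
    found: Dict[str, Set[str]] = {}
    current = None
    for line in package_dump.splitlines():
        header = ACTION_HEADER.match(line)
        if header:
            action = header.group(1)
            # Only track actions we care about; receivers under other actions are skipped.
            current = action if action in TRIGGER_ACTIONS else None
            continue
        receiver = RECEIVER_LINE.match(line)
        if receiver and current:
            found.setdefault(current, set()).add(receiver.group(1))
    return found


def admins_with_wipe(policy_dump: str) -> Set[str]:
    """Packages holding an enabled device admin whose policies include wipe-data."""
    admins: Set[str] = set()
    current = None
    for line in policy_dump.splitlines():
        header = ADMIN_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if current and line.strip() == "wipe-data":
            admins.add(current)
    return admins


def triage(package_dump: str, policy_dump: str) -> Dict[str, dict]:
    """Per-package summary: which triggers it listens for and whether it can wipe."""
    wipers = admins_with_wipe(policy_dump)
    report: Dict[str, dict] = {}
    for action, packages in receivers_by_action(package_dump).items():
        for pkg in sorted(packages):
            entry = report.setdefault(pkg, {"triggers": [], "can_wipe": pkg in wipers})
            entry["triggers"].append(TRIGGER_ACTIONS[action])
    for pkg in wipers:
        report.setdefault(pkg, {"triggers": [], "can_wipe": True})
    return report


def high_risk(report: Dict[str, dict]) -> List[str]:
    """Packages that both listen for a trigger and hold the wipe-data policy."""
    return sorted(p for p, e in report.items() if e["can_wipe"] and e["triggers"])


if __name__ == "__main__":
    result = triage(DUMPSYS_PACKAGE, DUMPSYS_DEVICE_POLICY)
    for pkg, entry in sorted(result.items()):
        print(f"{pkg}: can_wipe={entry['can_wipe']} triggers={entry['triggers']}")
    print("HIGH RISK (do not unplug, keep RF-isolated):", high_risk(result))
```

A package that merely listens for SMS (the stock messaging app in the sample) is reported but not ranked high; only the combination of a trigger receiver and the `wipe-data` admin policy is. An empty result is not proof of safety: a trigger can live in a rooted device's init scripts or a custom ROM, an app can poll battery or USB state instead of registering a receiver, and receivers registered dynamically at runtime never appear in the package manager's static table. The output is a reason to stay in a Faraday bag on external power and acquire in place, not a licence to unplug.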
(@thesiv)
Posts: 6
Active Member
 

Just turn the device off!

 
Posted : 10/11/2016 12:30 am
(@iamgenius)
Posts: 24
Eminent Member
Topic starter
 

Just turn the device off!

Clever. I honestly haven't thought about it although it is very obvious. Thanks.

Besides obvious ways, I still can't really think of anything. I'm begging for answers.

Thanks.

 
Posted : 11/11/2016 5:07 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Turning the device off isn't the best idea either. What if there is an unknown lock on it and you can't ever start the device again for any kind of data acquisition?

 
Posted : 11/11/2016 2:18 pm
(@iamgenius)
Posts: 24
Eminent Member
Topic starter
 

Turning the device off isn't the best idea either. What if there is an unknown lock on it and you can't ever start the device again for any kind of data acquisition?

I thought about that. But what options do we have? If the device has a lock, then it will most likely be locked anyway when we arrive at the crime scene. That's why I considered turning off the device a good solution.

I'm trying to think of more technical solutions.

Here is one thing we thought about, but it is a future thing. Maybe we should submit a recommendation to mobile makers so that they design phones in a way that registers the disconnection only after some delay, before which we can connect the phone again to another computer or laptop. Viable?

 
Posted : 11/11/2016 11:57 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

That is not viable, I don't think it would ever happen.

If the device is on and unlocked, do your acquisition right there, in-field. If acquisition is not possible because of a lack of in-field equipment, use Faraday bags, an external charger and a screen buzzer to keep the phone in the unlocked state until you can do the acquisition. Start with a logical acquisition, then a filesystem dump (if possible), and if you are allowed (!) prepare the phone (modify its settings) for a later physical acquisition.

If the device is on but screen locked, I could suggest whom to contact for some help, for example, me )

If the device is off, leave it turned off.

There is a huge variety of devices, but the most common golden rule is to keep the device in the state in which you got it until any further analysis.

 
Posted : 12/11/2016 12:40 am