Presenter: Amber Schroader, Paraben Corporation
Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Transcript
Amber Schroeder: Welcome to our webinar on mobile forensics using device seizure. I am Amber Schroeder, and I’m going to be walking you through device seizure, its capabilities, and the next version, as well as walking you through some investigations or some examination options for you.
First we’re going to walk through Device Seizure 6.80. This is kind of an outline of what I’m going to cover. So we’re going to talk about our supported device types, then I’m going to show you the interface, do some acquisitions, show you some of the analytics, such as sorting, searching, and then finally close out with some reporting options.
Our next area we have is the supported device types. We have it broken down into different categories. We have feature phones, smartphones, GPS devices, and tablets that are running smartphone operating systems. All of these different devices are supported within Device Seizure. We support over 22,000 different devices, and we’re constantly adding to this list, all the time. There’s a variety of both logical and physical support, but the majority of them we’re doing both. It’s built into Device Seizure to be able to support both logical and physical in a single tool.
When we actually work through Device Seizure, I’m going to show you examples working on both an Android device, and then show you the same options working with an iOS device, just so you can see kind of a smartphone option. I’ll bring up some of the feature phones as well.
Some of the things to note with our smartphone support is not only do we support the mainstream tel-com providers and the manufacturers, but we also support the pay-as-you-go devices. One of the helpful hands I found within my own investigations is that in doing those with this, pay-as-you-go of the burn phones that are running Android OS, as an example, is a lot of times I have to go to the provider site and then pull the drivers down from the provider, and do that adjustment of the driver, and then I get support of the device.
There are a lot of different, helpful hints associated with doing mobile device forensics, and a lot of it just comes from trial and error. It’s definitely a frustrating discipline in digital forensics, and we hope that using Device Seizure will help to make that frustration lessen.
In January of 2015, we have a new version of Device Seizure coming out, which is Device Seizure 7. We’re very excited about this new version; it’s an entirely new architecture for the tool, with a lot of new functions and features that we’re thrilled to be able to release out to you as our customer base.
To start with, let me give you just some of the interface looks in Device Seizure 7, kind of as a quick little preview. We have a couple of options when we start up Device Seizure 7. So we’re going to either start an acquisition, import data, open a case, or create a new case. Some of the things to note with DS7 is that it will support both the import of data that is associated with a backup of a smart device to a desktop as well as working with the device itself. So it’s kind of a nice bonus to have both of those functions in there.
As far as the interface goes – and I know not many people say this, and you can kind of tell what a super-geek I am at heart – is we really have a very sexy interface, in the fact that we have the new ribbon design, everything is very clean and easy to locate and navigate, which allows mobile forensics to really go out to a variety of different people that have a variety of different skills. You don’t have to be a super-geek to be able to do mobile forensics. You can just be someone who is getting started, and be able to follow through the process.
So you can see the main interface here, and then in the next interface, you kind of see it broken down, where you see not only a tree view, but you see the details view, and then you see the metadata associated with the same object within the interface. Once Device Seizure 7, or DS7, as it will be called, is launched and released, we will do a new webinar that explains the new tool and walks you through that new design and the new interface that we have.
Now we’ve opened Device Seizure, there are three choices in Device Seizure [indecipherable] when you start the tool. You can do a data acquisition, you can open a case, or you can create a case. In most cases you’re going to do a data acquisition, which means you want to start your acquisition.
When talking about the interface, the first thing that you’re going to work with is the Acquisition Wizard. The Acquisition Wizard is what’s going to allow you to do both a logical and physical acquisition. There are a lot of different choices within the Acquisition Wizard, and I’m going to go through those choices with you.
To get started, what you’re going to see is a list of the different devices that we support. Within this list, you see both logical and physical represented. Device Seizure does do both within the same tool. There’s a couple of areas that you want to pay close attention to. Some of the options, such as this one here, which is CDMA Devices (physical), is support for every CDMA device that has a Qualcomm chip. It is a hidden gem within Device Seizure, because you get such a massive amount of support with that. It is very typical for a CDMA device that is a feature phone to have a Qualcomm chip, and now you have a physical plug-in that will work for all of them.
It’s important that you note this, because it won’t show as a separate list, because it’s generic, based on the chip of the device. One of the advantages you have to this – if those CDMA devices are password-protected, this will allow you to bypass that password. All the password-bypass functions within Device Seizure are built into the individual plug-in. So you get prompted based on the plug-in if you want to bypass the password or not. For most of the physical plug-ins, it is irrelevant to Device Seizure if the device has a password or not.
To get started, what we’re going to do is we’re going to do an Android device. We’re selecting ‘Logical’, we hit ‘Next’, and the first thing that we have come up is information about what we should do with the device. Because we support over 22,000 different devices, you do have instructions that give you helpful hints on how you can actually connect with the device. It’s important to remember that if Windows cannot see the device, neither can Device Seizure.
So within these instructions, it tells you to put the device into debugging mode. The debugging mode will allow Windows to see the device, and it also allows Device Seizure to see the device. There are two different methods of acquisition with Android devices, both with rooting the device or with using a boot loader. We choose to do the option with rooting. The reason we chose that is for safety on the forensic examiner’s side. We wanted to pick a method that was not only something that you could explain and support within a court environment, but also one that maintained the evidence with the best methodology. The problem we found with doing a boot loader methodology is that a lot of times it can actually damage the device and eliminate all of the potential evidence that you have on it by overwriting that data. And we didn’t feel that that risk was worth it for a forensic investigator.
So I’ve got my Android device in my hand, that you can’t see, and I’ve turned it on, and I’ve pulled up the settings, and I have selected it to be in debugging mode. Now, remember, within an Android device, there are two different options as far as based on which firmware version it has. The newer firmware versions, the debugging options are hidden, and so you have to pull up ‘About Phone’, and then you have to tap on the build number until those debugging options appear. That’s a nice little Easter egg that Android has done for us. For the earlier firmware, you can see it directly in the interface.
Now, if I select ‘Next’ here, Device Seizure is going to go out, and it’s going to check the ports, and it’s going to say, “Wait a second – nothing is connected to you.” And the reason for this is I don’t actually have my device physically connected to the computer. I wanted to have you see the dialog first. Once I physically connect the device to the computer, it will appear within the dialog.
So we see… if you could hear it, you could hear the beeping, that Windows is identifying the device, and it is attempting to install the driver associated with the device. Remember, if Windows cannot see it Device Seizure cannot see it. As it goes through and it tries to connect the device to the computer, it’s going to say, “Hey, are you ready to use.” There’s a couple of options with refreshing it. You can select ‘Back’, and then select ‘Next’, and then it will auto-load the check for all the different ports to see if the device comes up.
We now see that the device has come up, and that is a connection to our Samsung Android device. If we hit ‘Next’… I always select ‘Select All’. The reason you have an option to not select certain things is if there is a problem with a particular area. This is a logical, so I’m selecting all. I’m hitting ‘Next’. It’s asking me if I want to unlock the device, which I do. And I hit ‘Next’. Now it’s connecting to the device. As it connects to the device, it’s going to go through and it’s going to load up the root agent associated with the device, and it’s going to start a logical acquisition, which is what it’s doing right now.
We’re going to use a little bit of video magic, and allow the device to do this acquisition, and then I’m going to show it to you once it’s completed.
Once the device has finished acquiring, you’re going to be prompted within the Acquisition Wizard on whether or not you would like to sort the data to move on. I prefer to sort my data before I start doing my analytics of the case, but I’m going to show you how you can do it also through the main interface. So it is your option at the end of the Acquisition Wizard to select Yes or No. If you selected to wait until you opened it, you can get the general overview. We have a tree view, the main viewer, bookmarks, attachments, and your search results, and then the Properties view here, within the interface.
As we expand the tree view, we can see all the different data that we have acquired on our device. Now, if I want to do Fill Sorter, which is one of the analytical features that’s associated with Device Seizure, all I have to do is select this option. It then puts me to a second tab here that is now filling the sorter. What happens in the Fill Sorter process is that we identify the different data based on our header libraries that we have associated with Device Seizure, and then we break those into those logical categories. The reason we do this is it makes it so when you’re going through and reviewing the data, it’s an easy way for you to see very specific information within the case.
There are two different Fill Sorter options, [and we] just had this one complete. The two different Fill Sorters are the basic Fill Sorter, which we just completed, and then the Advanced Sorter. The Advanced Sorter will go through and also pull different information out of other data areas, such as MMS. So now I’m going to run my advanced sorter we saw from the menu bar. All these are also available through the drop-down menu. As it goes through, it’s going to review the data again, check it through the header library, and make sure that nothing was missed. In Device Seizure 7 or DS7, we will be combining these into one massive sorting function within the tool.
So as we allow that to finish, we can see the different categories populate here within the tree view. Our Advanced Sorter is now completed. Now, the time delay in there, lapse, is associated with it does take longer to run the Advanced Sorter than it does to do the initial Fill Sort. The difference is probably between five to ten minutes, and it all really depends on what the device has as far as storage goes. But if you compare the results that you’re getting, we have 113 pages of graphics that we can now look at and review associated with the device. And a lot of those… some of them came from our camera associated with it, but a lot of them came from embedded areas of storage, which is where you see these album covers here, is that extensive carving that has just occurred with the device.
As we go back to our case, we have a couple of different options. We can expand each one of these options simply by clicking on the plus sign next to them. We have it broken down into what it is as far as the actual contacts associated with the device, and then if any were [recovered]. Now, this device was set up specifically for a scenario, so there’s not a ton of deleted, as it’s not a real person’s device. But if it had been a real person, and they had been using it in a normal scenario, then you would see a lot more in the recovered data. Otherwise, you see a lot of this test example items that I have put in here. So the SMS history has items in it, and then it would also have some within the recovered. MMS, that you see as well. Call history.
And then I’m going to go into Installed Apps. Now, within the installed apps, this is a new functionality for Device Seizure 6.80. You can go through and see what type of apps the user had associated with their smartphone. It looks a little different on an iPhone than it does on an Android, but the advantage that you have here is that you can go through and actually review the information they have. Now, we can go through and parse some of this information out, and then it will be broken into those categories as well, where you can see the details associated with them.
Other areas where you can see data is you can see all of their history, associated with internet surfing, and any of the main functions. One of the things to note as well is we do have a record and an acquisition of the entire file system of the device. This is part of the logical acquisition for an Android. For the latest information on what is actually supported on each type of Android device and each type of firmware, you can always reference our website at www.paraben.com, to see that information. It will also show what is supported logically and physically within the device itself. I wanted to point out quickly as I highlight the device, you also see .
Now we’re going to go back into the Acquisition Wizard and take the same device and do a physical acquisition. So I’m going to hit ‘Next’, I’m going to select ‘Android (physical)’ this time. Hit ‘Next’. It gives me the same instructions, telling me about being able to set the device in debugging mode. Again, now it is loading the driver associated with the device to make sure that it sees the device. Remember, if Windows cannot see it, neither can Device Seizure. I’m going to hit ‘Next’. It’s going to ask what it wants to do in the examination. When it does a physical examination, if there are any media cards associated with the device, it will also do a physical acquisition of those device parts as well.
Asks if I want to unlock it, which I do, and then I hit ‘Next’. Very simple process with an Android device. It’s then going to connect to the device and start the acquisition, just as we saw with the logical. Very similar as far as the interface goes, and now it just needs to go through and do the process.
While we’re looking at our unparsed and recovered data, let’s go ahead and look at what our search dialogs and what our searching functions within Device Seizure can do for us.
So if I click on ‘Search’, it pulls up the Search dialog. I can search files, I can search for text, and I can also search by hex. Searching by text – I can type in any simple word, and I can then say I want to match the whole word or I can match the case. I’ve a variety of codecs that I can use as well, and I also support all of Unicode. So you have a lot of information and options available to you when it goes for searching. The basics are being able to search for text. You can also do Boolean expressions, which are iCloud and contacts, iCloud and [amber], and find both of those, or iCloud and/or [amber], or iCloud within five words of [amber]. All of those options are available to you. The easiest way for you to do Boolean expressions is to pull up that page in our extensive help file, and print it off, and use it as a reference for yourself.
So all I have to do with the search is then to type that in and hit ‘Start’. As I have that information come up, we see that this dialog down here, which are my search results, are being populated. I can then pause it… which I need to stop. That’s why it beeped at me – I’m an impatient user. Because I want to immediately look at my results. It’s still searching; we’re going to stop it. We’re going to close it. And then we can go and immediately look at our results down here. So we have a lot of different options. Of course I did search for iCloud, and it is an iOS device. But it will go through and continue to do that. Once we have that information, we can click on that, and it’s going to highlight, within that list, as we saw in our unparsed, recovered data, all the [occurrences] of iCloud. At that point, if I want to, I can add a bookmark, I can call it my iCloud bookmark. It’s going to reference and do a hash for that, and it’s a great way for me to have a point of reference back to later.
Before we finish working with our iOS device, I want to bring up some examples of the app data. We’re constantly adding updates to which apps we’re parsing and which apps we’re not parsing, because those ones that are popular will change all the time. So for example, we do Kik. We can look at our conversations that our suspect is having with emmy, davethecat, funnyordie, etc.
We see the data here, the sender name, the IDs, and then the date and time stamps associated with it. We do that will all the different apps, and we do the same within iOS as we do associate it with Android devices. We’re also adding Blackberry support in DS7, so that you’ll be able to see the apps parsed in Blackberry devices as well.
And again, examples for you. My rule of apps is that we try to look at those based on what are the most popular apps out there, and those are the ones we try to focus on. However, we love input from our customers, so if there are apps that you are starting to see a lot in your cases, you’re welcome to email us in those informations, like “Hey, I’m seeing a lot of [Text Plus or]…” and so we add support for [Text Plus]. And that’s just an example for you. Because there are so many apps out there, it’s not going to be one of those things that we ever support 100% of them, but we do always try to support what’s popular.
NOwe we’re going to go back and do an iPhone physical. Now, I’m going to show you the process within the Acquisition Wizard, but a lot of what you need to do with an iPhone device in order to do a physical acquisition of it, you really have to do on the device, so it’s a little hard to show you in a webinar where you’re watching just the interface of the tool. But I want to show you that that capability exists.
So we’re back in our Acquisition Wizard, we’re going to hit ‘Next’, and now we’re going to select the ‘iPhone/iPad/iTouch (physical)’. We’re going to hit ‘Next’. This is where it’s super important to pay attention and read the instructions. What happens with an iPhone physical device is that we put the device in DFU mode. That allows us a low-level access into the device. So these are the instructions in order to be able to do that. What you’re going to do is you’re going to plug your device into the computer, and as with all iOS devices, as soon as you plug it into a computer, it wants to turn on. So you’re going to do the exact opposite, and you’re going to turn off the device.
Now, you want to make sure that you actually turn it off completely by sliding the power off on the device. Takes a moment for the Apple device to turn off completely. Then your next step is you’re going to hold the Power button down for three seconds, and then as you hold that Power button down, you’re going to hold the Home button – I always call it the iPhone belly button, because it kind of reminded me of that. One of my nephews mentioned that to me, and it cracked me up, so I remember that ever since. So I’m going to hold down the Power button and I’m going to hold down the Home button for ten seconds. First the Power button for three – so one, two, three – and then I’m going to hold the Power button and the Home button down for an additional ten seconds. The Apple logo will appear on the device, and then, as it disappears on the device, you know you’ve held it long enough. Once that happens, you’re going to release the Power button on the device, and you’re going to keep holding the Home button. As you keep holding the Home button, the device is going to load into Windows as in DFU mode.
Once that happens, you can hit ‘Next’ in Device Seizure, and the device will appear in the list. Now, in this case, my device did not appear in the list, which means it is not currently in DFU mode. It’s probably because I’m doing a poor job and multitasking, and trying to place the device in DFU mode while talking in the video. So all you need to do is then hold the Home button and the Power button down together, reset the device, an Apple logo will appear. Now, when I say “reset the device,” you’re not actually damaging any of the data on the device, you’re simply telling it that you’ve failed in DFU mode and you want to try it again. This reminds me all the time of going back and doing palm devices, and having to do a soft reset on them after putting it in a debugging mode.
And then I’m going to repeat this process again until it shows up within the dialog. Once that happens, you’ll go through and follow the exact same process again. So I’m going to go through and place the device in DFU mode.
Well, once I quit multitasking, I was able to place the device in DFU mod e. So as you can see, as I hit the next dialog, we’re having Device Seizure scan the ports, and it sees the device now in DFU mode. We hit ‘Next’, it’ll ask what I would like to acquire, which I want to select all of these items, and I hit ‘Next’ again. As it goes through and does that, I know I’ve been successful in this loading of it, because the Paraben logo will actually appear on my suspect device. Now, we haven’t changed anything in that process. All we’re doing in that process is letting you know that you are indeed in DFU mode, and we are communicating to the device. And that’s our easiest way for us to tell you that.
Now, depending on which version of the device, I have had it where the logo doesn’t come up, the device remains blank, but the dialogs within Device Seizure actually will go through and continue to move forward and refresh, and so I know that I’ve been successful and my acquisition has started. Remember, one of the big keys in doing mobile forensics is to be patient, because you’re working with both a device and you’re working with a computer, trying to get them to cooperate and work together. Any time you have a team like that going on, then it’s going to take a little bit of patience.
Now we’re going to go through and look at generating reports. There’s a lot of different options when you generate a report. You can hit it from the dialog here, or if you go to the File menu, you can get it through the dropdown. In addition to generating report, you can export data outside of the Device Seizure case – so you can do it as XML. You can export it to Link2, which is our free link analysis tool that we offer with Device Seizure. You can also do a general export of all the graphics and multimedia out of the case, and it will put it into a sub-directory, so you have that all independent. Or you can do a batch export based on selections that you have within the case. For right now, we’re going to just look at generating reports.
So we’re going to select ‘Generate Report’. We have everything from an HTML report all the way to a TXT Simple report – or it should be the other way around, because text is the most simple.
The investigative style reports are designed so that people who are less computer-savvy can review the data very easily, and then you can do more complex reports based on that. You can break PDFs into independent pages. My favorite report is the PDF Investigative Report. That’s the one that I typically do with my cases.
So now I’m going to hit ‘Next’. I can add a case number into my report, an evidence number, the company, any device information – I always have that so I can add information on how the device was received – the investigator, the contact details. And then we’ve allowed an ability so you can customize it. So if we want to add a custom logo, we can browse for our custom logo. Big fan of penguins, so we’re going to select penguins as my custom logo. I can then add a custom header. And then I can add a custom footer as well.
Now I get to have my options. So if I include the item that’s only selected to include in report, those would be items that have checkmarks next to them. If I include all the data, it would be everything associated with my device, so those can get very long. I can include the product information, which will have the version number and the build number, whether or not I want to have empty tables, and then of course my bookmarks. And then when I have my bookmarks, I can select to search by name. Now, I did a variety of different bookmarks, from different pictures, all the way through to different text items – whatever works for you.
Then I’m going to select ‘Finish’. It’s going to think for a moment, and then it’s going to generate the report. I’m going to replace my old report. And once I finish, if you have Adobe already installed on your computer, it will automatically launch it. I can scroll down. There’s my penguins, my custom header, my footer, and an index of everything that’s been included in my report. And the nice thing is I can also then go and interact with my report over here, because I marked things such as the Kik messages, and my other bookmarks. Very easy to do. There are a variety of different report options, as I mentioned, and those are the best way for you to finish out a comprehensive case examination using Device Seizure.
I’d like to thank you for joining me for the Device Seizure webinar, of version 6.80. Again, we will have a new version released in January of 2015, of DS7. We will come back and give you a new webinar for that. We do have an open challenge right now, that if you would like to try Device Seizure for 30 days, that we will give you a fully functional license for that time period, so that you can try out the tool.
Again, remember, with mobile forensics, a lot of it is about patience and actually being able to get your device to talk to Windows. That’s prior to having your tool do what it can do for you. Again, I’m Amber Schroeder, and I appreciate you joining me, and I hope that if you have any feedback, that you’re willing to share that with us, at forensics@paraben.com, or if you would like to take us up on our offer for the Device Seizure challenge, you may also email us at that same email address – again, forensics@paraben.com. And we’d be happy to offer you that 30-day license. Thank you.
End of Transcript