Maarten Van Horenbeeck
Mobile Forensics and the Trust Factor
When performing forensic analysis of a mobile device, we generally want to assess whether a certain incident took place, or whether the user of the device was involved in some type of policy breach. In this paper I investigate to what degree data found on a mobile device can actually be attributed to the owner of the device.
In the forensic report, an investigator is expected to provide some detail on the amount of confidence he has in his findings. In general, a court of law is looking for a link between a certain suspect and data found on a mobile device. In order to assess this confidence level correctly, a forensic analyst needs to be aware of the different methods that can be used to manipulate data on the average mobile device.
These include RF, Bluetooth and infrared transmission, the functionality set supported through a data cable and the authentication/authorization measures available on mobile devices. The paper tries to answer which of these vectors are significant and how a forensic investigator should take them into account when preparing a forensic report.
Keywords: Forensics; Evidence Law; Information Security
Introduction: the purpose of a forensic investigation
The process of mobile forensics is always started with a specific purpose in mind. NIST (2007, p. 53) describes the two most common such investigations as being:
- where the incident has occurred, but the identity of the offender is unknown;
- where offender and the incident are both known.
In these cases, the purpose of the forensic investigation is either to identify the offender, or to gather evidence to build a case against a known offender. Both are very common from a law enforcement perspective.
However, a number of other situations may apply. In the case of kidnapping, for example, information may need to be gathered that helps identify the location of the victim. Because international computer crime is hard to trace, many forensic investigations are also started merely to establish the scope of an attack rather than the identity of the attacker, or to assess the liability of an organization, for example after credit card theft.
From these examples, it is clear that the acceptability of evidence differs considerably between these situations. During incident response, depending on what is at stake, the lead investigator may decide that the information at risk is too valuable to wait for the longer procedures that would be required if the case were to be taken to court. This is especially likely when it seems improbable that the incident will result in prosecution.
Acceptability constraints under evidence law
For the purpose of this paper, we will briefly review US evidence law regarding the acceptability of evidence within a federal courtroom context. It is important to note that individual US states may have different law, which can vary widely.
Two articles of the Federal Rules of Evidence specifically apply to the use of forensic data. Perhaps most important is Article X, dealing with the contents of writings, recordings and photographs. It requires evidence to be an "original" or a "duplicate", and places only broad requirements on such a duplicate: it is admissible unless "a genuine question is raised as to the authenticity of the original" or it "would be unfair to admit the duplicate in lieu of the original" (Cornell, 2007).
The digital evidence standards published in 2000 in the FBI's Forensic Science Communications define "duplicate digital evidence" as "an accurate digital reproduction of all data objects contained on an original physical item" (FBI, 1999). No specific procedures are prescribed for gathering such evidence, but the net result of this rule is that one needs to be able to prove that the data is in fact an accurate reproduction.
This is where Article VII of the Federal Rules of Evidence becomes important. It deals with opinions and expert testimony, and Rule 702 sets the following requirements for expert testimony in a case: "a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case" (Cornell, 2007). An expert therefore needs to use scientifically sound methods during the investigation, and apply them reliably to the case at hand.
The same rules also clarify the weight given to such testimony. Rule 704 states that testimony is not objectionable "because it embraces an ultimate issue to be decided by the trier of fact" (Cornell, 2007). Expert testimony, however well supported scientifically, can therefore never decide a case by itself; the judge or jury remain responsible for the outcome.
Recourse exists for any party that disagrees with the testimony. The rules allow the admissibility of such evidence to be contested by directly challenging the requirements cited above. It is also common for the opposing party to introduce a second expert who refutes the earlier testimony, either by showing that the investigation was performed in a way that cannot be scientifically supported, or through a well-known loophole: can the expert prove that it was in fact the accused who was using the mobile device when the actions described in the testimony took place? One of the first uses of this defence was in the case Ohio v. Cook, where the defendant disputed the assumed creator of certain files (Meyers & Rogers, 2004).
Proving user involvement
It remains an open question how an expert can prove that a specific user was involved in certain actions that took place on a computer. Recent advances in authentication technology have had a definite impact. For example, e-mails that are digitally signed with an X.509 certificate can be linked to a specific person with relative certainty. In 2000, the Electronic Signatures in Global and National Commerce Act (E-SIGN) gave electronic signatures the same validity as handwritten ones (FTC, 2001). In addition, basic information security measures, such as automatic logout after a machine has been idle for five minutes, support the inference that a specific user was involved in an action.
Another important feature of most operating systems today is the verbosity of their logging. Operating systems retain significant amounts of information on logon attempts and file system changes. A forensic investigator can use this output to assess whether a specific user made certain changes, and perhaps even to show that the user was in fact using the machine. During regular use, users may be required to re-authenticate regularly, for example to access their e-mail. If such a re-authentication window correlates with the time at which a change was made, that change can be linked to a specific user with greater confidence.
Entry pathways and evidence corruption
Most mobile devices have less processing power than the average stationary, wired device, in terms of both processor and memory. Even some of the more advanced recent smartphones have relatively modest specifications. The Sony Ericsson P990i, which went on sale in summer 2006, is reported to ship with a 208 MHz processor and 64 megabytes of memory, of which only 15 megabytes remain available for end-user applications, plus 80 megabytes of embedded storage (Jerz, 2006). These specifications, while impressive for a phone, are limited compared with desktop computers, where 512 megabytes of memory is no longer an exception.
Nevertheless, these devices have started supporting a wide set of entry points, comparable to that of today's desktop PCs. This specific phone, for example, supports the following external means of connectivity:
Besides being welcome functionality, each of these means of remote connectivity is a potential entry point to the device, and each increases the risk that a third party, rather than the owner, used the device. Forensic investigators should be aware of the risk posed by these services, and additional investigation
The malicious code threat has increased in line with increasing functionality within today's application software. Infection of end user machines no longer occurs purely through social engineering, in which a file is sent to an unsuspecting end user, but has gradually moved towards exploiting vulnerabilities in applications commonly used to access internet resources. In 2002, a vulnerability was found in the way the Outlook Express e-mail client interprets S/MIME signed e-mails which could allow a remote attacker to craft a malicious message that would execute arbitrary code upon it being opened (Microsoft, 2002).
More recently, a number of vulnerabilities were identified in parsers for common image files such as the Windows Metafile format and Animated Cursor files (Liston, 2007). These last two vulnerabilities proved interesting as they were located in the base operating system and not so much in an end-user application.
While none of them affected mobile devices, many of the operating systems used by these smartphones are very similar. At least one vulnerability has been identified in the Internet Explorer version shipping with Windows Mobile, the Microsoft operating system for mobile phones, which caused the device to crash upon visiting a malicious page (Trend Micro, 2007).
In addition, newer technologies such as MMS allow malicious code to be transferred over the phone's UMTS or GPRS link. The Commwarrior worm, which spreads only on Nokia Series 60 phones, propagated through MMS messages (as well as over Bluetooth). Once a phone was infected, the worm sent a copy of itself to at least one entry in the user's contact list (Symantec, 2005). While the recipient still had to confirm that he wanted to execute the code, he was likely to do so, as it arrived from a trusted source.
Bluetooth is a technology used in Personal Area Networks. Such networks allow the transmission of data between devices under control of the same owner. It is commonly used for wireless connection between a cell phone and a hands free kit, or to connect office equipment to desktop machines.
Security within Bluetooth depends heavily on so-called "pairing", in which both devices attempting to connect require a passkey. The devices derive a link key from this passkey, which is then used for future connections (Wong, Stajano & Clulow, 2005). In addition, users can place their Bluetooth-enabled device in either discoverable or non-discoverable mode (Bluetooth, 2007). A device can scan for available partners, and non-discoverable devices will not show up in such a scan. Devices with which a previous pairing exists, however, can still connect directly using the cached hardware address.
Several weaknesses have, however, been found in the Bluetooth authentication mechanism. Even when the data transferred over Bluetooth is encrypted, the hardware addresses are not, which allows an attacker to re-use them and spoof traffic as coming from another, more trusted device. And while Bluetooth is designed for use within a Personal Area Network, directional antennas have allowed devices to be reached from much larger distances (Schneier, 2005).
The security of actual Bluetooth implementations in phones has also been found deficient in a number of cases. In 2003, Laurie reported major issues that allowed a remote Bluetooth user to retrieve data from Nokia mobile phones. On some models these attacks even worked against phones placed in non-discoverable mode, and the vulnerability allowed anonymous, remote users to send SMS messages from the phone (Laurie, 2003).
Some of today's smartphones support direct IP connectivity over an 802.11-compatible wireless interface. This lets an organization save costs, by using the local network directly instead of the provider's UMTS or GPRS service, and offers higher throughput (up to 54 Mbit/s with 802.11g), but it also increases the exposure of the device.
In April 2007, the communications security firm Sipera identified a buffer overflow vulnerability in the SJPhone SIP soft phone running on the Samsung SCH-i730 WiFi-enabled smartphone. In that case the vulnerability was only exploited to the point of disabling the calling features and slowing down the phone's operating system, but the same class of vulnerability could in other circumstances lead to the execution of arbitrary code (Sipera, 2007).
Wireless use also exposes the device to a large set of network-based attacks. Through a rogue access point, a man-in-the-middle attack can be mounted against the device with far less expensive equipment than a comparable attack on the cellular network would require. The relatively low-end hardware, compared with desktop devices, may also force the device to fall back to weaker wireless encryption such as WEP, whose use of RC4 is known to be flawed.
Identifying the source of change
In a computer forensic investigation of a server, where physical access is usually limited, a compromise generally leaves at least some trace. Although an attacker who gains root or administrator access could theoretically remove every trace of the attack, this rarely succeeds completely: logs may be stored remotely, out of the attacker's reach, and deleted data can often be recovered from the device.
This generally does not apply to mobile devices. Due to limited space and resources, many of the applications running do not store audit logs. As such, forensic investigators need to make do with the data on the device, without having much information available on how that information got there. For example, an attacker accessing the device through Bluetooth and introducing an SMS message, incriminating its owner, can usually do so without this message appearing in a non-standard way on the device.
A second issue is the anonymity of a wireless attacker. When an attack originates from a public IP address, it can generally be traced back to the originating host, and with sufficient cross-jurisdictional support, law enforcement can trace it to its origin. Wireless attacks originate physically within the same "local area network" as the victim, and are therefore even less likely to be traced back to a person. While a wireless signal can generally be located by triangulation, this is only possible while the attack is ongoing, so such an effort is of little use during a forensic investigation conducted afterwards.
Data cables and modification of phone firmware
An underestimated form of access to a mobile phone is through use of a data cable. Many phones nowadays are accompanied by such cable, enabling users to connect to their phone using a software package, in order to download or upload ringtones, text messages and even software programs.
Such cables also have another use. Users have long wished to customize their mobile devices. Initially this was mostly done by changing the exterior of the phone or the ringtone; more recent software lets users reassign function keys (NIST, 2007, p. 41). Where a forensic investigator has to resort to accessing the phone through its graphical user interface, this may complicate matters.
For some time there has also been an active community involved in so-called "phone modding". Not officially supported by most mobile phone vendors, these techniques consist of altering the firmware on a mobile device to add functionality. Such flashing can add games to the phone or make small behavioural changes, for example to the alarm clock.
Flashing can be a significant issue for a forensic investigator. While one is generally interested in acquiring the data on the mobile, such as text messages and the dialled-numbers list, rather than the software stored in ROM, that software governs how the data is interpreted. Within the constraints of the mobile environment it would therefore be technically possible to embed basic anti-forensic measures in the firmware. What makes flashing a powerful tool for hiding evidence is that it removes the predictability of the software. A forensic investigation should be based on scientifically valid principles and procedures, but an investigator sometimes has to presume certain things in order to proceed at all. When a phone issues a low-battery alert, by beeping or by a screen message, an investigator will generally supply power. If the origin of such a message cannot be trusted, serious problems are likely to arise.
Flashing a phone's firmware has also been used by law enforcement during criminal investigations. In 2006, the Seattle Times reported how the Federal Bureau of Investigation remotely updated the firmware of cell phones belonging to members of a crime syndicate so that they relayed all communications (Coughlin, 2006).
Evidence integrity during transfer
Once a device is confiscated, a suspect is likely to be aware that the data on it is at risk, and may take action to prevent it from being read by investigators. While the tools needed to do so remotely may not have been easy to acquire in the past, the growing use of these mobile devices makes it increasingly likely that they will actually be used.
In addition, the International Organization on Computer Evidence holds the important principle that the methodologies used in a forensic investigation should "instil confidence in the integrity of evidence" (FBI, 1999b). If it can be shown that evidence changed while under the supervision of a forensic investigator, this can be used to discredit that evidence and prevent it from being used to build a case.
There is therefore a requirement to make each of the entry points above unusable from the moment the evidence is acquired. A number of methods have been developed for this. A common one is shielding, which isolates the device from any RF, Bluetooth or infrared access, typically by placing it in an RF-shielding bag. Another is an RF jammer; however, jammers may be illegal in some jurisdictions (Harrington, 2007), and they are generally less effective because the different functions use very different frequencies, such as 2.4 or 5 GHz for WiFi and 900 MHz for GSM.
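The requirement discussed under evidence law that a duplicate be an accurate reproduction of the original, and the principle above that procedures should instil confidence in the integrity of evidence, are in practice both demonstrated with a cryptographic hash recorded at acquisition time and re-checked whenever the image changes hands. The following Python script is an added example and is not part of the original paper or of any vendor's acquisition tool; the file names, the examiner identity and the image contents are constructed for the demonstration.

```python
"""Acquisition manifest for an imaged handset: hash at acquisition, re-verify later.

Added example (not from the original paper). File names, examiner identity
and the 'image' contents are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image need not fit in RAM


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image: Path, manifest: Path, examiner: str, note: str) -> dict:
    """Record size, digest, time and examiner at acquisition: the custody baseline."""
    entry = {
        "image": image.name,
        "size": image.stat().st_size,
        "sha256": sha256_file(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "note": note,
    }
    manifest.write_text(json.dumps(entry, indent=2))
    return entry


def verify_manifest(image: Path, manifest: Path) -> tuple[bool, str]:
    """Re-hash the image and compare with the baseline.

    Returns (ok, reason). A mismatch means the evidence changed while in custody,
    which is exactly what the opposing party would use to discredit it.
    """
    entry = json.loads(manifest.read_text())
    if image.stat().st_size != entry["size"]:
        return False, "size differs from manifest"
    if sha256_file(image) != entry["sha256"]:
        return False, "sha256 differs from manifest"
    return True, "image matches manifest"


def demo() -> dict:
    """Constructed scenario: verification passes on the pristine image and
    fails after a single bit of the image is flipped post-acquisition."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        image = tmp / "handset.bin"            # constructed name
        manifest = tmp / "handset.manifest.json"
        image.write_bytes(bytes(range(256)) * 64)   # constructed 16 KiB 'image'
        write_manifest(image, manifest, examiner="examiner-1",
                       note="acquired in RF-shielded bag, data cable removed")
        ok_before, why_before = verify_manifest(image, manifest)

        data = bytearray(image.read_bytes())
        data[100] ^= 0x01                      # simulate one changed bit
        image.write_bytes(bytes(data))
        ok_after, why_after = verify_manifest(image, manifest)
    return {"ok_before": ok_before, "why_before": why_before,
            "ok_after": ok_after, "why_after": why_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what an examiner hands over with the image; each later party re-runs the verification step and records the result, so that any change can be placed in time and attributed to a custody interval rather than left as an unanswered challenge to the whole acquisition.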
Future issues in Mobile Forensics
A major issue in computer forensics has been the still-open question of whether to shut a machine down and acquire all information by imaging the disks, thereby capturing only data at rest, or to leave the machine running and also acquire volatile information such as the contents of random access memory. Volatile information, however, has to be read through the operating system, which could be backdoored by a so-called rootkit, potentially compromising the results.
Recent advances in computer forensics include the use of a combination of hardware and software to acquire the contents of RAM with much higher integrity. This type of acquisition is especially important for assessing whether a machine is in fact compromised: malicious code may run as the shellcode stage of a buffer overflow attack and remain active in memory without ever being written to a storage device.
However, as Rutkowska recently showed, even hardware-based acquisition cannot always be trusted. On AMD64 platforms, the memory controller's address map can be reprogrammed from software so that a physical address read by the CPU and the same address read by a DMA-capable I/O device resolve to different contents. Using this, different data can be presented to the operating system than to the hardware acquisition device (Rutkowska, 2007).
These issues apply equally to mobile phones. On many mobile systems, some forensically interesting data resides in volatile memory. As this data is lost when the battery is removed and the device is fully powered off, it has to be acquired while the device is operational. Tools generally have to use the existing protocols developed by the phone's designers to access that information (NIST, 2007, p. 20). Since one can currently only assume that the phone's operating system has not been modified, this is essentially a major trust issue.
Dealing with the trust issue
For a forensic investigator, the most important thing is to be aware of the many issues that may affect the reliability of the evidence presented. In the United States, no particular requirements are imposed on forensic experts before they may testify in a court of law. Nevertheless, evidence can always be refuted by better evidence, so the result of a forensic investigation is likely to be contested by the party whose case it weakens. Forensic investigators should therefore be prepared to respond to any concerns raised and, where possible, provide additional assurance.
While many of the technological issues in mobile forensics remain unresolved, investigators should endeavour to triangulate all evidence gathered. Triangulation consists of attempting to confirm, from an independent source, any statement based on information gathered from the mobile device. For example, contested text messages in the "Sent SMS" folder could be confirmed by requesting the records of the mobile phone provider.
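As an added example (not part of the original paper), the following Python script performs the triangulation just described: it matches the handset's sent-message records against mobile-originated entries in the operator's call detail records within a timestamp tolerance, and reports what each side has that the other lacks. The same time-window matching applies to correlating re-authentication events with file changes, as discussed earlier. Both record sets, their formats and the phone numbers are constructed for the demonstration; real operator exports differ, and both clocks are assumed to be in UTC.

```python
"""Triangulating a handset's 'Sent SMS' folder against operator records.

Added example, not from the original paper. Both record sets below are
constructed; the formats are illustrative, not any operator's real export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sms:
    ts: datetime   # timestamp as recorded by the source (assumed UTC on both sides)
    peer: str      # counterpart number after normalisation
    source: str    # "device" or "provider"


# Constructed handset export: 'YYYY-mm-dd HH:MM:SS;number' per sent message.
DEVICE_EXPORT = [
    "2007-05-10 14:02:11;+32 470 11 22 33",
    "2007-05-10 14:05:40;+32 470 11 22 33",   # no operator record: candidate for local injection
    "2007-05-11 09:30:02;+32 471 99 88 77",
]

# Constructed operator CDR extract: 'ISO-time,direction,number' (MO = mobile originated).
PROVIDER_CDR = [
    "2007-05-10T14:02:15Z,MO,0032470112233",
    "2007-05-11T09:29:58Z,MO,0032471998877",
    "2007-05-11T18:00:00Z,MO,0032470112233",  # carried by the network, absent from the handset
]


def normalise(number: str) -> str:
    """Strip formatting and a leading international '00' so both sources compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[2:] if digits.startswith("00") else digits


def parse_device(lines):
    out = []
    for line in lines:
        ts, peer = line.split(";")
        out.append(Sms(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), normalise(peer), "device"))
    return out


def parse_provider(lines):
    out = []
    for line in lines:
        ts, direction, peer = line.split(",")
        if direction != "MO":          # only outgoing records can confirm a 'sent' message
            continue
        out.append(Sms(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), normalise(peer), "provider"))
    return out


def triangulate(device, provider, tolerance=timedelta(minutes=2)):
    """Match each device record to the closest unused operator record with the same
    peer inside the tolerance. Returns (confirmed pairs, device-only, provider-only)."""
    unmatched = list(provider)
    confirmed, device_only = [], []
    for d in sorted(device, key=lambda s: s.ts):
        best = None
        for p in unmatched:
            if p.peer == d.peer and abs(p.ts - d.ts) <= tolerance:
                if best is None or abs(p.ts - d.ts) < abs(best.ts - d.ts):
                    best = p
        if best is None:
            device_only.append(d)
        else:
            confirmed.append((d, best))
            unmatched.remove(best)   # each operator record confirms at most one message
    return confirmed, device_only, unmatched


def report() -> dict:
    confirmed, device_only, provider_only = triangulate(
        parse_device(DEVICE_EXPORT), parse_provider(PROVIDER_CDR))
    return {
        "confirmed": len(confirmed),
        "device_only": [s.ts.isoformat() for s in device_only],
        "provider_only": [s.ts.isoformat() for s in provider_only],
    }


if __name__ == "__main__":
    print(report())
```

Messages found only on the handset are the ones the Bluetooth or data-cable injection scenario described earlier would produce, and deserve the closest scrutiny; messages found only in the operator's records point to deletion on the handset or to the SIM having been used in another device. A constant offset between the two clocks is itself a finding and should be measured before the tolerance is chosen.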
In many cases, however, triangulation has to be performed by the lead investigator rather than the forensic analyst, as much corroborating evidence lies outside the sphere of technology. To help the lead investigator understand where the case may lack depth and confirmation, the forensic analyst should document potential issues in detail in any forensic report destined for internal consumption.
This paper introduced the main methods of connectivity available to a modern cell phone. While a court decision should always be based on a well-balanced review of all available evidence, in some cases the investigation of a mobile device is likely to play a large role. The stringent requirements imposed on the output of a forensic investigation and subsequent testimony were examined through a review of the evidence law applicable to the United States federal court system.
It was shown that, despite significantly improved technical capabilities, mobile phones still do not match desktop computers, and consequently have less capacity to provide detailed and accurate log information. Despite this limitation, vulnerabilities common in wired computing also occur on this new category of devices. The variety of operating systems, and the ease with which they can be altered to match the user's preferences, further limits mobile forensics. Finally, the issue of maintaining evidence integrity was reviewed: given the number of entry points into current mobile devices, precautions need to be taken during transport to a forensic lab.
There is no hard and fast rule for dealing with these trust issues. What matters is that they are well documented, and that all important facts established during the investigation are triangulated. This offers the best defence for the case built on the output of the mobile forensics process.
Bluetooth (2007) Bluetooth Security. Bluetooth SIG. URL: http://www.bluetooth.com/Bluetooth/Learn/Security/ [Accessed: May 16th, 2007]
Cornell (2007) Federal Rules of Evidence. Cornell Law School: Ithaca. URL: http://www.law.cornell.edu/rules/fre/index.html [Accessed: May 10th, 2007]
Coughlin, K (2006) FBI uses cellphones to eavesdrop on suspects - even when they're off. The Seattle Times: Seattle. URL: http://www.policeone.com/police-products/radios/surveillance-accessories/articles/1197457/ [Accessed: May 21st, 2007]
FBI (1999) Digital Evidence: Standards and Principles. Forensic Science Communications, Vol 2, Nr 2, April 2000. FBI: Washington, DC. URL: http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm [Accessed: May 13th, 2007]
FBI (1999b) Digital Evidence: Standards and Principles. Forensic Science Communications, Vol 2, Nr 2, April 2000. FBI: Washington, DC. URL: http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm [Accessed: May 16th, 2007]
FTC (2001) Electronic Signatures in Global and National Commerce Act. Federal Trade Commission: Washington, DC. URL: http://www.ftc.gov/os/2001/06/esign7.htm [Accessed: May 15th, 2007]
Harrington (2007) Signal Isolation. URL: http://mobile-examiner.com/vb/showthread.php?p=39 [Accessed: May 20th, 2007]
Jerz, M (2006) Sony Ericsson P990i review. My-Symbian.com. URL: http://my-symbian.com/uiq3/review_p990i.php [Accessed: May 12th, 2007]
Laurie, A (2003) Bluetooth. The Bunker: Kent. URL: http://www.thebunker.net/resources/bluetooth [Accessed: May 16th, 2007]
Liston, K (2007) ANI: It Gets Better. Internet Storm Center Diary. Internet Storm Center: Bethesda, MD. URL: http://isc.sans.org/diary.html?storyid=2551 [Accessed: May 14th, 2007]
Meyers, M & Rogers, M (2004) Computer Forensics: The Need for Standardization and Certification. International Journal of Digital Evidence, Vol 3, Nr 2, Fall 2004. Utica College: Utica.
Microsoft (2002) Microsoft Security Bulletin MS02-058. Microsoft Corporation: Redmond, WA. URL: http://www.microsoft.com/technet/security/Bulletin/MS02-058.mspx [Accessed: May 10th, 2007]
NIST (2007) Guidelines on Cell Phone Forensics. Special Publication 800-101. National Institute of Standards and Technology: Washington, DC.
Rutkowska, J (2007) Beyond the CPU: Defeating Hardware Based RAM Acquisition. COSEINC Advanced Malware Labs: Singapore. URL: http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf [Accessed: May 20th, 2007]
Schneier, B (2005) Bluetooth Sniper Rifle. URL: http://www.schneier.com/blog/archives/2005/04/bluetooth_snipe.html [Accessed: May 16th, 2007]
Sipera (2007) Samsung SCH-i730 phones running Windows Mobile 2003 and SJPhone SIP soft phone is vulnerable to buffer overflow vulnerability. Threat Advisories. URL: http://www.sipera.com/index.php?action=resources,threat_advisory&tid=216& [Accessed: May 18th, 2007]
Symantec (2005) SymbOS.Commwarrior.A. Symantec Security Response. Symantec: Cupertino, CA. URL: http://www.symantec.com/security_response/writeup.jsp?docid=2005-030721-2716-99&tabid=2 [Accessed: May 18th, 2007]
Trend Micro (2007) Vulnerability in Internet Explorer for Windows Mobile. Security Advisories. Trend Micro: Cupertino, CA. URL: http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+Internet+Explorer+for+Windows+Mobile. [Accessed: May 17th, 2007]
Wong, F-L, Stajano, F & Clulow, J (2005) Repairing the Bluetooth pairing protocol. University of Cambridge: Cambridge. URL: http://www.cl.cam.ac.uk/research/dtg/~fw242/publications/2005-WongStaClu-bluetooth.pdf [Accessed: May 10th, 2007]