StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

SSDD Forensics Issues - Essay Example

Cite this document
Summary
The author describes the similarities and differences between computer forensics and SSDD forensics, carving methodology, the logical acquisition approach, evidential data/information that can be extracted from the iPhone’s iTunes backup and admissibility of SSDD in U.S. Civil Litigation…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER98.8% of users find it useful
SSDD Forensics Issues
Read Text Preview

Extract of sample "SSDD Forensics Issues"

Q1. Similarities and differences between Computer forensics and SSDD forensics Computer forensics SSDD forensics The probability of using personal computer for criminal activities is less compared to SSDD. Normally people do not take a risk to use their own PC for criminal activities or the tendency of a PC to be in place of where such activity been taken place. (Harrill, 2007) Comparatively higher probability for been used for illegal activities. For example a mobile phone can record a crime in place and used as evidence later has more probability. Uses magnetic and optical storage devices where forensic potential is low Uses flash memory (EEPROM) where forensic potential is high. More opened to the user. More information on the internal architecture and file systems are available to the user. (Baggili) More closed to the user Low level interfaces are provided. User can create, modify and update programs user low level interface. No low level interface provided for the user Higher data retention. Data are available for long periods of time. Higher data retention User is aware of what data has been stored. User is not aware of what data has been stored always. Q2. Graph Theoretic Carving Bi-fragmented Gap Carving Smart Carving (Memon) Smart Carving is the best type of carving. This carving methodology is a technique to look for other characteristics in file types besides header and footer signatures. Smart carving methodology is a technique to look also at other characteristics like embedded files, probability factors, entropy, etc. where GTC and Bi-fragmented Gap carving concentrated on the header and footer of image data. Q3. The logical acquisition approach is based on acquiring a logical bit-by-bit copy of the directories and various types of files (address files) found within the iPhone file system. But, Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip). Logical backups are considered a rich source of data files that can help build evidence. They can also provide proof of the pairing relationship between the computers that has been previously synched with the iPhone device if that computer was seized as part of the investigation. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device vendors needs to secure against arbitrary reading of memory so that a device may be locked to a certain operator. Evidential data/information that can be extracted from the iPhone’s iTunes backup are listed below. SQLite Database Content Keychain-2.db Accounts, services associated with the accounts, and encrypted passwords AddressBook.sqlitedb Address book contact information AddressBookImages.sqlitedb Images associated with saved contacts call_history.db Incoming and outgoing call logs Calendar.sqlitedb Calendar events notes.db Note files sms.db Text and multimedia messages 0000000000000001.db Email messages accessed on Gmail Web interface 0000000000000003.db Translation terms searched on Google Translate Web interface voicemail.db Voicemail messages Recordings.db Voice memos recorded on the device friends.db Facebook friends list plist files plist files Content com.apple.accountsettings.plist Email accounts configured on Apple Mail application Directions.plist Directions to remote locations that have been queried History.plist Log of searched locations com.apple.Maps.plist Last viewed latitude and longitude com.apple.mobilephone.speeddial.plist Speed dial contacts saved in the Favorites list com.apple.mobilephone.plist Last phone numbers dialed Bookmarks.plist Bookmarked URLs History.plist Browsing history Cookies.plist Information about cookies saved by visited websites com.apple.preferences.datetime.plist Local date and time zone com.apple.network.identification.plist Wireless networks accessed by the device com.apple.wifi.plist Wireless network settings com.apple.preferences.network.plist Status of wifi and Bluetooth networks com.apple.MobileBluetooth.devices.plist Log of Bluetooth devices paired with the iPhone com.apple.MobileBluetooth.services.plist History of Bluetooth pairings com.apple.commcenter.plist ICCID and IMSI unique identifiers Info.plist Device information including device name, unique identifier, phone number, serial number, etc. The name of the backed-up folder is a long combination of forty hexadecimal numbers and characters (0-9 and a-f), and represents a unique identifier for the device from where the backup was obtained. This unique identifier appears to be a hashed value since it was the same unique name given to the backed-up folder by iTunes on both Mac and Windows operating systems. Within this folder reside hundreds of backup files with long hashed filenames consisting of forty numbers and characters. These filenames signify a unique identifier for each set of data or information copied from the iPhone memory. Backed-up data is stored in three file formats, plist files which stores data in plaintext format, mddata files which stores data in a raw binary format and mdinfo files which store encoded metadata of the corresponding binary mddata files. Figure 3 shows the Backup folder containing the backed-up files.Generally, the iPhone file system stores data in binary lists and database files. The device configuration, status, applications settings and preferences are stored in XML format plist files. In order analyze the above sated file structure few parsing tools such as, „MobileSyncBrowser‟ ("MobileSyncBrowser,") or „iPhone Backup Extractor‟ ("iPhone / iPod Touch Backup Extractor,") can be used to translate iPhone binary backed-up files into their original readable file formats. In this study, the „iPhone Backup Extractor‟ utility for Mac was used to parse the mddata, mdinfo backed-up files and extract them back into a format that can be accessible directly within their associated utility or application. The obtained SQLite database and plist files were created under a directory structure parallel to that on the iPhone file system. (Bader) Q4. Rule 104(a) assigns judges the responsibility of making a preliminary determination on allowing an expert to testify. Judge can decide on allowing an expert to make a statement in a case depending on his qualifications. Rule 702 requires the judge to determine whether the admission of such testimony will assist the tier of fact to understand evidence or determine a fact at issue. Simply the statement by the expert should be relevant to the case. Rule 403 allows the judge to exclude evidence if it’s likely prejudicial effect outweighs its probative value. Challenges The tools to collect and examine evidence on small scale digital devices are clearly different from the tools commonly used for more traditional ESI collections. For PDAs require specialized forensic tools and procedures distinct from those tools used for single PC systems and network servers. Many of the tools that investigators use to extract evidence are not designed to be forensically sound. Because the tools were not designed with court admissibility as their objective, gaps can be found then exploited by opposing counsel and their experts. Some methods and technologies used to acquire data from SSDDs are prone to contamination. For a example, there are times when an attempt to use a USB write blocker in acquiring data from a small scale digital device will negatively impact the computer’s ability to connect to the small scale digital device. In those instances, the write-blocker must be removed and the ability to testify that no changes have been made during the acquisition process becomes very circumstance. (Hendricks, 2008) Q5. SIM: The types of data (digital evidence) can be found on a SIM are Last Number Dialed (LDN), Phonebook/Contacts (ADN), Text Messages (SMS), including deleted text messages, Location information (LOCI) from position of last usage, and Service Related Information. A SIM could potentially be moved between various types of GSM cell phones. The implication here is that a suspect can store specific information such as text messages and contacts only on the SIM. The cell phone then only acts as a shell, and the SIM can be then be moved to another ”network unlocked” cell phone. In most GSM devices the SIM is required to successfully boot the phone. The SIM is essentially a type of smart card that contains a 16 - 128 kb EEPROM (Electronically Erasable Programmable Read Only Memory). The SIM is assigned the cell phone number from the network which is tied to its ICCID, IMSI number as well as the IMEI number of the handset. The SIM file system is hierarchical in nature consisting of 3 parts; 1) Master File (MF) - root of the file system that contains DF’s and EF’s 2) Dedicated File (DF) 3) Elementary Files (EF) Hard Drive Memory: As surprising as it may be, technological advancements have enabled cell phone manufacturers to now use 1 inch compact drives, similar to the ones found in portable music players (like Apple’s iPod). Storage capacity can range from 3 gigabytes (GB) to 12 GB and upwards. Pictures, Movies, Audio files (mp3) are stored in such locations. Supported with FAT32 file system. Traditional forensic tools (EnCase, Forensic Toolkit (FTK), Pro Discover, iLook, Win Hex) could be used to analyze this type of memory. However, because these devices could contain proprietary files systems, it may be difficult to interpret. Memory Cards (micro SD or TransFlash): The types of data (digital evidence) can be found on a memory cards are pictures, movies, audio Files, and documents. These removable flash memory cards can be found mainly in cellular phones. But can also be used in GPS devices, portable audio players, video game consoles and expandable USB flash drives. The capacity of micro SD/TransFlash memory cards currently range in storage size from 64 MB (megabytes) to 8 GB (gigabytes) and upward. The location on a mobile device, as to where a memory card can be found varies depending upon the manufacturer. It is strongly recommended to check each device thoroughly to determine whether it contains a memory card. On the outside of a device, there is usually a small port cover that will have an inscription of “micro SD” or “TransFlash”. Opening the port cover will reveal a slot for the memory card. Typically these cards contain a FAT16 file system (although FAT12 has been observed). The cards listed at or exceeding the 4GB capacity are categorized as Secure Digital High Capacity (SDHC) and may use a FAT 32 file system to support partition sizes greater than 2GB. A memory card with a unique proprietary file system, may be encountered, that is used by the device, in which a traditional forensic data analysis approach will not work. In one example an examination of a micro SD card from a Nokia (Symbian based) contained a proprietary file system. (Punja, 2008) Q6. 1. Mobile phones have proprietary file systems. 2. Mobile phones have proprietary file transfer protocols. 3. Mobile phone providers lock down certain features of the device. 4. Different mobile phone providers might install different operating systems on the mobile phone device. 5. Cables used in the forensic acquisition of a mobile phone can be different. (Ibrahim, 2007) References Baggili, I.Small Scale Digital Devices, Lecture 1. Retrieved from Harrill, D.C. Mislan, R.P. (2007). A Small Scale Digital Device Forensics ontology. Small scale digital device forensics journal. vol. 1. Retrieved from Memon, N. (n.d). Image Forensics collection, search, authentication and attribution Retrieved from Bader, M. Baggili, I. iPhone (n.d) 3GS Forensics: Logical analysis using Apple. Retrieved from Hendricks, R. (2008). Admissibility of Small Scale Digital Devices in U.S. Civil Litigation. Small scale digital device forensics journal. vol. 2. Retrieved from Punja, S.G. Mislan, R.P. (2008). Admissibility Mobile Device Analysis. Small scale digital device forensics journal. vol. 2. Retrieved from Ibrahim, M. Baggili, I.M. Mislan, R. Rogers, M. (2007). Mobile Phone Forensics Tool Testing: A Database Driven Approach. International Journal of Digital Evidence. vol. 6. Retrieved from Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“SSDD Forensics Issues Essay Example | Topics and Well Written Essays - 1000 words - 1”, n.d.)
Retrieved from https://studentshare.org/law/1407095-final-exam-ssdd-forensics
(SSDD Forensics Issues Essay Example | Topics and Well Written Essays - 1000 Words - 1)
https://studentshare.org/law/1407095-final-exam-ssdd-forensics.
“SSDD Forensics Issues Essay Example | Topics and Well Written Essays - 1000 Words - 1”, n.d. https://studentshare.org/law/1407095-final-exam-ssdd-forensics.
  • Cited: 0 times

CHECK THESE SAMPLES OF SSDD Forensics Issues

Industrial Espionage at XYZ

I am a computer forensics specialist for the local Police Department.... hellip; I am a computer forensics specialist for the local Police Department.... Industrial Espionage at XYZ.... In that capacity and considering case 1, I have worked with the Systems Administrator of XYZ Company....
3 Pages (750 words) Assignment

An Evaluation of Wireless Intrusion Prevention and Protecting Insecure Channels

Without a doubt, wireless technology offers a large number of advantages over traditional networking technologies that's why their usage is continuously increasing with the passage of time, but they also bring serious security issues that affect the quality of communication.... The basic purpose of this paper is to present a detailed analysis of wireless technology and issues associated with them.... After that a detailed discussion on wireless security issues has been provided....
30 Pages (7500 words) Research Paper

Universal Plug and Play and Its Weaknesses

The assignment "Universal Plug and Play and Its Weaknesses" investigated that many routers are still shipped with grave security bugs, new exploits are coming into the fame where security flaws in Universal Plug and Play devices are turning up into dangerous issues for the systems.... In this paper, we will cover some of the main issues associated with the universal plug and play devices and the ways that can be used to overcome the risk of hackers' attacks.... The three main security flaws bringing millions of users under risk of attack include programming issues in SSDP raising the risk of execution of arbitrary code, exposure of private networks to attacks because of exposure of plug and play control interface, and crashing of the service because of programming bugs in HTTP, UPnP, and SOAP (Moore 2013)....
12 Pages (3000 words) Assignment

Bioarchaeology on Human Dental Remains

Bioarchaeology, the study of human remains from an archaeological setting particularly the human bones and dental development, aims to determine the history of human adaptations according to a diverse environmental, economic status, and social contexts. Since bones and teeth… parts of the human body that do not decompose for a long period of time, bioarchaeologists are some of the few individuals who takes time in studying the human bone and teeth remains....
9 Pages (2250 words) Essay

Security of the Wireless Networks at Home and in the Office

The contest now held in Las Vegas, where thousands of people from all over the world meet each year to converse issues concerning among other things wireless security.... … The paper “Security of the Wireless Networks at Home and in the Office" is a persuading example of a term paper on information technology....
3 Pages (750 words) Essay

The Study of Human Skeletal Remains

The paper "The Study of Human Skeletal Remains" discusses that the study of human dental remains particularly the physical appearance and structure could provide the researcher with some basic information such as age, sex, health condition, lifestyle and habits.... hellip; Cigarette or pipe smoking habit, drinking coffee and tea are some of the most common cause of extrinsic stains on the teeth....
10 Pages (2500 words) Research Proposal

The Features and Requirements of Network Security

A lot of security issues will be taken into consideration.... The cabling should support a variety of communication standards, keeping in mind the future aspect of the upcoming technologies as compatibility issues are sometimes so costly that whole network architecture and design need to be created.... hellip; As per the field of digital forensics, the network design client/server architecture will be adequate for meeting the requirements....
7 Pages (1750 words) Case Study

Managing Risks for IT Managers, Auditors, and Investigators

Shell bags, therefore, play a very important role in the forensics of windows 7.... … The paper “Managing Risks for IT Managers, Auditors, and Investigators” is a fascinating case study on information technology.... Forensic artifacts form an important role in computer systems....
12 Pages (3000 words) Case Study
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us