
SSDD Forensics Issues - Essay Example

Summary
The author describes the similarities and differences between computer forensics and SSDD forensics, carving methodology, the logical acquisition approach, evidential data/information that can be extracted from the iPhone’s iTunes backup and admissibility of SSDD in U.S. Civil Litigation…

Extract of sample "SSDD Forensics Issues"

Q1. Similarities and differences between computer forensics and SSDD forensics

1. Computer forensics: A personal computer is less likely than an SSDD to be used for criminal activities. People normally do not take the risk of using their own PC for criminal activities, and a PC is less likely to be present where such activity takes place. (Harrill, 2007)
   SSDD forensics: Comparatively higher probability of being used for illegal activities. For example, a mobile phone is more likely to record a crime where it takes place and be used as evidence later.
2. Computer forensics: Uses magnetic and optical storage devices, where forensic potential is low.
   SSDD forensics: Uses flash memory (EEPROM), where forensic potential is high.
3. Computer forensics: More open to the user. More information on the internal architecture and file systems is available to the user. (Baggili)
   SSDD forensics: More closed to the user.
4. Computer forensics: Low-level interfaces are provided. The user can create, modify and update programs using the low-level interface.
   SSDD forensics: No low-level interface is provided for the user.
5. Computer forensics: Higher data retention. Data are available for long periods of time.
   SSDD forensics: Higher data retention.
6. Computer forensics: The user is aware of what data has been stored.
   SSDD forensics: The user is not always aware of what data has been stored.

Q2.

Graph Theoretic Carving
Bi-fragmented Gap Carving
Smart Carving (Memon)

Smart Carving is the best type of carving. This carving methodology looks for characteristics of file types other than header and footer signatures, such as embedded files, probability factors and entropy, whereas GTC and Bi-fragmented Gap Carving concentrate on the header and footer of image data.

Q3. The logical acquisition approach is based on acquiring a logical bit-by-bit copy of the directories and various types of files (address files) found within the iPhone file system. Physical acquisition, by contrast, implies a bit-by-bit copy of an entire physical store (e.g., a memory chip).
Logical backups are considered a rich source of data files that can help build evidence. They can also provide proof of the pairing relationship between the iPhone and a computer that was previously synced with it, if that computer was seized as part of the investigation. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because device vendors need to secure against arbitrary reading of memory so that a device may be locked to a certain operator.

Evidential data/information that can be extracted from the iPhone's iTunes backup is listed below.

SQLite databases and their content:
Keychain-2.db: Accounts, services associated with the accounts, and encrypted passwords
AddressBook.sqlitedb: Address book contact information
AddressBookImages.sqlitedb: Images associated with saved contacts
call_history.db: Incoming and outgoing call logs
Calendar.sqlitedb: Calendar events
notes.db: Note files
sms.db: Text and multimedia messages
0000000000000001.db: Email messages accessed on Gmail Web interface
0000000000000003.db: Translation terms searched on Google Translate Web interface
voicemail.db: Voicemail messages
Recordings.db: Voice memos recorded on the device
friends.db: Facebook friends list

plist files and their content:
com.apple.accountsettings.plist: Email accounts configured on Apple Mail application
Directions.plist: Directions to remote locations that have been queried
History.plist: Log of searched locations
com.apple.Maps.plist: Last viewed latitude and longitude
com.apple.mobilephone.speeddial.plist: Speed dial contacts saved in the Favorites list
com.apple.mobilephone.plist: Last phone numbers dialed
Bookmarks.plist: Bookmarked URLs
History.plist: Browsing history
Cookies.plist: Information about cookies saved by visited websites
com.apple.preferences.datetime.plist: Local date and time zone
com.apple.network.identification.plist: Wireless networks accessed by the device
com.apple.wifi.plist: Wireless network settings
com.apple.preferences.network.plist: Status of wifi and Bluetooth networks
com.apple.MobileBluetooth.devices.plist: Log of Bluetooth devices paired with the iPhone
com.apple.MobileBluetooth.services.plist: History of Bluetooth pairings
com.apple.commcenter.plist: ICCID and IMSI unique identifiers
Info.plist: Device information including device name, unique identifier, phone number, serial number, etc.

The name of the backed-up folder is a long combination of forty hexadecimal numbers and characters (0-9 and a-f), and represents a unique identifier for the device from which the backup was obtained. This unique identifier appears to be a hashed value, since iTunes gave the backed-up folder the same unique name on both Mac and Windows operating systems. Within this folder reside hundreds of backup files with long hashed filenames consisting of forty numbers and characters. These filenames signify a unique identifier for each set of data or information copied from the iPhone memory. Backed-up data is stored in three file formats: plist files, which store data in plaintext format; mddata files, which store data in a raw binary format; and mdinfo files, which store encoded metadata of the corresponding binary mddata files. Figure 3 shows the Backup folder containing the backed-up files.

Generally, the iPhone file system stores data in binary lists and database files. The device configuration, status, application settings and preferences are stored in XML format plist files. To analyze the file structure described above, parsing tools such as "MobileSyncBrowser" ("MobileSyncBrowser,") or "iPhone Backup Extractor" ("iPhone / iPod Touch Backup Extractor,") can be used to translate iPhone binary backed-up files into their original readable file formats.
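The backup layout described above (a folder named with forty hexadecimal characters that holds plist, mddata and mdinfo files) can be inventoried before any parsing tool is run. The Python below is an added example, not part of the original essay or of the tools it names: it identifies each file by its leading bytes and records a SHA-256 hash of it. The folder, the file names and their contents are constructed sample data, and storing the mdinfo metadata as a binary plist is an assumption of the sample.

```python
import hashlib
import plistlib
import re
import sqlite3
import tempfile
from pathlib import Path

HEX40 = re.compile(r"[0-9a-f]{40}")
# Leading bytes of the content types the essay lists (SQLite databases, plists).
MAGIC = [(b"SQLite format 3\x00", "sqlite"),
         (b"bplist00", "binary plist"),
         (b"<?xml", "xml plist")]

def classify(data):
    """Identify content by its leading bytes rather than by its file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(backup_dir):
    """Return {file name: (kind, sha256)} using read-only access."""
    backup_dir = Path(backup_dir)
    if not HEX40.fullmatch(backup_dir.name):
        raise ValueError("folder name is not a 40-character hex identifier")
    report = {}
    for f in sorted(backup_dir.iterdir()):
        if f.is_file():
            data = f.read_bytes()
            report[f.name] = (classify(data), hashlib.sha256(data).hexdigest())
    return report

def build_sample(root):
    """Create a constructed backup folder (sample data, not from a device)."""
    folder = Path(root) / ("ab" * 20)          # constructed device identifier
    folder.mkdir()
    con = sqlite3.connect(str(folder / ("11" * 20 + ".mddata")))
    con.execute("CREATE TABLE message (address TEXT, text TEXT)")
    con.commit()
    con.close()
    # Assumption of this sample: mdinfo metadata is stored as a binary plist.
    meta = plistlib.dumps({"Path": "sms.db"}, fmt=plistlib.FMT_BINARY)
    (folder / ("11" * 20 + ".mdinfo")).write_bytes(meta)
    info = plistlib.dumps({"Device Name": "sample"}, fmt=plistlib.FMT_XML)
    (folder / "Info.plist").write_bytes(info)
    (folder / ("22" * 20 + ".mddata")).write_bytes(b"\x00" * 32)
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (kind, digest) in triage(build_sample(tmp)).items():
            print(f"{name[:12]:<12}  {kind:<12}  sha256={digest[:16]}")
```

Run it against a working copy of the backup; the recorded hashes let the examiner show later that the files did not change during analysis.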
In this study, the "iPhone Backup Extractor" utility for Mac was used to parse the mddata and mdinfo backed-up files and extract them back into a format that can be accessed directly within their associated utility or application. The obtained SQLite database and plist files were created under a directory structure parallel to that on the iPhone file system. (Bader)

Q4. Rule 104(a) assigns judges the responsibility of making a preliminary determination on allowing an expert to testify. The judge can decide whether to allow an expert to make a statement in a case depending on the expert's qualifications. Rule 702 requires the judge to determine whether the admission of such testimony will assist the trier of fact to understand evidence or determine a fact at issue. Simply put, the statement by the expert should be relevant to the case. Rule 403 allows the judge to exclude evidence if its likely prejudicial effect outweighs its probative value.

Challenges

The tools to collect and examine evidence on small scale digital devices are clearly different from the tools commonly used for more traditional ESI collections. PDAs require specialized forensic tools and procedures distinct from those used for single PC systems and network servers. Many of the tools that investigators use to extract evidence are not designed to be forensically sound. Because the tools were not designed with court admissibility as their objective, gaps can be found and then exploited by opposing counsel and their experts. Some methods and technologies used to acquire data from SSDDs are prone to contamination. For example, there are times when an attempt to use a USB write blocker in acquiring data from a small scale digital device will negatively impact the computer's ability to connect to the device. In those instances, the write blocker must be removed, and the ability to testify that no changes have been made during the acquisition process becomes very circumstantial. (Hendricks, 2008)

Q5.
SIM: The types of data (digital evidence) that can be found on a SIM are Last Number Dialed (LDN), Phonebook/Contacts (ADN), Text Messages (SMS), including deleted text messages, Location information (LOCI) from position of last usage, and Service Related Information. A SIM could potentially be moved between various types of GSM cell phones. The implication here is that a suspect can store specific information such as text messages and contacts only on the SIM. The cell phone then only acts as a shell, and the SIM can then be moved to another "network unlocked" cell phone. In most GSM devices the SIM is required to successfully boot the phone. The SIM is essentially a type of smart card that contains a 16 - 128 kb EEPROM (Electrically Erasable Programmable Read Only Memory). The SIM is assigned the cell phone number from the network, which is tied to its ICCID and IMSI number as well as the IMEI number of the handset. The SIM file system is hierarchical in nature, consisting of 3 parts:
1) Master File (MF) - root of the file system that contains DFs and EFs
2) Dedicated File (DF)
3) Elementary Files (EF)

Hard Drive Memory: As surprising as it may be, technological advancements have enabled cell phone manufacturers to now use 1 inch compact drives, similar to the ones found in portable music players (like Apple's iPod). Storage capacity can range from 3 gigabytes (GB) to 12 GB and upwards. Pictures, movies and audio files (mp3) are stored in such locations. The FAT32 file system is supported. Traditional forensic tools (EnCase, Forensic Toolkit (FTK), Pro Discover, iLook, Win Hex) could be used to analyze this type of memory. However, because these devices could contain proprietary file systems, the data may be difficult to interpret.

Memory Cards (micro SD or TransFlash): The types of data (digital evidence) that can be found on memory cards are pictures, movies, audio files, and documents. These removable flash memory cards can be found mainly in cellular phones, but can also be used in GPS devices, portable audio players, video game consoles and expandable USB flash drives. The capacity of micro SD/TransFlash memory cards currently ranges in storage size from 64 MB (megabytes) to 8 GB (gigabytes) and upward. Where a memory card can be found on a mobile device varies depending upon the manufacturer. It is strongly recommended to check each device thoroughly to determine whether it contains a memory card. On the outside of a device, there is usually a small port cover that will have an inscription of "micro SD" or "TransFlash". Opening the port cover will reveal a slot for the memory card. Typically these cards contain a FAT16 file system (although FAT12 has been observed). The cards listed at or exceeding the 4 GB capacity are categorized as Secure Digital High Capacity (SDHC) and may use a FAT32 file system to support partition sizes greater than 2 GB. A memory card with a unique proprietary file system used by the device may be encountered, for which a traditional forensic data analysis approach will not work. In one example, an examination of a micro SD card from a Nokia (Symbian based) device found a proprietary file system. (Punja, 2008)

Q6.
1. Mobile phones have proprietary file systems.
2. Mobile phones have proprietary file transfer protocols.
3. Mobile phone providers lock down certain features of the device.
4. Different mobile phone providers might install different operating systems on the mobile phone device.
5. Cables used in the forensic acquisition of a mobile phone can be different. (Ibrahim, 2007)

References

Baggili, I. Small Scale Digital Devices, Lecture 1. Retrieved from
Harrill, D.C., Mislan, R.P. (2007). A Small Scale Digital Device Forensics ontology. Small scale digital device forensics journal. vol. 1. Retrieved from
Memon, N. (n.d.). Image Forensics collection, search, authentication and attribution. Retrieved from
Bader, M., Baggili, I. (n.d.). iPhone 3GS Forensics: Logical analysis using Apple. Retrieved from
Hendricks, R. (2008). Admissibility of Small Scale Digital Devices in U.S. Civil Litigation. Small scale digital device forensics journal. vol. 2. Retrieved from
Punja, S.G., Mislan, R.P. (2008). Admissibility Mobile Device Analysis. Small scale digital device forensics journal. vol. 2. Retrieved from
Ibrahim, M., Baggili, I.M., Mislan, R., Rogers, M. (2007). Mobile Phone Forensics Tool Testing: A Database Driven Approach. International Journal of Digital Evidence. vol. 6. Retrieved from