Mobile Devices in Electronic Discovery

Transcription

1 Mobile Devices in Electronic Discovery

2 Mobile Devices in Electronic Discovery Abstract Once upon a time they were used to make phone calls; now they are our mobile offices. Mobile devices are a prolific aspect of modern society. For the majority of people, they serve as a primary means of communication both active and passive as well as management systems for daily activities. Today s smart phones offer a broad variety of capabilities, many of which were once only available on computers. Mobile devices have the ability to store our text messages, s with attachments, photos, videos, and web browsing histories. They support third-party chat applications like Viber or Skype and even hyper-sophisticated calendar applications such as PocketLife, which tracks the date/time and geolocation of the user. Recently, proper preservation and production of SMS messages from mobile devices has become a key issue in ediscovery. In 2013 an Illinois court issued the Defendant sanctions of more than $900,000 USD for, among other things, failing to preserve and produce text messages (in re: Pradaxa 1 ). The volume of mobile device data is increasing, and as business and mobile devices become ever more closely intertwined, the potential responsiveness of mobile device data is equally on the rise. Matters involving mobile devices are far more fluid and dynamic than traditional computer forensic matters (think hard drives) because the technology can be quite volatile. These challenges, coupled with the continuous and rapid evolution of available mobile device technologies, require Digital Forensic Investigators to keep a close eye on best practices for managing forensic acquisition and analysis of mobile device data. OVERVIEW It is rare to conduct an investigation or ESI preservation effort that does not involve a mobile device. A recent survey 2 indicated the following: 90% of American Adults have a cell phone 58% of Americans have a smart phone 32% of Americans own an e-reader 42% of Americans own a tablet computer 29% of American cell phone owners describe their devices as something they cannot imagine living without 2. They cannot live without their devices because everything is there. They can send and receive , read or edit documents, get directions, check the news, check their Twitter, Instagram, Facebook accounts, calendar their appointments, send text messages to friends, and engage in a host of other personal and work-related activities. What used to require a full-size computer is now handled by a powerful, portable device. TERMINOLOGY Forensic collection of mobile devices: Acquisitions of mobile devices are a snap shot in time. They are so volatile and constantly changing that two separate acquisitions will likely never yield the exact same data. If nothing else, dates and times of items will constantly be altered. Mobile Application Management ( MAM ): Distributing, managing, and tracking mobile applications via software and services. Jailbreak (ios): This is a method of device modification which is applicable to ios devices only. It allows an end-user to have super control over their Apple device. It turns the device from

3 a read-only system, on which only App Store approved programs can be loaded, into an openended system on which all kinds of third-party software (including malware) can be installed. ios devices that are already jail broken by an end-user can be easier for forensic examiners to acquire, in some instances. In the field of digital forensics, terminology and concepts can evolve rapidly. It s cri cal to remain up-to-date with emerging acronyms and defini ons as well as technologies and methods. vulnerability for certain U.S. celebrities whose accounts were hacked, resulting in theft of their private photographs. Apple has since invoked two-form authentication for Apple ID, which is how users log in to icloud. MOBILE DEVICE MANAGEMENT Mobile Device Management solutions are a growing enterprise in their own right, allowing employers to manage the hordes of varying Android and Apple devices containing their often-confidential ESI. An MDM solution allows administrators to manage aspects of a mobile Android Rooting: Rooting an Android-style tablet or phone is akin to the ios jailbreak method it allows an end-user to manipulate and modify the inner-most parts of the phone. TYPES OF MOBILE PHONE ESI A mobile device can typically contain , text messages, documents, calendars, contacts, call logs, voice mail (visual voice mail is also stored on the device) graphics and video files. An overwhelming majority of user data and evidence is found within databases (typically SQLlite format). Mobile forensic tools as well as standalone database forensic software are used to parse the contents of these databases for easy-to-read reporting. SQLlite databases may also contain deleted records that have not yet been purged. THE CLOUD: AN IMPORTANT POTENTIAL SOURCE OF MOBILE ESI Cloud backups represent an important source of mobile ESI. For example, icloud can store documents, contacts, pictures, and much more. This area of storage can be useful for examiners and litigators, and was recently an area of Fig 1. icloud configuration options. A wide variety of data types can be backed up in the cloud.

4 device including, (a) what kind of pin code or password is required for the device itself; (b) if and how data should be encrypted on the device; (c) the ability to wipe the phone if it is lost or stolen; and even (d) the ability to disable things like the phone s camera when inside sensitive areas of a company. Of these, encryption is one of the most attractive features of an MDM platform. Administrators can encrypt the phone itself, and also set a separate password to unlock the container housing the company s (think of it as a password protected ZIP file on your computer an added layer of protection). For preservation purposes, the MDM software isn t going to help, since you cannot collect remotely. (As of this writing there are no options for remote collection of mobile devices.) COMPUTER FORENSICS VS. MOBILE DEVICES: VOLATILITY Tablets and phones contain very small solid-state type chips for memory functions and storage, versus the spinning platter hard drives of formergeneration computers. There are two primary chip types: (1) NAND Flash and (2) NOR chips. The former are by far the most common and are cheapest to manufacture. NOR chips are typically used to store a type of software called firmware, which tells the phone what it is, how to turn on very basic instructions. NAND chips can be broken up into logical divisions called partitions (just like computer hard drives) and often have a few: one for mobile operating system code, one for restoration / fail-safe code, and one for what is normally referred to as a user partition. This area is where applications and user-created items are typically housed, and is an area of keen focus for ESI acquisition and investigations. NAND chip technology is small, cheap and quite fast; however, its volatility comes into play when things like wear leveling and garbage collection are considered. Wear leveling is a process that essentially spreads the writing of data across the tiny NAND chip so that no single area takes all of the abuse involved in said data writes imagine hitting only the 15 wedge on a dartboard over and over throughout your games. The developers of these chips employ this method to improve shelf life of their hardware, but it can create both problems and opportunities for the forensic examiner: in some situations, wear leveling can cause data loss; in others, it can mean that data was arbitrarily moved before a deletion event, therefore leaving behind some traces. Figure 2: Touchdown MDM PIN Code to access (source: nau.edu)

5 ACQUISITION TYPES FOR MOBILE DEVICES In order of least thorough to most complete: Logical: Active data only: from call log databases, SMS messages etc., File System: Same as logical, but will also contain all contents of the file system(s), the databases themselves and other items better for analysis. Physical: Both active and deleted data are acquired. Acquires file systems in their entirety as well as free space on the flash chips. Is akin to a computer hard drive image, but not verifiable in the same way. Is not available on all devices. Manual: scroll and photograph / video record MOBILE PHONE FORENSIC TOOL EXAMPLES a. Cellebrite UFED and Physical Analyzer b. Oxygen Forensic Analyst Suite c. Blacklight for ios Devices d. Lantern e. XRY These tools can all acquire and analyze a broad array of mobile devices but often times much to the dismay of examiners two different tools assessing the same mobile device can yield entirely different results (as seen in Figure 3.) Some tools do not parse databases correctly and miss various call detail records, or get the right records but misrepresent the associated dates and times. It takes a trained examiner with a variety of tools to adequately extract and assess mobile phone data. It is important to not let a single tool have the final say. ios DEVICES ios devices have an equally large market share compared to their Android counterparts and come with their own unique challenges. A few key things to know: a. To date examiners are unable to acquire data from iphone 4S, 5, 5c, 5s, ipad 2, 3 and Air devices. can be extracted from the original ipad, as well as from the iphone 4 and older devices, as the early generation technologies could not yet encrypt . Figure 3: Different tools can report findings in different ways.

6 b. Examiners must have passwords or PIN codes for the home screen of ios devices, as there is no way to circumvent the PIN code in most cases (unless the phone is a 4 or below and/or the device was jail broken ahead of time by an end-user). c. If a backup password was set this is different form an itunes/apple ID and PIN code this will be required to extract file system or logical data (this can possibly be circumvented in some instances, by way of something called an Advanced Logical Extraction). d. itunes sometimes creates backups of ios automatically, when the device is attached to the computer. Examiners can parse these backups with forensic tools (see examples on the facing page.) These same types of backups can be gathered from icloud if the user had this option enabled. There are very few reliable methods to acquire data from these repositories, but Altep s examiners are equipped to do so completely and correctly. ANDROID EXAMPLES Within the Android arena, applications are much more open-ended and generally less secure. Applications come and go, and need not be signed or proven to be safe, unlike apps which are available in the ios Appstore. Android applications come in the form of.apk files, and are often manipulated by hackers to gain control of the device and steal personal information. However, Forensic Examiners can assess Android applications for signs of infection or data egress. Regarding backups of Android data, a few thirdparty backup tools are available, but these are not widely used and are rarely encountered by Examiners. Most user-created data on an Android device is backed up to the phone s registered Google account. CERTIFICATION EXAMPLES Cellebrite Certified Logical Operator (CCLO) Cellebrite Certified Physical Analyst (CCPA) AccessData Mobile Phone Examiner (AME) Blackbag Tech Mac and ios Certified Forensic Examiner (MiCFE) Figure 4: If enabled, the passcode will be required before acquisition can occur.

7 Figure 5: Parsing a backup of SMS messages Figure 6: Various types of data can be collected.

8 Seattle San Francisco Palo Alto San Diego Phoenix El Paso Dallas Houston Bentonville Chicago Atlanta Red Bank About Our Experts Warren G. Kruse II, CISSP, CFCE, EnCE, DFCP Vice President, Digital Forensics, Altep, Inc. With more than 30 years experience in law enforcement and forensic science, Warren is the author of Computer Forensics: Incident Response Essentials. The diverse range of matters Warren has assisted with includes theft of trade secrets, Wikileaks investigations, misappropriation of intellectual property, breach of contract, internal employment disputes, fraud investigations, and wage and hour class actions, among others. Warren currently serves as the President of the Digital Forensics Certification Board. London Dublin Timothy LaTulippe, CCE, EnCE, MiCFE, NECS, DFCP Senior Computer Forensic Manager, Altep, Inc. Timothy has served as an expert witness in a variety of State, Federal and military proceedings. His broad experience includes matters involving trade secret theft, medical malpractice, intellectual property theft, unfair business practice, fraud and internal investigations. Additionally, Timothy is the author of Working Inside the Box: Real Life Example of GDS ina Forensic Examination, which was published in The Journal of Digital Forensics Security & Law, and The Need for Targeted Collections in a Diminished Economy. 1 In re Pradaxa (Dabigatran Etexilate) Prods. Liability Li g., No. 12- md-2385, 2013 WL , at *17, *20 (S.D. Ill. Dec. 9, 2013) Altep, Inc. All Rights Reserved.