Mobile Forensics
Introduction
Mobile devices are more affordable and commonplace in the workplace. They provide highly mobile data storage in addition to computational and networking capabilities for managing appointments and contact information, reviewing documents, communicating via electronic mail, and performing other tasks. Individuals can store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices also continue to improve rapidly, taking advantage of new forms of removable media, faster processors that consume less power, touch screens with higher pixel resolution, and other components designed specifically for mobile devices. More and more handheld devices are involved in crimes or incidents; therefore, how to properly acquire, retrieve, and examine information present on mobile devices has become a major concern for digital forensics.
Objectives
- Become familiar with the process of synchronizing data between a handheld device and an investigating computer.
- Use software for mobile forensic analysis.
- Explore the capabilities and limitations of a mobile forensic toolkit.
Remember to read the report requirements at the end of this document to see what is necessary to hand in to the instructor.
This lab is to be completed as a team. The report is to be written as a team.
Configuration
- A virtual forensic computer will be used for this exercise.
- A virtual Mobile Phone will be used as the suspect handheld device.
- Microsoft ActiveSync will be used to synchronize data between the virtual mobile phone and the forensic computer. The tool has been properly installed on the forensic computer.
- A demo version of the PDA forensics tool will be used to conduct the investigation. You need to follow the instructions and download the tool from the virtual server and install it.
- Five testing files in different formats have been created and stored in the virtual machine for use in this lab. Please use these files for learning and practice.
- The following instructions show a real-world scenario of mobile forensic analysis.
Testing Data Files:
- Note File: Meeting August 1
- Graphic Files: DC400.gif;
- Word File: RFID Life Cycle.doc
- Text File: Team.txt
Instructions
Three tasks outlined below need to be completed.
Task 1 – Connect Virtual Mobile Phone
- Step 1. Click “Start -> All programs -> Windows mobile 6 SDK -> Standalone Emulator Images -> US English -> Standard” to launch the virtual mobile phone.
- Step 2. Wait until the mobile phone fully starts up (the phone’s screen will show the time and day). Click “dvcemumanager” on the desktop. Then, follow the figure below; right-click the item under “others”, and select “Cradle” to connect the mobile device.
Task 2 - Synchronize Data between Mobile Device and Computer.
Sub-Task 1: Use the ActiveSync utility
- Step 1: The “Microsoft Active Sync” will launch automatically. If not, activate Microsoft ActiveSync... from Start and then the Program menu. If it asks to set up a partnership, click “cancel” to get into the “Guest Partnership”.
- Step 2: Browse the ActiveSync tool to become familiar with the mobile device version of “Explore.” Click on “Explore”.
- Step 3: Copy the five testing files from your VM desktop “My Documents\Labs\Mobile Forensics\Testing” folder to the mobile device as dictated below. Perform the following tasks, and observe and record the response of the devices.
  - Store the Note File, Meeting August 1, under the “Templates” folder.
  - Store the other four files in the “My Pictures” folder.
Q2.1: What are the major differences between “Standard” and “Guest” partnerships? Why is it more appropriate to use a Guest partnership to acquire data from a handheld device?
Q2.2: What happens when you copy files from a PC to a mobile device? Why is there a need to do so?
Sub-Task 2: Become familiar with the Pocket PC.
- Step 1: Play with the virtual Pocket PC menu and learn how to use it. Explore “Start” and “File Explorer”, and verify the successful copy of these files.
- Step 2: Learn how to add, copy and delete files in a mobile device:
  - Delete the file, DC400.gif, from the “My Pictures” folder.
  - Delete the file, Team.txt, from the “My Pictures” folder.
  - Create a contact in the mobile device (Hint: Click “Start” and then “Contacts”).
Task 3: Mobile Forensics
Sub-task 1: Download and install mobile device forensics software.
- Step 1: Make sure that the mobile device, ActiveSync and the forensic computer are still connected (synchronized).
- Step 2: Connect to the server by clicking Start -> Run and entering \\192.168.0.3. Download and install “PocketPCForensicDemo”. This file is in the “public” folder > “software tools.”
Sub-task 2: Mobile device forensics software.
The mobile device forensic software will generate a report for your analysis.
- Step 1: Launch the software “Data Doctor Forensic Software”. Click on the “Start” button.
- Step 2: Fill in the information table, and then click “Next”.
- Step 3: Select all the options, “Files”, “Database”, “OS Registry”, and “Phone Informations”, and save the reports to the desktop for your analysis.
- Step 4: Click “Analyze,” and wait for it to finish the analysis process.
- Step 5: Select “Generate report of selected fields” and select “All”, and then generate an HTML format report. Click “Save” to save the reports to the desktop for your analysis.
Q3.1: Analyze the report. What information can you get from the report?
Q3.2: What are the limitations of this program?
Q3.3: Indicate three other popular mobile device forensics software tools and discuss their differences.
Team Report:
The group report is to show what you did in the project. Clearly state the results of this project. You are expected to hand in a report in the following format:
- A cover page (including project title) with team name and team members
- A table of contents with page numbers
- Use double-spaced typing for convenient grading
- Number pages. Font size 12, Single column
- Save the Microsoft Word document with the team name in the title. Upload the document into the appropriate ANGEL dropbox.
The report should have the following sections. Each section should cover all the topics described below. Take screenshots if necessary.
Section I: Answer the 5 questions embedded throughout the document.
- Q2.1, Q2.2 (page 4)
- Q3.1, Q3.2, Q3.3 (page 6)
Section II: Provide screenshots of the following items:
- Screenshot 1 - Task 2 – Subtask 2 – Step 1 – Take a screenshot of the successful transfer of the 4 files you transferred into the mobile phone under “My Pictures.”
- Screenshot 2 – Task 3 – Subtask 2 – Step 5 – Include a copy of the generated report.
Grading Rubric:
This project has a number of specific requirements. The requirement for each section is documented in the above project instruction “Team Report.” Whether you will get credit depends on the following situations:
- You will get full credit on one item, if it is correctly reported as required and well written.
- You will get half credit on one item, if it is reported as required but there is something definitely wrong.
- You will not get any credit for one item, if it is not reported.
The credit for each section is as follows.
- Section I: 5 Questions (75%):
  - Each item is worth 15%
- Section II: 2 Screenshots (25%)
  - Item 1 is worth 10%
  - Item 2 is worth 15%
Note
This is a team project. Be sure to include the names of all the teammates and all their email addresses in the report. The report should be turned in before class on the specified due date. Late submissions will be issued a grade deduction especially if permission is not obtained from the instructor. The instructor reserves the right to grant or reject extra time for report completion.
References [1]
- Rick Ayers and Wayne Jansen, “PDA Forensic Tools: An Overview and Analysis,” IR 7100, NIST.
- Wayne Jansen and Rick Ayers, “Guidelines on PDA Forensics,” Special Publication 800-72, NIST.
- Rick Ayers, Wayne Jansen, Nicolas Cilleros, and Ronan Daniellou, “Cell Phone Forensic Tools: An Overview and Analysis,” IR 7250, NIST.
- Wayne Jansen and Rick Ayers, “Guidelines on Cell Phone Forensics,” Special Publication 800-101 (Draft), NIST.
- Mobile Phone Forensics & PDA Forensics Links.
- Pocket PC Forensic Software.
[1] All references are available in the Lab 9 folder of Angel