Friday 29 May 2009

MFW09 Day 2

Another day packed with killer talks has passed. My mind is still processing all the information I picked up today, but I cannot resist sharing it with you people.

For me, the day kicked off with Eoghan Casey talking about the forensic soundness of the tools available for mobile forensics. He emphasized that forensic soundness does NOT mean that nothing may be altered on the device, but that any changes made must be documented. It is accepted nowadays to install an agent to facilitate retrieval of data from smartphones, as long as the tool makes clear what is actually happening and the investigator is able to uninstall the agent afterwards.

The second talk was by Ben Lemere (DoD) on GPS forensics. His talk focused on Garmin devices. He analyzed the way Garmin devices create tracklogs and trackpoints when navigating and how these can be recovered. He also demonstrated different methods to extract evidence from the device. Data from a Garmin can be extracted logically by sending AT commands (which are published by Garmin, forgot the URL) to the device. The preferred method is to connect the device as mass storage on your USB port. This allows extracting the complete file system (or at least the relevant part, as far as I know) and analyzing any interesting files.

The afternoon started with a funny talk from Thomas Slovenski about bugging smart phones.

And just when you think you have had the best of it all, up comes Andrew Hoog with a fascinating talk about Android forensics. The info was too much to summarize here. He covered it all: what Android is and how it is built up; how to gain root access by downgrading your device and exploiting a bug that allows you to start the telnetd service as root; how to create a hexdump of the NAND flash memory; and he even touched on the yaffs2 file system used and how to analyze it. Great stuff! I'd love to hear more about it when anyone picks this up and reports further results.

Thursday 28 May 2009

MFW09 Day 1

So, the first day at Mobile Forensics World 2009 has come to an end. I heard some very interesting stuff today on low-level iPhone forensics and mobile phone forensic tool testing.

The first talk was from Rick Voss (FBI) about future developments in digital (and some mobile) forensics. It was mainly about the recent proposal for new legislation on conducting digital forensic investigations. Think of certification and accreditation of labs and so forth (can't remember the rest). It was less applicable to me, because it was focused on US legislation, but still interesting to hear.

The second talk I attended was from Jonathan Zdziarski about low-level iPhone forensics. This guy definitely knows what he's talking about.
He explained the process of 'hacking' the iPhone and how to initiate a dd dump of the user partition of the internal memory over SSH. The hack of the iPhone (often the term 'jailbreaking' is used, even though it is not accurate) is forensically acceptable, since only the system partition is altered in this process. The exact details are too elaborate for now, but in essence it just alters the system partition to include certain tools like netcat, sshd and dd. These are then used to dump the user partition over a netcat connection. The same method of altering the system partition can be used to disable an active handset lock: this is a matter of deleting or altering a certain file in the system partition.
Further, Jonathan is working on a method to transfer the image over USB instead of the network, which should make it faster.

The third talk was from Rick Ayers (NIST) about forensic tool testing. He explained how the process works and how to interpret the documents that result from this process.
In 2010 they will start forensic tool testing for smartphones specifically! This means comparing and testing the tools available for Symbian, Windows Mobile, Apple iPhone, RIM BlackBerry and Android (although this one was not on his slide).

That was it for today, more tomorrow!

Monday 25 May 2009

Track and trace SIMs...without consent!

It was brought to my attention that there exists a method to retrieve geographical information on a SIM by knowing only the subscriber's phone number. Phone-hunter is a service that allows you to do just that. Enter the phone number of the subscriber you would like to track and the website returns the area where the SIM was last registered. This area corresponds to the area of a switching center. The details of the method are described here and I will provide a short summary:

Telecom providers need to know where their subscribers are located. To this end, they keep a record of which subscriber is currently located at which MSC (mobile switching center). This record is actually queried whenever you send a text message, to see where the receiver is at.
To illustrate, if I were to send a text message, the database would be queried using the receiver's MSISDN (phone number) and the query would return the following information:
  • The MSC number the subscriber is currently using
  • The subscriber's IMSI
  • Possibly an error instead (e.g. "absent subscriber", meaning the phone is offline)
The database is open to any company that is a 'telecom provider' (which in practice could be any company). A service like phone-hunter will allow you to query this subscriber database given any MSISDN.

Now, the MSC number is unique for each telecom provider and each MSC is bound to a certain geographical region. Given this info it is possible to determine someone's geographical location down to the region of a certain MSC: wicked!
One small challenge is that the mapping from MSC number to geographical location is not readily available, so for a lot of areas it still has to be determined.
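To make the reasoning above concrete, here is an added example (my own illustration, not code from the post or from the phone-hunter service) that interprets one lookup result the way an investigator would: it takes the MSC number and IMSI the post says come back, derives the country from the MSC number's E.164 prefix and the home network's country from the IMSI's MCC, flags roaming when the two differ, maps the MSC number to a region through a locally maintained table, and treats an "absent subscriber" error as "phone offline". The dict layout of the response, the small numbering tables and the MSC-to-region entries are constructed assumptions, since the real tables are not published.

```python
"""Interpret the result of an HLR lookup as the post describes it.

Added example, not code from the post or from the phone-hunter service.
The response fields are the ones the post lists (MSC number, IMSI, or an
error such as 'absent subscriber'); the dict layout, the number tables and
the MSC-to-region mapping are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Small constructed subsets of public numbering data: E.164 country calling
# codes and ITU mobile country codes (MCC). Real tables are far larger.
E164_COUNTRY = {"31": "NL", "32": "BE", "44": "GB", "49": "DE", "1": "US"}
MCC_COUNTRY = {"204": "NL", "206": "BE", "234": "GB", "262": "DE", "310": "US"}

# Hypothetical MSC number -> region table. The post notes this mapping is not
# published; an investigator has to build it, e.g. by looking up handsets whose
# location is already known and recording which MSC number comes back.
MSC_REGION = {
    "31600000001": "constructed region A",
    "31600000002": "constructed region B",
}


def split_imsi(imsi: str) -> Tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN).

    Simplification: MNCs are 3 digits for North American MCCs (310-316) and
    2 digits elsewhere. Real MNC lengths are per MCC and need a full table.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError(f"malformed IMSI: {imsi!r}")
    mcc = imsi[:3]
    mnc_len = 3 if "310" <= mcc <= "316" else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def country_of_e164(number: str) -> Optional[str]:
    """Longest-prefix match of an international number (digits, no '+')."""
    for n in (3, 2, 1):
        code = E164_COUNTRY.get(number[:n])
        if code:
            return code
    return None


@dataclass
class Location:
    status: str                         # "located", "offline" or "error:<name>"
    msc: Optional[str] = None           # MSC number the lookup returned
    msc_country: Optional[str] = None   # country derived from the MSC number
    region: Optional[str] = None        # region from the local MSC table
    home_country: Optional[str] = None  # country of the SIM's home network (from IMSI)
    roaming: Optional[bool] = None      # True when MSC country differs from home country


def locate(response: dict) -> Location:
    """Turn one lookup response into a Location.

    An 'absentSubscriber' error means the network currently has no MSC for
    the subscriber, i.e. the phone is switched off or out of coverage: no
    location, but the number itself is a live subscription.
    """
    if "error" in response:
        err = response["error"]
        return Location(status="offline" if err == "absentSubscriber" else f"error:{err}")

    msc = response["msc"]
    mcc, _mnc, _msin = split_imsi(response["imsi"])
    msc_country = country_of_e164(msc)
    home_country = MCC_COUNTRY.get(mcc)
    roaming = None
    if msc_country is not None and home_country is not None:
        roaming = msc_country != home_country
    return Location(
        status="located",
        msc=msc,
        msc_country=msc_country,
        region=MSC_REGION.get(msc, "unmapped MSC"),
        home_country=home_country,
        roaming=roaming,
    )


if __name__ == "__main__":
    # Constructed responses, not real lookups.
    for resp in (
        {"msc": "31600000001", "imsi": "204080000000001"},
        {"msc": "49600000009", "imsi": "204080000000001"},
        {"error": "absentSubscriber"},
    ):
        print(locate(resp))
```

The roaming flag is the part worth noting: even when the MSC number is not in your region table, comparing the country code of the MSC number with the country of the IMSI's MCC already tells you whether the subscriber is abroad, which is often the first thing one wants to know.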

I can think of a couple of applications where this may be interesting (never mind the ethics :)): tracking employees, tracking wives, private investigators doing remote observations, etc.

Thursday 21 May 2009

Yet another smart phone OS coming up

Nokia and Intel have just announced the oFono project.
The oFono project is aimed at designing an open-source infrastructure for telephony (GSM/UMTS) applications. oFono is licensed under GPLv2 and it includes a high-level D-Bus API for applications.
Here is a high-level view of the infrastructure:
It looks like Nokia is eager to follow Google's Android open-source concept. I am excited about this, since open source allows for easier and better forensic tool development and hopefully more generic solutions.

I guess Nokia prefers to bet on two horses since Symbian is losing ground in the smart phone market.

Tuesday 12 May 2009

Mobile Forensics World 2009!

Anyone interested in the state of the art in mobile forensics, visit MFW 2009 on the 28th of May:
http://www.mobileforensicsworld.com/default.aspx

I got lucky and have the privilege of attending this conference. There are lots of interesting topics like low-level iPhone forensics, BlackBerry forensics and some talks on GPS forensics.
After the conference, I will write some highlights on this blog.

Friday 1 May 2009

The Nokia 1100 mystery unfolds

This article hits the spot.
Unfortunately the website is in Dutch, so some of you will not be able to read it.
In short, it summarizes the claims made about the possible reasons why the 1100 would be so popular (like opening cars with it...) and how little evidence there is to support those claims.
Particularly the part on Ultrascan, the company that issued the initial statement on the 1100, is interesting. It appears Ultrascan is not even registered with the Chamber of Commerce, and the claims on their website about their size and reach are possibly false. Why then should people take Ultrascan's statements seriously...