ABSTRACT
It is known that, as the use of mobile devices has grown, cyber-crimes involving these devices and their applications have multiplied, and forensic science has evolved so that its techniques and tools have become specific to particular types of platform.
The use of scientific methods for preserving, collecting, restoring, identifying, documenting and presenting digital evidence is what we call computer forensics.
What you should know:
- Readers, to understand these items you only need a little knowledge of the rationale behind forensic techniques and analysis.
- Knowledge of iOS.
- The concepts of "Forensic Investigation".
- Information about the device on which you will apply the method.
What you will learn:
- You will increase your knowledge of preparation and of effective methods for applying forensics to peripheral devices.
  * Know the best tools for iOS devices.
  * A standardized technique to avoid errors.
  * Compare software to know which is best for each case.
  * Learn the key concepts in a simple manner.
- At the end of the reading, you will understand how iOS forensic analysis works.
INTRODUCTION
One of the fundamental principles of forensics is the Locard Exchange Principle. According to this principle, anyone or anything that enters a crime scene carries something of the place away and leaves something behind on departure. In the virtual world of computers, Locard's Exchange Principle is still valid (or at least part of it): wherever the attacker goes, he leaves traces. These traces can be extremely difficult or virtually impossible to identify and follow, but they exist. In such cases the process of forensic analysis can become extremely complex and time consuming, requiring the development of new technologies for searching for evidence.
Any digital information able to determine that there was an intrusion, or that establishes a link between the attacker and the victim or between the intrusion and the attacker, can be considered evidence.
The investigator must be able to identify the evidence from the information he has previously collected.
DIGITAL EVIDENCE, INTRODUCTION
• Digital evidence is information in digital format capable of determining whether a computer system has suffered a violation, or that provides a connection to the victim or to the attacker.
• Evidence of this nature can be duplicated exactly.
• With the right methods, you can verify whether it has been changed.
• It is highly volatile and may be modified during the analysis if the proper precautions are not taken.
PRINCIPLE OF EXCHANGE OF “LOCARD”
Every person who passes through a crime scene leaves something of himself and takes something with him.
Similarly, any person who commits a digital crime leaves traces on the compromised system. The tracks can be difficult to follow, but they are there.
METHODS AND PROCEDURES STANDARDS
• Simplify the process of collecting, storing and analyzing evidence.
• Minimize panic and negative reactions in circumstances where the examination is conducted under high levels of stress, avoiding possible compromise of the evidence.
• Contribute to validating the evidence collected in a criminal prosecution.
• Require a planning phase for their correct implementation.
METHODOLOGY FOR THE TECHNICAL INVESTIGATION
• Collecting information.
• Recognition of the evidence.
• Restoration, documentation and preservation of the evidence found.
• Correlation of the evidence.
• Reconstruction of events.
PREPARATION
• Definition of the policies to be followed and the actions to be taken during the examination.
• Preventive measures to avoid compromising the computer system.
• Monitoring to detect incidents when they occur.
• Choosing the most appropriate tools for data collection and evidence analysis.
TOP iOS Forensics
• There are other tools that help us in the task of performing a forensic analysis on iOS devices, so I will quote the best:
• AccessData MPE+, iXAM, XRY, Neutrino, AccessData Forensic Toolkit, iXAMiner, Lantern, iPhone Backup Analyzer, SecureView, SD Flash Doctor.
TOOLS FOR IOS FORENSICS
Readers, these tools are used for better efficacy in computer forensic examinations; I will quote some of the best-known and most-used analysis software and techniques for collecting digital artifacts.
Forensic Toolkit® (FTK®): “Recognized around the World as the Standard in Computer Forensics Software. FTK is a court-accepted digital investigations platform that is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs”.
More information: http://www.accessdata.com/products/digital-forensics/ftk
“BlackLight is a multi-platform forensic analysis tool that allows examiners to quickly and intuitively analyze digital forensic media. BlackLight is capable of analyzing data from Mac OS X computers, iOS devices (iPhone, iPad, iPod Touch) and Windows computers. It is compatible with all leading logical and physical forensic image formats”. BlackBag Technologies
More: https://www.blackbagtech.com/blog/category/blacklight-forensic-software-blackbag-technologies
Elcomsoft iOS Forensic Toolkit: “Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS.
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. Elcomsoft iOS Forensic Toolkit allows eligible customers to acquire bit-to-bit images of devices’ file systems, extract device secrets (passcodes, passwords, and encryption keys) and decrypt the file system image. Access to most information is provided instantly”.
More: http://www.elcomsoft.com/eift.html
Cellebrite: “The complete solution for Apple devices running any version of iOS! The Cellebrite UFED Series allows extraction of appropriate data for forensic decryption and technical research and analysis of current and deleted data from these devices.
iOS devices: iPhone 2G, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G, iPod Touch 5G, iPad Mini, iPad 1, iPad 2, iPad 3, iPad 4, others.
Different ways to perform data extraction:
Logical and file system extraction (for jailbroken devices), enabled by the UFED Touch.
Physical and file system extraction (for locked devices), enabled by the UFED Physical Analyzer”.
More: http://www.cellebrite.com/mobileforensics?gclid=CIGazMmImL0CFWxp7AodmREAvA
Oxygen Forensic®: “is a mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and tablets. Using advanced proprietary protocols permits Oxygen Forensic® Suite 2013 to extract much more data than usually extracted by logical forensic tools, especially for smartphones”.
More: http://www.oxygen-forensic.com/en/
MPE+ Mobile Forensics: “Software Supports 7000+ Devices, Including iOS®, Android™ and Blackberry® Devices, as well as Devices with Chinese Chipsets.
Mobile Forensic Examiner PLUS® is AccessData’s market leading stand-alone mobile forensics software solution that delivers an intuitive interface, data visualization and smart device support in a single forensic interface. MPE+ supports even the most challenging mobile device profiles and features advanced carving, deleted data recovery, SQLite database browsing and filtering options. Furthermore, MPE+® images integrate seamlessly with Forensic Toolkit® (FTK®) computer forensics software, allowing you to correlate evidence from multiple mobile devices with evidence from multiple computers within a single interface”.
Analysis on mobile devices
• The analysis should be performed on a copy of the original data; the original data must be properly protected. The copy should be bit-for-bit, in order to preserve deleted files and other information.
• The information collected, and the copies made of it, shall be certified using cryptographic signatures.
• The analysis of raw data from disk and memory is too slow. The use of tools for recovering files and dumping processes can streamline the analysis.
• A testing environment may be prepared to assist in the analysis procedure.
• The entire process should be documented.
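The first, second and last points of this list, together with the "Digital evidence" properties above (exact duplication, verifiable change, volatility), are shown below in an added worked example that is not code from the original article or from any of the tools it names. The script makes a byte-for-byte working copy of an acquired image, proves the copy is identical with SHA-256 digests (a cryptographic hash is used here in place of the "cryptographic signatures" the list mentions), writes a custody record documenting the step, and finally shows that a later modification of the working copy is detected. The file names, the temporary directory and the sample image bytes are all constructed for the demonstration.

```python
"""Bit-for-bit working copy, integrity verification and custody record (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image is never loaded into memory whole


def sha256_file(path: str) -> str:
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original: str, copy: str) -> dict:
    """Copy the original image byte for byte and prove the copy is identical.

    Returns a custody record documenting what was copied, when, its size and
    digest.  Raises RuntimeError if the copy differs from the original.
    """
    # Hash the original first, so every later step can be checked against this value.
    original_digest = sha256_file(original)
    shutil.copyfile(original, copy)
    # Make the working copy read-only so an accidental write during analysis fails loudly.
    os.chmod(copy, 0o444)
    copy_digest = sha256_file(copy)
    if copy_digest != original_digest:
        raise RuntimeError("working copy does not match the original image")
    return {
        "original": original,
        "copy": copy,
        "size_bytes": os.path.getsize(original),
        "sha256": original_digest,
        "copied_at_utc": datetime.now(timezone.utc).isoformat(),
        "verified": True,
    }


def verify_unchanged(path: str, expected_sha256: str) -> bool:
    """Re-check a file against the digest recorded in the custody log."""
    return sha256_file(path) == expected_sha256


def demo() -> dict:
    """Run the whole procedure on a constructed sample image in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="ios_forensics_")
    original = os.path.join(workdir, "device_image.dd")      # hypothetical acquisition
    copy = os.path.join(workdir, "device_image_copy.dd")     # hypothetical working copy
    # Constructed sample: 3 MiB of deterministic bytes standing in for a real image.
    with open(original, "wb") as f:
        for i in range(3):
            f.write(bytes([i]) * (1 << 20))
    record = make_working_copy(original, copy)
    # Document the step: the custody record is written next to the evidence.
    with open(os.path.join(workdir, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    record["still_matches"] = verify_unchanged(copy, record["sha256"])
    # Simulate a modification of the working copy during analysis: the check must now fail.
    os.chmod(copy, 0o644)
    with open(copy, "r+b") as f:
        f.write(b"\xff")  # overwrite the first byte (originally 0x00)
    record["matches_after_tamper"] = verify_unchanged(copy, record["sha256"])
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the custody record; `still_matches` is true right after the copy and `matches_after_tamper` is false once a single byte has been changed, which is the property that lets an examiner show the working copy was, or was not, altered during analysis.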
CONCLUSION
Forensics on mobile devices is one of the aspects of information security that draws considerable attention from corporations, ordinary users and members of the scientific community. Despite the various tools available that greatly facilitate the examiner's work, the final conclusion still hangs on the experience and integrity of the professional who conducted the investigation.