When Computer Forensics & Mobile Forensics Collide
Speaker Introduction
• Rob Schroader, CEO
• [email protected]
• 801-796-0944
• 10 years of experience with digital forensic professionals
• iPhone addict
The Forensics of Things
• What is a Computer?
• What is a Mobile Device?
• What Else Connects to Internet/Social Media?
The Forensics of Things
• iPhone 6 – A7 Processor:
  • Dual Core 1.38 GHz Processor
  • 1 GB LPDDR3 RAM
  • 128 GB Storage
• Huawei Ascend Mate 7
  • Quad Core 1.8 GHz Processor
  • 2/3 GB RAM
  • 32 GB Storage
  • microSD Slot (128 GB)
The Forensics of Things
• My Laptop
  • Dual Core 2.0 GHz Processor
  • 2 GB RAM
  • 122 GB Hard Drive
What you do is the same as your suspect does with…
• A computer
  • Surf the internet
  • Type documents
  • Games
• A tablet
  • Play games
  • Surf the internet
• A cell phone
  • Call friends
  • Text friends
  • Social Media
  • Apps, Apps, Apps
Know Your Risks
• Device Type
  • Computer
  • Mobile
• Environment
  • Weather
  • Signals
• People
  • There is no license to operate a computer/mobile.
Where’s the Data?
• Computer
• Mobile Device
• Mobile Data on Computers
• The Cloud…The Dreaded Cloud!!!
Forensic Rules
• Chain of Custody
  • First Responder is lab
• Documentation
  • Set procedures
• Hash Validation
  • Math is your friend
• Tools & Methodologies
  • Validate tools before the field
Forensic Tools Questions
• Is it read only?
  • Yes
  • No
• Can I repeat my results?
• What are your validation steps?
Forensic Tools Questions
• Is the data verified and if so how?
  • What hash values are used?
  • Can those values be repeated?
  • Are there other validations?
• Was it designed for forensics, and are the images gathered valid?
• Is it a commercial tool that is being used in forensics?
• How is the image file created?
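An added example (not from the original slides) of the repeatability check these questions point at: hash an image read-only, re-hash it later, and report any algorithm whose value no longer matches. The MD5/SHA-256 pair, the function names and the temporary sample file are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images never sit in RAM
ALGORITHMS = ("md5", "sha256")  # assumed pair; use whatever your procedure records


def hash_image(path):
    """Hash the file in one read-only pass and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:  # "rb": the evidence file is never written to
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash and return the algorithms whose digest no longer matches."""
    current = hash_image(path)
    return [name for name in ALGORITHMS if current[name] != recorded.get(name)]


def demo():
    """Constructed stand-in for an acquired image: hash, repeat, alter one byte."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample evidence " * 4096)
        recorded = hash_image(path)            # value written into the case notes
        repeat = verify_image(path, recorded)  # [] means the result repeats
        with open(path, "r+b") as fh:          # simulate a single-byte change
            fh.seek(100)
            fh.write(b"X")
        altered = verify_image(path, recorded)
        return recorded, repeat, altered
    finally:
        os.remove(path)


if __name__ == "__main__":
    recorded, repeat, altered = demo()
    print("recorded:", recorded)
    print("mismatches on repeat:", repeat)
    print("mismatches after change:", altered)
```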
Non-Forensic
• Does Anything Go?
• Preserve Data
• Do No Harm
• Tools You Use
Outsourced vs. Internal
• Costs
• Time
• Capabilities
  • Tools
  • People
• Collection Only?
• Collection Plus Analysis?
Computers vs. Mobiles
• File Systems
  • Windows (NTFS, FAT – Registry)
  • Mac (HFS, HFS+)
  • iPhones (iOS – Applications)
• Drives vs. Memory
• Logical vs. Physical
• Amount of Data
Computer Triage
• Targeted Collection
• Deleted Data
  • Is it necessary?
Computer Triage
• Chat Logs
• Internet History
• Recent Documents
• Registry Data
Mobile Triage
• Logical Acquisition
• Deleted Data
  • Is it necessary?
• Backup Files
• Call Logs
Mobile Triage
• SMS
• Email – Not Likely
• Contacts
• Internet History
  • Chrome Account?
Computer Triage Example
• DP2C
  • Targeted Data Collection
  • Bootable
  • Easy to Use
• P2C Data Triage
  • Windows Systems
  • iTunes Backups
  • Mobile Device Acquisitions (DS Case Files)
Computer Triage Example
• P2C Data Triage
Computer Triage Example
• Limitations
  • Not Comprehensive
  • Registry and System Files
  • Time Constraints
Storage Devices
• SD Cards
  • Used for Computer or Cell Phone?
  • Significant Data Storage (128 GB)
• Computers
  • Documents
  • Program Files (QB, Quicken, Photoshop, Flow Charts, etc.)
  • Multimedia
• Phones
  • Photos
  • Multimedia
  • App Data
Examples
• From Device
• From Computer
Examples
• Apps
  • Parsed
Examples
• Apps
  • Not Parsed
Examples
• Dropbox on Computer
Examples
• Dropbox on iPhone
Examples
• Computer Shows
  • 135 Files
• iPhone Database Shows
  • 978 Files
• Not All Listed Files Still on Phone
Examples
• Mass Storage Devices (SD Cards, USB Drives, etc.)
Should You Triage?
• Can be Easy
• Cost Savings
• Immediate Results
• Expanded Skill Set
• Anyone Can Do It
Any Questions?