iPhone Forensics

26
Feb

Mobile phones these days are essentially computers and are increasingly a magnet for criminal activity. Corporations and individuals need to take seriously the threat against these devices. And e-forensic investigators need to learn new techniques and devise tools to combat this threat. (Hint: Take a look at viaForensics’ work on iPhone and Android forensics.)

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer’s account…

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information…

These risks will continue to grow in the coming years as more mobile devices are used to execute financial transactions…

via Identity Theft Coming to a Mobile Device Near You.

19
Feb

FOR IMMEDIATE RELEASE

Contact:
Andrew Hoog
Chief Investigative Officer
viaForensics
Phone: +1 312-283-0551
http://viaforensics.com/contact-us

viaForensics’ CIO, Andrew Hoog, earns Certified Computer Examiner designation

Chief Investigative Officer of viaForensics, Andrew Hoog, recently obtained his (CCE)® certification from the International Society of Forensic Computer Examiners

Chicago, Feb 19, 2010 –  The CIO of the computer/mobile forensic and e-discovery firm viaForensics, Andrew Hoog, has earned the Certified Computer Examiner (CCE) designation awarded by the International Society of Forensic Computer Examiners, an internationally recognized professional organization dedicated to upholding standards in the computer forensics community.

CCE certification is awarded to individuals who demonstrate knowledge and proficiency of skills related to the practice of digital forensics. Applicants for certification must complete an approved amount of training or professional experience and pass a four-part test.

Mr. Hoog adds this recognition to his list of credentials which includes the Global Information Assurance Certified Forensic Analyst (GCFA) designation and membership in the International High Technology Crime Investigation Association (HTCIA).

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery firm focusing on providing proactive services to corporations, law enforcement and law firms. Andrew Hoog is a computer scientist, computer/forensics researcher and Chief Investigative Officer at viaForensics.

# # #

17
Feb

FOR IMMEDIATE RELEASE

Contact:
Andrew Hoog
Chief Investigative Officer
viaForensics
Phone: +1 312-283-0551
http://viaforensics.com/contact-us

viaForensics CIO speaks on iPhone and Android Forensics at The Midwest HTCIA Chapter meeting

CIO of viaForensics, Andrew Hoog, spoke about the challenges of digital forensics on the iPhone and Android platforms

Chicago, Feb 17, 2010 –  Andrew Hoog, CIO of viaForensics, spoke last week on the challenges of performing digital forensics on mobile devices. He spoke to an audience at the meeting of the Midwest Chapter of the High Technology Crime Investigator’s Association (HTCIA). His talk focused specifically on the challenges presented by iPhone’s platform and touched briefly on the new Android platform.

Andrew Hoog is the author of a groundbreaking white paper on iPhone forensics that has gained recognition throughout the industry. In the paper, Hoog reveals the vast amount of personal information stored on Apple’s iPhone and reviews six specific products and techniques for retrieving this information.

The HTCIA is a non-profit professional organization focused on the prevention, investigation and prosecution of crimes involving advanced technology. The Midwest HTCIA Chapter holds bi-monthly meetings and hosts presentations of relevant topics.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery firm focusing on providing proactive services to corporations, law enforcement and law firms. Andrew Hoog is a computer scientist, computer/forensics researcher and Chief Investigative Officer at viaForensics.

###

9
Nov

With tens of millions of iPhones, rife with personal data and always connected to the Internet, the iPhone will be (is) an irresistible target for malware, spyware, identity thieves and more (you get the idea):

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

via First iPhone worm discovered – ikee changes wallpaper to Rick Astley photo | Graham Cluley’s blog.

9
Nov

As more and more consumers use smart phones and the thousands of apps in the various market places, I am very concerned about an increase in identity theft, spyware, malware, etc.  I understand Apple’s code review process is rigorous but as with any highly competitive market, everything happens fast.  Will Apple, Google and others do enough to protect their users or will speed to market win (and consumers lose)?

A maker of some of the most popular games for the iPhone has been surreptitiously collecting users’ cell numbers without their permission, according to a federal lawsuit filed Wednesday.

The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.

via Backdoor in top iPhone games stole user data, suit claims • The Register.

2
Sep

While it is possible to recover video files from the iPhone 3GS, it is not a simple task. After considerable research, here’s what I’ve found:

  1. Partial recovery is possible
  2. Metadata recovery (date/time, GPS, etc.) is also possible even if the video is not recoverable
  3. Due to wear-leveling algorithms, recovery of the full videos is not always possible.

Point 3 is what is really making things difficult.  The larger the file is, the more fragmentation occurs, a result of the wear leveling that Apple (and other vendors) implement in an attempt to use the storage evenly and avoid disproportionately wearing out parts of the drive.  One researcher I collaborate with stated:

“The spare data at the end of the blocks holds the key.  We at least figured out that the available data sheets are wrong.  We can piece together information based on available logical sector numbers, but they are sometimes missing or corrupted.”

A lot of research will have to go into the closely guarded wear-leveling algorithms different vendors use in order to recover the larger files.

As far as the specific 3GS video file format goes, we pieced together the file signature/magic numbers for the file format.  They are:

Header: 0000 0014 6674 7970 7174 2020 0000 0000

Footer: 2f00 0004 0066 7265 6500

After the footer, there is a series of all 0’s but we have not determined if it is a fixed amount or dynamic based on file size.  Stay tuned for more updates.
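
The header and footer values above are enough for basic signature carving. The sketch below is an added example, not code from the original post: it scans a raw image for those two signatures, pairs each header with the next footer, flags spans where a second header appears before the footer (a sign of the fragmentation described above), and measures the zero run after the footer. The sample image and the function names are constructed for illustration.

```python
# Signatures exactly as listed in the post (iPhone 3GS video files).
HEADER = bytes.fromhex("00000014667479707174202000000000")
FOOTER = bytes.fromhex("2f000004006672656500")


def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def carve(data):
    """Pair each header with the first footer after it.

    'interleaved' means another header sits before that footer, so the span
    probably mixes fragments of several files and needs manual review.
    """
    headers = find_all(data, HEADER)
    results = []
    for i, start in enumerate(headers):
        foot = data.find(FOOTER, start + len(HEADER))
        if foot == -1:
            results.append({"start": start, "end": None, "status": "no_footer"})
            continue
        end = foot + len(FOOTER)
        nxt = headers[i + 1] if i + 1 < len(headers) else None
        status = "contiguous" if nxt is None or nxt > foot else "interleaved"
        # Measure the zero run after the footer (its length is undetermined per the post).
        zeros = 0
        while end + zeros < len(data) and data[end + zeros] == 0:
            zeros += 1
        results.append({"start": start, "end": end, "status": status,
                        "zero_pad": zeros})
    return results


def build_sample():
    """Constructed test image: one intact file, then a header with no footer."""
    intact = HEADER + b"moov-payload" + FOOTER + b"\x00" * 8
    orphan = HEADER + b"fragment-only"
    return b"\xff" * 32 + intact + b"\xff" * 16 + orphan


if __name__ == "__main__":
    for hit in carve(build_sample()):
        print(hit)
```

Run it against a read-only copy of the acquired image, never the original evidence; "interleaved" and "no_footer" hits are the ones where only partial or metadata recovery should be expected.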

30
Jul

Details of the SMS exploit for the iPhone will be released today at the Black Hat conference.  Apparently, Apple was notified 1 month ago but there is no word yet.  Android was also vulnerable but has been patched, while Windows Mobile is apparently still vulnerable.

There will be a paradigm shift in the near future as people realize their mobile devices are full-blown computers with enormous amounts of personal information about you and your company available.  They are also perpetually networked…that’s the point.  Phone, SMS, Internet, WiFi…it’s online and powerful.  When you combine all the personal data with literally billions of devices on the market, it’s a target that will be diligently exploited at every corner.  Details below:

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

via Your iPhone: Soon to be iPwned? | TechBlog | Chron.com – Houston Chronicle.

13
Jul

Recovering deleted text messages on the iPhone… it isn’t easy, but it is possible.  Once an SMS or text message is deleted it remains stored, although hidden, on the iPhone for a period of time.  The storage of the deleted text message is not permanent because it is eventually overwritten with other data.  The more the iPhone is used between deletion and recovery, the lower the chances of recovering the text message.

There are a number of iPhone data extraction devices and techniques available but most of those don’t recover deleted text messages.  See iPhone Forensics – White Paper.  The different and emerging versions of the iPhone make recovering deleted text messages or SMS messages all the more difficult.  Different code and software are needed when working on different versions.

There are two main ways the deleted text message may be recovered.  One is by extracting the deleted message itself.  A more time-consuming method is to review all screenshots saved by the phone and then recovered using an extraction technique.  This is time-consuming because the information is in the form of an image, so it cannot be searched and must be manually examined.

Unless you know you are using the correct procedure based on iPhone model and version, you could mistakenly and permanently remove the information you are attempting to recover.  Therefore it is important to have someone with experience in this area before attempting to extract the deleted text messages.  viaFORENSICS has this kind of experience.

8
Jul

The Apple iPhone is unlike most smart phones on the market in that trained experts can successfully recover deleted text messages (and other deleted items), provided certain steps are taken. The below steps will help ensure you have a total recovery of the deleted items you want.

Stop using the iPhone immediately
First, time is everything. If possible, completely stop using the iPhone. Place the iPhone in airplane mode or turn it off. Or you can remove the SIM card if you prefer. The longer you use the iPhone, the less likely a full or even partial recovery is possible.

Do’s (or Steps to follow to maximize recovery of deleted text messages)

  1. Stop using the iPhone immediately.  Turn the iPhone off, place in airplane mode or remove the SIM card.  Yes, I am repeating myself but this is the most important thing you can do.
  2. Make a backup of your *iPhone backup directory* (not your iPhone but your existing backup directory on your computer).  Valuable information from a previous backup (which occurs when you upgrade the iPhone OS or specifically request a backup) can contain the information you need.  See my previous post about iPhone backups for more information.
  3. Contact an iPhone expert who can perform the recovery.  We use various techniques including:
    1. Forensic imaging and analysis of the iPhone (admissible in court if needed)
    2. Recovery of deleted records in the SMS database if present
    3. Examination of the keyboard cache files for outbound conversations
    4. Recovery of iPhone screenshots which may contain images of the text messages
    5. Full indexed search of the iPhone user data partition using powerful searching tools

Don’ts (or Things to avoid when trying to recover deleted text messages)

  1. Avoid using the iPhone, at all.  (do you see a theme here)
  2. Don’t sync or backup the iPhone (let the expert take care of this)
  3. Don’t install new applications from the App Store
  4. Don’t modify/examine the files in your backup directory unless you know how
  5. Don’t forget to call the expert as soon as possible.

Oftentimes, people approach us weeks or months after their text messages have been deleted.  While we are able to sometimes make partial recoveries (message fragments), full recovery at that point is nearly impossible.  However, if your text messages are deleted and you follow the steps above immediately, I guarantee full recovery or we’ll provide a 100% refund on the fee we charge.

If you are interested in this topic more, please check out our free iPhone Forensics white paper, contact us at 312-283-0551 or complete the form below.  Good luck and should you need to recover a deleted text message (or other file from the iPhone), we hope to hear from you.

13
Apr

Good news for those of us in the business of computer/mobile forensics – latest web applications and trends are to cache (even more) data to the device.  This will make the recovery of potentially important data/evidence easier, provided you have the proper training, tools and technical knowledge.  The latest upgrade to GMail provides these types of changes and is likely just the beginning:

These features include a graphics tool called Canvas, “persistent storage,” and an “application cache,” explains Shyam Sheth, product manager on Google’s mobile team. Canvas is something of an alternative to the popular Adobe Flash software that’s commonly used to create graphics and animation on the Web. Persistent storage provides a way for data, originally on a remote server (such as Google’s e-mail servers), to be stored locally, on the device. The HTML 5 application cache keeps important information about an application on the device that allows it to open quickly, as if it were running directly on the hardware instead of remotely. The iPhone version of Gmail uses only HTML 5, whereas Android uses a combination of HTML 5 and Gears (a Google software add-on that enables its Web apps to run offline).

via Technology Review: Gmail Sidesteps the App Store.
