Mobile and Embedded Forensics 01 00   1 44 59

Introduction to Mobile and Embedded System Forensics

Overview of the Lecture

  • The lecture is introduced, highlighting its relevance and the speaker's expertise.
  • The speaker, Inspector Sanvic, is a part-time PhD student in Information Security Communication Technology and works at Krios.
  • The focus of the lecture is on mobile and embedded system forensics, with insights drawn from a textbook authored by the speaker.

Structure of the Lecture

  • The presentation will cover:
    • An introduction to embedded systems and mobile phones.
    • Data collection methods.
    • Examination processes for data analysis.
    • A wrap-up discussion at the end.

The Ubiquity of Embedded Systems

Presence in Daily Life

  • Embedded systems are prevalent in everyday devices such as fridges, washing machines, and various consumer electronics.
  • Internet of Things (IoT) devices represent a significant trend; estimates suggest around 13.1 billion devices currently exist, potentially rising to 29 billion by 2030.

Digital Traces Left Behind

  • Individuals interact with numerous small devices daily that leave digital traces—examples include access cards for entry systems and smartphones used for travel tickets.
  • Surveillance cameras and base stations capture signals from mobile phones and Wi-Fi networks, contributing to an extensive digital footprint.

Understanding Mobile Phones and Embedded Systems

Definition and Components

  • A mobile phone or embedded system typically includes:
    • Central processing units (CPUs).
    • Random access memory (RAM).
    • Nonvolatile storage components.

Characteristics of Embedded Systems

  • Unlike standard computers, embedded systems often have stricter constraints regarding memory capacity, processing power, and energy consumption.
  • They can operate under real-time conditions—either hard or soft real-time systems—with specific limits on task completion times.

Technical Aspects of Embedded Systems

User Interfaces & Design Constraints

  • Many embedded systems feature limited user interfaces compared to traditional computers; they may only have basic buttons or touch screens instead of full graphical interfaces.

System on Chip (SoC)

  • Smaller systems often utilize a System on Chip design where all essential components are integrated into one microchip. This design enhances space efficiency and reduces power consumption.

Example: ATmega AVR Microcontroller

Features & Longevity

  • The ATmega AVR microcontroller used in Arduino boards exemplifies low power usage combined with long data retention: stored data survives up to 20 years even at high temperatures, with only a small probability of data loss.

Overview of Computer Architectures and Mobile Networks

Key Computer Architectures

  • The 8051 architecture is an older, widely used design, particularly in low-power systems.
  • ARM architecture is prevalent in modern devices, especially smartphones, and uses a 32- or 64-bit reduced instruction set computing (RISC) design.
  • ARC architecture is commonly found in system-on-chip designs, with significant production numbers (approximately 1.5 billion units annually).

Evolution of Mobile Networks

  • Mobile networks have evolved from analog (1G) to digital systems like GSM/CDMA (2G), and now to advanced technologies such as 5G and the upcoming 6G.
  • Higher frequency bands in mobile networks allow for increased bandwidth but require more line-of-sight connections due to signal obstruction.

Operating Systems on Mobile Devices

  • Various operating systems run on mobile phones; proprietary operating systems for low-cost devices include Nokia's ISA.
  • Android dominates the smartphone market with a Linux kernel, while iOS powers Apple devices. Windows Phone has been discontinued.

Applications and User Interaction

  • Applications are crucial for user interaction on mobile devices; examples include messaging apps like WhatsApp and camera applications.
  • The SIM card (now referred to as UICC - Universal Integrated Circuit Card) plays a vital role in network authentication and traffic encryption.

Modern SIM Technology

  • UICC cards store limited data such as contacts and SMS but are increasingly replaced by embedded SIM technology that allows remote provisioning.
  • The structure of mobile networks consists of cells created by base stations, which connect handsets based on proximity to the strongest signal.

Base Station Connectivity

  • Each base station typically covers three sectors at approximately 120 degrees each, facilitating efficient connection management between mobile phones and network infrastructure.

Mobile Phone Tracking and Security Risks

Understanding Mobile Phone Location Tracking

  • Mobile phones continuously update their location information as long as they are powered on, even if not actively used.
  • Multiple base stations can detect a mobile phone simultaneously; triangulation helps estimate its location.
  • A phone may remain connected to a distant base station until the signal strength drops below a certain threshold, affecting accuracy in location tracking.
  • Local variations such as radio shadows can distort coverage maps, leading to connections with less optimal base stations.
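A toy model of the serving-cell behaviour described in the bullets above, added here as an illustration and not part of the lecture. It uses constructed cell-site coordinates, a simplified log-distance path-loss model, a fixed extra attenuation for one site to stand in for a radio shadow, a threshold-based rule under which the phone keeps its serving cell until the signal drops below a floor, and a signal-weighted centroid as the location estimate. Every coordinate, power figure and threshold is made up for the example; the point it demonstrates is that the serving cell in a record is not necessarily the nearest one.

```python
import math
from typing import Dict, List, Optional, Tuple

# Constructed cell sites (x_km, y_km). Not real sites.
CELLS: Dict[str, Tuple[float, float]] = {"A": (0.0, 0.0), "B": (6.0, 0.0), "C": (3.0, 5.0)}
REF_RSSI_DBM = -70.0      # assumed received level at 1 km from any site
PATH_LOSS_EXP = 3.5       # assumed log-distance path-loss exponent
SHADOW_DB = {"B": 15.0}   # constructed "radio shadow": extra loss toward site B on this track
RSSI_FLOOR_DBM = -95.0    # serving cell is kept until its level drops below this
DETECT_DBM = -110.0       # weaker than this: the site does not see the phone at all


def rssi(cell: str, pos: Tuple[float, float]) -> float:
    """Simplified log-distance model: level falls with distance, minus any shadow loss."""
    d_km = max(math.dist(CELLS[cell], pos), 0.01)
    return REF_RSSI_DBM - 10 * PATH_LOSS_EXP * math.log10(d_km) - SHADOW_DB.get(cell, 0.0)


def nearest_cell(pos: Tuple[float, float]) -> str:
    return min(CELLS, key=lambda c: math.dist(CELLS[c], pos))


def choose_serving(levels: Dict[str, float], serving: Optional[str]) -> str:
    """Threshold rule: stay on the current cell until it falls below the floor, then
    switch to the strongest. This is what makes the serving cell lag behind the
    nearest one as the phone moves."""
    if serving is None or levels[serving] < RSSI_FLOOR_DBM:
        return max(levels, key=levels.get)
    return serving


def estimate_position(levels: Dict[str, float]) -> Tuple[float, float, List[str]]:
    """Signal-weighted centroid over the sites that detect the phone (linear power weights)."""
    detected = {c: lvl for c, lvl in levels.items() if lvl >= DETECT_DBM}
    weights = {c: 10 ** (lvl / 10) for c, lvl in detected.items()}
    total = sum(weights.values())
    x = sum(w * CELLS[c][0] for c, w in weights.items()) / total
    y = sum(w * CELLS[c][1] for c, w in weights.items()) / total
    return x, y, sorted(detected)


def simulate_track(xs: List[float]) -> List[dict]:
    """Move the phone along y = 0 and record serving cell, nearest cell and estimate."""
    serving: Optional[str] = None
    out = []
    for x in xs:
        pos = (x, 0.0)
        levels = {c: rssi(c, pos) for c in CELLS}
        serving = choose_serving(levels, serving)
        ex, ey, seen = estimate_position(levels)
        out.append({
            "x": x,
            "serving": serving,
            "nearest": nearest_cell(pos),
            "detected": seen,
            "estimate_km": (round(ex, 2), round(ey, 2)),
            "error_km": round(math.dist(pos, (ex, ey)), 2),
        })
    return out


if __name__ == "__main__":
    for row in simulate_track([0.5 + 0.5 * i for i in range(11)]):
        print(row)
```

Reading the output, the phone is geometrically closest to site B from about x = 3 km onward but stays on A until A's level crosses the floor, so a record that only names the serving cell would place it further west than it really is; the centroid estimate uses all detecting sites and narrows that error.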

Mobile Phone Identification and Malware Threats

  • Each mobile phone has a unique identifier (IMEI number), allowing tracking even when SIM cards are changed.
  • Malware often disguises itself within seemingly harmless apps, like games or utilities, posing significant security risks.
  • Banking trojans can intercept SMS messages to capture two-factor authentication codes, compromising user accounts.

Point of Sale Terminal Vulnerabilities

  • Point of sale terminals are common targets for credit card theft; attacks often involve tampering with hardware to record card details.
  • Instances of physical break-ins may reveal that no items were stolen but rather that skimming devices were installed on terminals.

Hardware-Level Malware Concerns

  • Malware can be embedded in hardware during manufacturing processes, raising concerns about supply chain security and integrity.
  • Research is ongoing into creating tamper-resistant hardware and methods for detecting hidden malware within electronic components.

Data Acquisition Methods in Forensics

  • An ontology model categorizes data acquisition methods based on their connection to the type of data being collected, aiding forensic investigations.
  • The context of an investigation influences the choice of acquisition method; sometimes immediate access is prioritized over forensic soundness due to urgency.

Contextual Considerations in Data Collection

  • In urgent situations (e.g., crime scenes), investigators must balance between preserving data integrity and obtaining critical information quickly from devices like phones.
  • Different abstraction layers exist for data analysis; higher layers focus on content while lower layers delve into system-level interactions.

Understanding Data Acquisition Methods in Forensics

Trustworthiness of Data Sources

  • The reliability of data from security cameras is generally high, because suspects cannot usually tamper with that hardware. Such data is therefore more trustworthy than data from personal devices like phones, which a technically skilled suspect may have manipulated.

Factors Influencing Data Acquisition

  • Key considerations for data acquisition include the potential for tampering and the longevity of data retention. The method chosen must account for how long the data will remain accessible.

Abstraction Levels in Data Extraction

  • Different methods of acquiring data operate at various abstraction levels. It's crucial to assess how these methods affect the integrity and repeatability of the extracted data.

Cost Considerations in Forensic Methods

  • Costs associated with forensic methods can vary significantly. Some methods may require substantial upfront investment but simplify post-acquisition work, while others might be quick but demand extensive follow-up efforts.

Comparison of Chip-Off vs Manual Inspection Techniques

  • A spider diagram illustrates that manual inspection operates at a higher abstraction level than chip-off methods, which involve physical alterations to devices. Each method has its own implications for logical alteration and repeatability.
  • Chip-off techniques are costly due to equipment and training needs, whereas manual inspections have no initial costs but can lead to significant logical alterations during operation.

Differences Between Mobile/Embedded Systems and Traditional Computers

  • Mobile and embedded systems differ from traditional computers primarily due to their lack of standardized interfaces and user-repairable parts, complicating forensic investigations.

Importance of Documentation in Forensics

  • Reading system documentation is essential for understanding device functionality; however, it often lacks precision. An example highlights a camera system's misleading retention time setting that did not reflect actual recording capabilities.

Data Storage and Device Isolation

Importance of Data Retention and Device Isolation

  • The discussion highlights that data may be stored for longer than seven days, contrary to initial assumptions.
  • Emphasizes the necessity of isolating devices from networks to prevent unauthorized access, which could lead to remote wiping of data.

Impact of Power Loss on Data Integrity

  • An example is provided where cutting power to an alarm control center resulted in overwriting critical memory due to a backup battery being overlooked.
  • It raises questions about what types of storage might exist within various devices, including peripherals that may have their own storage capabilities.

Security Measures and Risks

  • Discusses potential security measures in place and whether they can be circumvented; poses the dilemma of keeping devices powered for access versus turning them off for security.
  • Questions the existence of hidden communication ports and stresses the importance of considering electrostatic discharge when handling devices.

Handling Devices Safely

  • Advises caution against damaging devices through physical contact, particularly with exposed electronics, while noting that many chips have built-in protections against electrostatic discharge.

Documenting Physical Condition During Collection

  • Stresses the need to record the physical state of a device during collection, including any visible damage or biological traces (e.g., blood).
  • Highlights the importance of forensic traces such as fingerprints or DNA, suggesting collaboration with traditional forensic experts for thorough analysis.

Understanding Flash-Based Embedded Systems

Overview of Flash-Based Systems

  • Introduces flash-based embedded systems with a generic diagram illustrating components like processors and RAM.

File System Considerations

  • Discusses operating systems managing file systems tailored for flash memory versus general-purpose file systems.

Accessing Data from Devices

  • Explains methods for accessing data via applications or services running on devices, including connecting as mass storage or using media transfer protocols.

Advanced Techniques for Data Retrieval

  • Describes advanced techniques such as rooting phones or using JTAG connections to bypass CPUs entirely for direct access to flash memory.

Challenges in Forensic Investigations

  • Acknowledges that some methods like desoldering chips are time-consuming and require specialized equipment, often making them impractical for most investigations.

Physical Acquisition and Break Discussion

Break Announcement

  • The speaker suggests taking a short break, indicating that the session has covered more material on acquisition than anticipated.
  • A consensus is reached to take a 10-minute break, with plans to reconvene at 15:10.

Return from Break

  • After the break, the speaker checks for questions in the chat but finds none. They remind themselves of their position in the presentation (page 18).
  • The speaker briefly discusses student attendance for the semester before stepping out momentarily.

Acquisition Mode Resumption

Overview of Memory Acquisition

  • Upon returning, the speaker resumes discussing memory acquisition methods, emphasizing "in vivo" and "in vitro" techniques borrowed from biology terminology.

In Vivo vs In Vitro Techniques

  • In Vivo: Refers to acquiring data directly from systems while they are operational.
  • In Vitro: Involves extracting memory chips and reading them externally, often requiring physical removal of chips from devices.

Chip Removal Techniques

Chip Off Methodology

  • The chip-off method involves physically removing chips to read their contents; however, it can be complicated by factors such as epoxy glue or solder types used during manufacturing.

Challenges in Desoldering

  • Factors affecting desoldering include:
    • Presence of epoxy glue complicating removal.
    • Types of solder (lead-based or otherwise) impacting ease of desoldering.
    • Underfill materials that may require additional heat or techniques for removal.

Types of Chip Packages

Package Form Factors

  • Two main types discussed:
    • TQFP (Thin Quad Flat Package): Features legs on sides; requires simultaneous heating for safe desoldering.
    • BGA (Ball Grid Array): Contains solder balls underneath; necessitates uniform heating across the entire chip package for effective desoldering.

Desoldering Techniques and Considerations

Heating Methods

  • Effective desoldering requires careful temperature management to prevent damage:
    • Heat should be applied uniformly to avoid bending or damaging components.
    • Specialized tips are recommended for simultaneous heating on both sides of TQFP packages.

Importance of Temperature Control

  • Maintaining a slow increase in temperature is crucial due to different expansion rates among materials involved in soldering/desoldering processes.
  • A rule of thumb is not exceeding a core temperature increase of three degrees per second during these operations. This concept is referred to as a "process window."

Desoldering Techniques and Memory Extraction

Understanding Phase Change Memory (PCM) Desoldering

  • Heating a PCM during desoldering can ruin the memory, necessitating careful handling to avoid damage.
  • Specific solvents are required for different types of epoxy used in PCB assembly; they are not interchangeable.

Lapping Technique for PCB Removal

  • Lapping involves grinding away layers of the PCB around the chip, requiring specialized tools for precision.
  • While sanding paper can be used, a lapping machine is recommended for safer and more efficient results.

Chip Programming and Forensic Reading

  • Chip programmers, although primarily designed for writing data, can also read memory content but require caution to prevent overwriting.
  • The Netherlands Forensic Institute developed a forensic tool called the "memory toolkit" specifically for reading flash memory.

Equipment Used in Memory Acquisition

  • Various equipment is utilized in desoldering processes, including infrared soldering machines and pogo pin connectors that ensure good contact with uneven surfaces.

JTAG: A Standardized Interface for Testing and Debugging

  • JTAG was created to automate testing connections on PCBs, reducing errors compared to manual methods.
  • It allows both external testing of electronics and internal access within chips for programming or debugging purposes.

Advantages of JTAG in Modern Electronics

  • JTAG enables real-time programming while components remain on the board, facilitating easier updates and debugging.
  • The debug mode offers significant advantages by allowing direct interaction with flash memory as if it were part of the CPU's operational environment.

Security Measures Surrounding JTAG Access

  • Despite its benefits, security measures exist such as hidden ports or fusible links that disable access post-testing to prevent unauthorized use.

Understanding JTAG and Acquisition Methods

Overview of JTAG Interface

  • The JTAG interface can implement security protocols requiring a keyword or password for access, making it more secure than chip-off methods.
  • JTAG allows for quicker and more convenient data acquisition compared to chip-off techniques, although not all systems support this method.

Physical vs. Logical Acquisition

  • Distinguishing between physical and logical acquisition is challenging due to hardware advancements; flash translation layers can obscure data from direct reads.
  • Pseudo physical acquisitions are often categorized as in-between methods that yield processed data rather than raw physical outputs.

Operating System Access

  • Higher abstraction layers involve using the operating system for data reading, which requires root access; mobile OS protections complicate this process.
  • Gaining root access may necessitate exploiting local privilege escalation vulnerabilities or booting from alternative devices like USB sticks.

Boot Sequence and Recovery Modes

  • To bypass standard OS restrictions, devices can be booted into firmware upgrade modes (DFU/recovery mode), allowing custom boot images to be flashed.
  • Recovery modes may enable direct read/write operations on partitions without needing to boot the full operating system.

Security Measures in Modern Devices

  • Manufacturers prevent users from rooting devices due to security concerns; unlocking the bootloader typically erases user data, complicating forensic recovery efforts.
  • Most modern phones use encrypted storage by default, with encryption keys stored securely and inaccessible for extraction.

Encryption Challenges

  • Factory resets do not delete data but discard encryption keys, rendering the stored information irretrievable without these keys.
  • Applications may also utilize their own encrypted storage solutions, which can have vulnerabilities stemming from poor key generation practices.

Flash Storage Technologies

  • Emerging standards like eMMC provide managed flash interfaces that simplify interactions with storage while still presenting challenges in terms of acquisition methods.
  • Managed flash technologies such as UFS offer improved performance but blur the lines between physical and logical acquisitions due to processed output characteristics.

Understanding Data Recovery from Damaged Devices

Overview of Device Resilience

  • Devices are designed to be restarted frequently, minimizing reliance on RAM and allowing for data retention even when batteries are removed.
  • Reading RAM and booting with new firmware can help recover data, but this often requires root access and specialized knowledge.

Challenges with Damaged Devices

  • Many devices encountered may be damaged accidentally or intentionally; however, complete data loss is surprisingly rare.
  • Fire damage often does not destroy electronics completely due to insulation effects from melted plastic, which protects internal chips.

Water Damage Considerations

  • Water can short-circuit devices but typically does not penetrate the chips themselves; surface damage is more common.
  • When recovering water-soaked devices, it’s crucial to keep them submerged until they reach a lab to prevent oxidation from air exposure.

Mechanical Damage Insights

  • Mechanical damage is difficult to inflict on silicon chips; connections can often be repaired through re-soldering or rebonding techniques.
  • Even severely damaged devices (e.g., shot phones) may still allow for memory recovery if the memory chip remains intact.

Understanding Flash Memory Systems

  • Knowledge of flash memory systems is essential for effective examination and recovery; understanding how flash storage operates is critical.
  • Different types of flash memory (NAND vs. NOR), their uses, and limitations must be understood for proper data management.

Flash Memory Characteristics

  • NAND flash is commonly used for user data, while NOR flash retains data longer but is used less often because of cost and space constraints.
  • Writing to NAND flash requires care: a program operation can only change bits from 1 to 0, so returning bits to 1 requires erasing an entire block first.

Data Management Techniques in Flash Storage

  • Updating files involves copying contents into new pages rather than modifying existing ones directly due to the nature of NAND flash writing capabilities.
  • Wear leveling techniques are necessary as blocks have limited write/erase cycles (typically around 100,000), ensuring longevity of the storage medium.

Understanding Flash Translation Layers and File Systems

Overview of Flash Memory Management

  • Spreading writes across many pages, so that no single page or block wears out prematurely, is handled by the flash translation layer (FTL).
  • The FTL complicates data retrieval as it may be challenging to distinguish between live data and remnants from previous versions.
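The following toy NAND plus FTL model is added here as an illustration of the flash characteristics, data management and FTL bullets above; it is not code from the lecture or the textbook. It is deliberately tiny (three erase blocks of four 8-byte pages, all sizes constructed), but it enforces the real rules: a program operation can only clear bits, erasing a whole block is the only way to set bits back to 1, an update therefore goes to a fresh page, and the superseded copy stays in the raw dump until garbage collection erases its block. Free pages are picked from the least-erased block as a stand-in for wear leveling.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed geometry: far smaller than any real NAND device.
PAGE_SIZE = 8
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 3
ERASED = b"\xff" * PAGE_SIZE
Phys = Tuple[int, int]  # (block, page)


def program_allowed(old: bytes, new: bytes) -> bool:
    """True if no bit goes from 0 to 1 (NAND program operations can only clear bits)."""
    return all((o & n) == n for o, n in zip(old, new))


class NandFlash:
    """Raw NAND: pages grouped into erase blocks; an erased page reads as all 0xFF."""

    def __init__(self) -> None:
        self.blocks: List[List[bytes]] = [[ERASED] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]
        self.erase_count: List[int] = [0] * NUM_BLOCKS

    def program(self, block: int, page: int, data: bytes) -> None:
        if len(data) != PAGE_SIZE:
            raise ValueError("data must be exactly one page")
        old = self.blocks[block][page]
        if not program_allowed(old, data):
            raise ValueError("program can only clear bits; erase the block first")
        self.blocks[block][page] = data

    def erase(self, block: int) -> None:
        self.blocks[block] = [ERASED] * PAGES_PER_BLOCK
        self.erase_count[block] += 1  # each erase consumes part of the block's lifetime

    def read(self, block: int, page: int) -> bytes:
        return self.blocks[block][page]

    def dump(self) -> bytes:
        """What a chip-off or raw read returns: every page, live or stale."""
        return b"".join(page for block in self.blocks for page in block)


class SimpleFTL:
    """Maps logical pages to physical ones and never overwrites a page in place."""

    def __init__(self, nand: NandFlash) -> None:
        self.nand = nand
        self.map: Dict[int, Phys] = {}
        self.used: Set[Phys] = set()   # physical pages holding data, live or stale
        self.stale: Set[Phys] = set()  # superseded copies, still readable in a raw dump

    def _free_page(self, avoid: Optional[int] = None) -> Optional[Phys]:
        # Wear leveling stand-in: hand out pages from the least-erased block first.
        for blk in sorted(range(NUM_BLOCKS), key=lambda b: self.nand.erase_count[b]):
            if blk == avoid:
                continue
            for pg in range(PAGES_PER_BLOCK):
                if (blk, pg) not in self.used:
                    return (blk, pg)
        return None

    def write(self, logical: int, data: bytes) -> Phys:
        padded = data.ljust(PAGE_SIZE, b"\xff")[:PAGE_SIZE]
        loc = self._free_page()
        if loc is None:
            self.garbage_collect()
            loc = self._free_page()
            if loc is None:
                raise RuntimeError("flash full")
        if logical in self.map:
            self.stale.add(self.map[logical])  # old version is left behind, not erased
        self.nand.program(loc[0], loc[1], padded)
        self.used.add(loc)
        self.map[logical] = loc
        return loc

    def read(self, logical: int) -> bytes:
        blk, pg = self.map[logical]
        return self.nand.read(blk, pg)

    def garbage_collect(self) -> int:
        """Erase the block with the most stale pages after relocating its live pages."""
        victim = max(range(NUM_BLOCKS), key=lambda b: sum(1 for blk, _ in self.stale if blk == b))
        reverse = {phys: logical for logical, phys in self.map.items()}
        for pg in range(PAGES_PER_BLOCK):
            phys = (victim, pg)
            if phys in self.used and phys not in self.stale:
                dest = self._free_page(avoid=victim)
                if dest is None:
                    raise RuntimeError("no free page to relocate live data")
                self.nand.program(dest[0], dest[1], self.nand.read(victim, pg))
                self.used.add(dest)
                self.map[reverse[phys]] = dest
        self.nand.erase(victim)
        self.used = {p for p in self.used if p[0] != victim}
        self.stale = {p for p in self.stale if p[0] != victim}
        return victim


def demo() -> dict:
    """Write four pages, update one, and see the old version persist until GC runs."""
    nand, ftl = NandFlash(), None
    ftl = SimpleFTL(nand)
    for lp in range(PAGES_PER_BLOCK):
        ftl.write(lp, b"v1-pg%d" % lp)  # fills block 0
    ftl.write(0, b"v2-pg0")             # update lands in a fresh page in block 1
    before = b"v1-pg0" in nand.dump()
    live = ftl.read(0).rstrip(b"\xff")
    victim = ftl.garbage_collect()
    after = b"v1-pg0" in nand.dump()
    return {
        "live_logical0": live,
        "old_version_in_dump_before_gc": before,
        "old_version_in_dump_after_gc": after,
        "gc_victim_block": victim,
        "erase_counts": list(nand.erase_count),
        "logical1_after_gc": ftl.read(1).rstrip(b"\xff"),
    }


if __name__ == "__main__":
    print(demo())
```

The forensic consequence is visible in `demo()`: a raw dump taken before garbage collection still contains the first version of logical page 0, which the FTL no longer exposes, so an examiner must treat what the FTL presents and what the chip holds as two different views of the same storage.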

Storage Organization in Embedded Systems

  • There are three primary ways to organize storage:
    • Ordinary disk with OS, file system driver, and block device.
    • Ordinary file system with an FTL, commonly found in modern smartphones.
    • Flash file systems designed specifically for flash devices.

Handling Bad Blocks in Flash Memory

  • The FTL must manage bad blocks by replacing them with backup blocks when they fail, ensuring reliability throughout the memory's lifespan.

Log Structured File Systems

  • A log structured file system appends new versions of files rather than modifying existing ones, making it suitable for flash memory.
  • Garbage collection is necessary when free space runs out; it consolidates partially used blocks into new erase blocks for efficient storage management.

Simplicity vs. Complexity in Flash File Systems

  • The Coffee file system offers a simpler approach but lacks advanced garbage collection features, potentially leading to inefficiencies if many writes occur.

Data Carving Techniques

  • Data carving can be useful for extracting specific structures like SMS messages or databases from raw flash devices.
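A small signature-based carver for one of the structures mentioned above, SQLite databases, added here as a worked example and not taken from the lecture. It scans a raw dump for the SQLite header magic, validates the page size, reads the in-header database size (trusting it only when the change counter matches the version-valid-for field, as the SQLite file format prescribes) and decides whether the carved region is complete or cut off. The dump it runs on is constructed inline: erased 0xFF padding, some unrelated text, one complete two-page database and one truncated copy.

```python
import struct
from typing import List, Optional

SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100


def build_header(page_size: int, pages: int, change_counter: int = 5) -> bytes:
    """Constructed 100-byte SQLite header following the documented field layout."""
    return struct.pack(
        ">16sH6B12I20s2I",
        SQLITE_MAGIC, page_size,
        1, 1, 0, 64, 32, 32,                       # write/read version, reserved, payload fractions
        change_counter, pages, 0, 0, 1, 4, 0, 0,   # change counter, size in pages, freelist, schema
        1, 0, 0, 0,                                # text encoding (UTF-8), user version, vacuum, app id
        b"\x00" * 20,                              # reserved for expansion
        change_counter, 3045000,                   # version-valid-for, SQLITE_VERSION_NUMBER
    )


def parse_sqlite_header(buf: bytes, off: int) -> Optional[dict]:
    """Return header facts at `off`, or None if it cannot be a valid SQLite header."""
    if buf[off:off + 16] != SQLITE_MAGIC or len(buf) - off < HEADER_LEN:
        return None
    page_size = struct.unpack_from(">H", buf, off + 16)[0]
    if page_size == 1:
        page_size = 65536  # the format encodes 65536 as 1
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        return None        # must be a power of two between 512 and 65536
    change_counter, pages = struct.unpack_from(">II", buf, off + 24)
    version_valid_for = struct.unpack_from(">I", buf, off + 92)[0]
    return {
        "offset": off,
        "page_size": page_size,
        "pages": pages,
        # The in-header size is only authoritative when these two counters agree.
        "size_trusted": change_counter == version_valid_for and pages > 0,
    }


def carve_sqlite(dump: bytes) -> List[dict]:
    """Carve every plausible SQLite database out of a raw dump."""
    hits = []
    off = dump.find(SQLITE_MAGIC)
    while off != -1:
        next_off = dump.find(SQLITE_MAGIC, off + 1)
        hdr = parse_sqlite_header(dump, off)
        if hdr is not None:
            available = len(dump) - off
            expected = hdr["page_size"] * hdr["pages"] if hdr["size_trusted"] else None
            if expected is None:
                # Size unknown: carve up to the next header (or end of dump) as a best effort.
                length = (next_off if next_off != -1 else len(dump)) - off
            else:
                length = min(expected, available)
            hdr.update({
                "expected_bytes": expected,
                "complete": expected is not None and available >= expected,
                "data": dump[off:off + length],
            })
            hits.append(hdr)
        off = next_off
    return hits


def build_sample_dump() -> bytes:
    """Constructed raw dump: erased padding, unrelated text, one whole DB, one cut-off DB."""
    db_complete = build_header(4096, 2) + b"\x00" * (2 * 4096 - HEADER_LEN)
    db_truncated = build_header(4096, 2) + b"A" * 900  # only 1000 of 8192 bytes survive
    return b"\xff" * 300 + b"log: ok\n" * 10 + db_complete + b"\xff" * 50 + db_truncated


if __name__ == "__main__":
    for hit in carve_sqlite(build_sample_dump()):
        print({k: v for k, v in hit.items() if k != "data"}, "bytes:", len(hit["data"]))
```

A carved file that is marked incomplete here is still worth keeping: the header and any intact b-tree pages can be parsed on their own, which is often how individual SMS records are recovered from a damaged or partially overwritten database.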

Analyzing Time Stamps in Forensic Investigations

  • An example discussed involves analyzing time stamps from a database that showed unusual behavior—jumping back an hour—which could indicate tampering or hardware issues.

Implications of Time Manipulation on Alibis

  • The suspect claimed battery issues caused the clock anomaly; however, investigators considered whether this was a cover-up for intentional time manipulation.
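The clock-anomaly check described in the two bullets above, written out as an added example that is not from the lecture. It assumes a message table with an auto-incrementing integer primary key and a Unix-epoch timestamp column, which is a common layout for messaging databases but is an assumption here; the rows are constructed. The detection relies on the primary key being assigned in insertion order, independent of the device clock, so any row whose timestamp is earlier than its predecessor's reveals a backward clock step. It also reports whether the step is roughly a whole number of hours, which is the shape a timezone or DST-sized adjustment would take, and where the sequence catches up with the pre-anomaly time again.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows: (message id in insertion order, Unix timestamp in seconds).
SAMPLE_ROWS: List[Tuple[int, int]] = [
    (1, 1700000000),
    (2, 1700000300),
    (3, 1700000600),
    (4, 1700000600 - 3600 + 60),   # about an hour earlier than the row before it
    (5, 1700000600 - 3600 + 420),
    (6, 1700004000),               # clock has caught up with the earlier high-water mark
]


def load_db(rows: List[Tuple[int, int]]) -> sqlite3.Connection:
    """Build an in-memory database with the assumed messages layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, ts INTEGER NOT NULL, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (id, ts, body) VALUES (?, ?, ?)",
        [(i, t, "constructed message %d" % i) for i, t in rows],
    )
    conn.commit()
    return conn


def classify(delta_s: int, tolerance_s: int = 120) -> str:
    """Label a negative step by whether it is close to a whole number of hours."""
    for hours in (1, 2, 3, 24):
        if abs(delta_s + hours * 3600) <= tolerance_s:
            return "about %d h backwards (timezone/DST-sized step)" % hours
    return "irregular backwards step"


def find_backward_jumps(conn: sqlite3.Connection) -> List[dict]:
    """Walk rows in primary-key order and flag every timestamp that moves backwards."""
    rows = conn.execute("SELECT id, ts FROM messages ORDER BY id").fetchall()
    anomalies = []
    for i in range(1, len(rows)):
        prev_id, prev_ts = rows[i - 1]
        msg_id, ts = rows[i]
        if ts < prev_ts:
            delta = ts - prev_ts
            # First later row whose timestamp reaches the pre-anomaly time again.
            resync = next((rid for rid, rts in rows[i + 1:] if rts >= prev_ts), None)
            anomalies.append({
                "id": msg_id,
                "prev_id": prev_id,
                "delta_s": delta,
                "kind": classify(delta),
                "resync_id": resync,
            })
    return anomalies


if __name__ == "__main__":
    for a in find_backward_jumps(load_db(SAMPLE_ROWS)):
        print(a)
```

A whole-hour step is consistent with a clock or timezone change and a small irregular drift with a weak battery, but the code only measures the step; deciding between the suspect's explanation and deliberate manipulation still rests on other evidence, such as whether the step coincides with a time of interest.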

Summary of IoT System Characteristics

  • IoT systems resemble traditional computer systems but are characterized by low power consumption, compact size, and limited user interfaces.

Forensic Challenges in Data Acquisition

Overview of Forensic Data Acquisition

  • The process of acquiring data from computer systems is often complicated due to the lack of standardized methods for forensic soundness. Documenting actions taken during acquisition is crucial for maintaining evidence integrity and chain of custody.

Risks in Handling Devices

  • Handling devices poses risks not only to the device itself but also to the person performing the analysis: both the analyst's safety and the hardware can be put at risk, especially in hostile environments.

Evolution of Computer Hardware

  • Modern PCs increasingly resemble mobile devices, featuring soldered flash memory on PCBs rather than removable chips. This shift indicates a trend towards embedded system designs in computing hardware.

Presentation Summary

  • The speaker concludes their presentation by expressing hope that attendees found valuable insights regarding the challenges faced in analyzing diverse data formats across various devices.

Audience Engagement and Questions

  • Following the presentation, an audience member acknowledges its detail and complexity, highlighting the extensive work required for data analysis across different device types.

Clarification on Embedded Systems

  • A question arises regarding how embedded systems maintain timestamp information; responses indicate variability based on whether processing units have synchronized internal clocks or operate independently without network connections.

Timekeeping Mechanisms in Devices

  • Most processing units possess internal clocks that may or may not be synchronized with local time. Some small embedded systems lack user interfaces and simply count seconds since boot-up without providing accurate timestamps.

Network Connected Devices

  • Typically, network-connected devices include more reliable clock mechanisms that can provide accurate time information within their operating systems, enhancing data reliability during forensic investigations.