Training

Forensic course

by Mark Rowe

With malware and cyber criminals increasingly targeting mobile devices (Kaspersky Labs reports a jump from under 350,000 to 1.3 million attacks between 2013 and 2014), demand for digital forensics investigators with mobile device expertise is increasing.

However, according to Cindy Murphy, an American within the field, the industry is still relying on tools that are not keeping up with the level of sophistication that more targeted attacks are exhibiting: “Commercial mobile forensic tools automatically parse some of the data from smartphone extractions, but much more is left behind, unparsed, waiting for examiners to find it. Many people don’t look beyond what is automatically parsed by the tools, and great evidence can be totally missed.”

Murphy, a Detective with the City of Madison, Wisconsin Police Department, is a certified forensic examiner and has been involved in computer forensics since 1999. She has directly participated in the examination of many hundreds of hard drives, cell phones, and other items of digital evidence pursuant to criminal investigations including financial crimes, homicides, missing persons, computer intrusions, sexual assaults, child pornography, and various other crimes, and she testifies regularly in court about her work.

Murphy suggests that investigators need to refresh their skills so that they understand smartphone data storage mechanisms at the hex level, can manually decode that data, can directly examine databases from installed applications, and are aware of the types of information that commercial mobile forensic tools commonly don’t automatically parse.

Murphy says: “There have been improvements in the security of smartphone operating systems that have made data extraction and mobile device forensics more difficult. This has led to recent claims about the ‘death’ of mobile device forensics. Fortunately, the rumours of the death of mobile device forensics are greatly exaggerated. There is still plenty we can accomplish with the data we can get from commercial and open source tools available to us, there are other data extraction methods, and there are alternative data sources we can leverage.”

With the popularity of BYOD at work, organisations should be aware of the variety of risks that mobile devices can present, but most depend on MDM solutions to manage those risks, without fully testing the capabilities of those solutions, or realising their weaknesses and vulnerabilities. Murphy also points out that smartphones don’t have the same security controls available that are relied upon with more traditional computing platforms.

“Also, mobile device security, no matter the operating system, depends on the users and administrators to keep the device up to date and properly configured. Smartphone users can be vulnerable to phishing, drive-by downloads, malware and spyware, no matter the operating system in place on the device, and so there is a need for well-trained and knowledgeable forensic examiners who specialise in the unique challenges the various smartphone OS’s present.”

Murphy is co-author of the SANS FOR585: Advanced Mobile Device Forensics course, which she will be teaching at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague from October 5 to 17.

The six-day course focuses on smartphones as sources of evidence, providing students with the skills needed to handle mobile devices in a forensically sound manner, manipulate locked devices, understand the different technologies, discover malware, and analyse the results for use in digital investigations by diving deeper into the file systems of each smartphone. Students will be able to obtain actionable intelligence and recover and analyse data that commercial tools often miss for use in internal investigations, criminal and civil litigation, and security breach cases.

Murphy will participate in a panel discussion, “Inside Windows Phone 8: Forensic Acquisition and Analysis”, on Sunday, October 11. For more on the event, visit https://www.sans.org/event/dfir-prague-2015/.


© 2024 Professional Security Magazine. All rights reserved.
