Hacking Exposed

by Aaron Philipp


  The latest version of Device Seizure allows you to acquire information from literally hundreds of models of cell phones. Currently, the following cell phone plug-ins are available:

  • GSM SIM card (logical)

  • LG CDMA (logical)

  • LG GSM (logical)

  • Motorola (logical)

  • Motorola (physical)

  • Motorola iDEN (logical)

  • Motorola iDEN (physical)

  • Nokia GSM (logical)

  • Nokia GSM (physical)

  • Nokia TDMA (logical)

  • Samsung CDMA (logical)

  • Samsung GSM (logical)

  • Samsung GSM (physical)

  • Siemens (logical)

  • Siemens (physical)

  • Sony Ericsson (logical)

  Before starting a phone analysis, remember this: The amount and the types of data that can be acquired depend on the type of the device being analyzed. Usually, the cell phone plug-ins in Device Seizure allow you to acquire the following data:

  • SMS (text messaging) history, including deleted messages

  • Phonebook, including data from both phone memory and SIM

  • Calendar and To-Do list

  • Text notes

  • Voice notes

  • Call history, including numbers dialed, received, and calls missed

  • User-created files, such as multimedia, graphics, and music

  Although modern cell phones and PDAs share many features, obvious differences exist in the underlying technologies used, and because of this you cannot think of a phone analysis in traditional forensic terms. One of the first major differences is that phone data storage is proprietary and based on the manufacturer, model, system, and other information.

  SMS/EMS Data SMS stands for Short Message Service, which to most of us translates to text messaging. Both incoming and outgoing SMS can be saved to the phone or SIM card. When the SMS is saved to the SIM card, it’s encoded to Protocol Data Unit (PDU) format (a Global System for Mobile Communications [GSM]-specified documented format that is used to store the SMS on the SIM card). But when the SMS is saved to the phone, the format is defined by the firmware developers. That means that even the same models of phone can contain SMS messages that are encoded in different formats, and the format of the SMS depends on firmware that is installed on the phone. In the phone, the messages can be stored as one database file, in multiple files (each SMS message in a separate file), or in the EEPROM/user-data area of the NOR flash memory.
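Because the SIM-side PDU format is a documented GSM standard (GSM 03.40 / 3GPP TS 23.040), an examiner can decode such a record independently of the vendor tool and verify what the tool reports. The following is an added example, not code from the book or from Paraben's Device Seizure: it parses a constructed SMS-DELIVER PDU (SMSC, originating address, service-centre timestamp, and GSM 7-bit text); the phone numbers, timestamp and PDU bytes are made up for illustration.

```python
# Added example: decode a GSM 03.40 SMS-DELIVER PDU (7-bit default alphabet) as a SIM stores it.
# All numbers, timestamps and PDU bytes in this file are constructed, not from a real handset.

# GSM 03.38 default alphabet; ASCII letters and digits map to themselves
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")


def swap_bcd(raw: bytes) -> str:          # digits are stored low nibble first: 21 43 -> "1234"
    h = raw.hex().upper()
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2)).rstrip("F")  # F pads odd lengths


def address(toa: int, digits: bytes) -> str:
    number = swap_bcd(digits)
    return "+" + number if (toa & 0x70) == 0x10 else number  # TON 001 = international


def unpack_7bit(data: bytes, septets: int) -> str:
    out, bit = [], 0
    for _ in range(septets):
        idx, shift = divmod(bit, 8)
        v = data[idx] >> shift
        if shift > 1 and idx + 1 < len(data):  # septet straddles two octets
            v |= data[idx + 1] << (8 - shift)
        out.append(GSM7[v & 0x7F])
        bit += 7
    return "".join(out)


def decode_sms_deliver(pdu_hex: str) -> dict:
    raw, pos = bytes.fromhex(pdu_hex), 0
    smsc_len = raw[pos]; pos += 1                     # SMSC octets incl. type-of-address
    smsc = address(raw[pos], raw[pos + 1:pos + smsc_len]) if smsc_len else ""
    pos += smsc_len
    first = raw[pos]; pos += 1                        # TP-MTI in bits 0-1, TP-UDHI in bit 6
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    n_digits = raw[pos]; pos += 1                     # originating address length, in digits
    oa_octets = (n_digits + 1) // 2
    sender = address(raw[pos], raw[pos + 1:pos + 1 + oa_octets])
    pos += 1 + oa_octets
    dcs = raw[pos + 1]; pos += 2                      # skip TP-PID, keep TP-DCS
    if dcs & 0xEC:
        raise ValueError("only uncompressed GSM 7-bit DCS handled here")
    ts = swap_bcd(raw[pos:pos + 7]); pos += 7         # YYMMDDhhmmss + tz in quarter hours
    tz_hi = int(ts[12], 16)                           # bit 3 of the tens digit is the sign
    quarters, sign = (tz_hi & 7) * 10 + int(ts[13]), "-" if tz_hi & 8 else "+"
    timestamp = (f"20{ts[:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
                 f"{sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}")
    udl = raw[pos]; pos += 1                          # user-data length in septets
    text = unpack_7bit(raw[pos:], udl)
    if first & 0x40:                                  # TP-UDHI set: drop header + fill bits
        text = text[((raw[pos] + 1) * 8 + 6) // 7:]
    return {"smsc": smsc, "sender": sender, "timestamp": timestamp, "text": text}


# Constructed PDU: SMSC +441234567890, from +447700900123, 2024-03-15 14:30:00+00:00, text "hello"
SAMPLE_PDU = "0791442143658709040C9144770009103200004230514103000005E8329BFD06"
```

The same unpacker also applies to the phone-side user-data field of an AT+CMGL/CMGR dump, but phone-memory records in vendor formats (the case the text describes next) need the firmware-specific layout first.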

  MMS Data MMS stands for Multimedia Messaging Service, which to most of us means text messaging with pictures or videos. Because MMS messages can contain multimedia attachments along with a plaintext message, they are generally stored as files within the phone file system. MMS messages can be stored as solid files that contain both the message header (MIME encoded) and the message body and attachments. They can also be split into several files: header, body, and attachments.

  Phonebook The phonebook, like SMS, can be stored in the SIM card or in the phone. In the phone, it can be stored in one database or in the EEPROM/user-data area of the NOR flash memory. The data format is defined by the firmware developers.

  Calendar and To-Do Calendar and To-Do records may be stored as records in the database files (the format is defined by the firmware developers) or within an EEPROM/user-data area of the NOR flash memory.

  Voice Records The voice record format depends on the voice codec chip that is installed in the phone. For example, Samsung GSM phones contain a voice chip that encodes the voice into Adaptive Multi-Rate (AMR) format. But the Samsung CDMA phones don’t encode voice data. They record the data directly from the digital signal processor (DSP). The voice records can be stored as files or within an EEPROM/user-data area of the NOR flash memory.

  Browser Bookmarks The format depends on the browser used in the firmware. Some of the browsers can save the data to the file system, but, generally, bookmarks are saved to the EEPROM/user area of the NOR flash memory.

  User-created Files Most phones limit the user files to melodies, pictures, phone, and video files, but newer phones allow users to upload any type of file. Sound formats are usually MIDI, MMF (SMAF), AMR, MP3, WMA, WAV, and AAC. The standard picture/photos formats are JPEG, GIF, and BMP. The video formats are generally proprietary, but some phones encode video to the Motion JPEG or 3GP format. The video/photos encoding format depends on the camera chip used in the phone. Some of the phones store the pictures/video without any changes—that is, the file remains the same after it is uploaded to the phone. But some phones convert the uploaded files into proprietary formats to reduce the file size, and during the download process the files are converted back into the PC format.

  Acquisition of Cell Phone Data

  The first step in the acquisition is to make sure the phone is correctly connected to the system you will be using. As with PDAs, this means having the appropriate cable to attach the phone to your computer. If you don’t have the cables that came with the phone you’re working with, you can purchase cable kits from retailers and a Device Seizure cable kit from Paraben.

  After the phone is connected to your system, you can start the acquisition using the same wizard discussed in the PDA portion of this chapter. The same interface and dialogs are used, so I won’t waste space by inserting the same images. Refer back to the steps detailed in “Acquisition of a Windows-based Device,” except select a phone, not a Windows PDA. Note that, depending on your selection in the Device Type Selection dialog, the options for what data can be acquired will change in the screen shown in Figure 13-15.

  Figure 13-15 Device Seizure’s Data Type Selection dialog set for phone data types

  If you chose GSM SIM card as the manufacturer, only one option will appear in the Data Type Selection dialog.

  Once the wizard completes, click the Acquire button to begin the process and wait for the acquisition to complete. (A lot of your time in computer forensics work will be spent waiting—don’t let anyone tell you otherwise.) The end result will be a Device Seizure .PDS file.

  Analysis of Cell Phone Data

  After the .PDS is loaded, you will be able to see the data associated with the device, as shown in Figures 13-16 and 13-17. At this point, you can run keyword searches and bookmark findings for later inclusion in the final report.

  To document your findings, you can access the reporting functions by choosing File | Report or by clicking the Report button on the button bar. The software will then prompt you for the report format options as discussed earlier in the chapter. After you’ve saved the file, it can be opened with an editor so that you can add a logo, handling and classification information, and other information.

  Figure 13-16 Calendar data

  Figure 13-17 Phonebook data sorted by the Name column

  Working with Earlier PDA Seizure or Cell Seizure Data Formats

  If you have an older copy of either PDA or Cell Seizure that you’ve used to acquire a device, and you upgrade to Device Seizure, you will not be able to open older format files with it. You must first convert the older image and case formats to the current .PDS standard. Luckily, you can use a wizard that does it for you. To launch the converter, choose Tools | Case Converter. The wizard initiates and walks you through the process. First, as shown in Figure 13-18, select Browse to pick the location of the older case. Second, as shown in Figure 13-19, select the case file and click Open. Third, as shown in Figure 13-20, click Yes if you want to open the converted case.

  Figure 13-18 Case Converter Wizard

  Figure 13-19 Find the PDA Seizure .PDA files or Cell Seizure workspace files

  CONCLUSION

  After reading this chapter, you should understand that PDAs and cell phones can offer a vast array of potential evidence in any investigation. Today these devices are more than just digital assistants—in many cases, they are high-tech diaries as well as a medium for transacting business. Some people spend more time with their PDAs than they do with their own children (a fact that no investigator should overlook).

  Figure 13-20 You may now open the converted files or not.

  PART IV

  PRESENTING YOUR FINDINGS

  CASE STUDY: WRAPPING UP THE CASE

  During and at the conclusion of the ACME Services case, we drafted several reports to counsel that were used to make decisions. With counsel’s advisement, we produced reports and summaries of the evidence found for the US Attorney’s Office and the US Secret Service. We did this so they could understand and re-create what we had found.

  He Said, She Said…

  Civil investigators need to understand what happens when the line is crossed and the findings become part of a criminal case. No one can testify to facts that were told to them by another party—this is considered hearsay—so the findings must be reproducible and verifiable by other investigators. We carefully document our procedures so other investigators can follow our steps and reproduce the results that we found. When another party re-creates our findings, they have first-party knowledge, which makes the evidence they recover admissible in court.

  We carefully documented our methodologies and search terms to aid the US Secret Service so they could reproduce our findings. The Secret Service was then officially involved in a criminal case and had to have first-party knowledge of the investigation’s findings so they could testify on the matter.

  The US Attorney’s Office then brought the suspect into court with the Secret Service acting as their witness. With a solid case in front of him, the judge revoked Charlie Blink’s bail and placed him in custody pending trial. The trial was successful for the prosecution, and Blink was found guilty. Charlie Blink remains in prison today.

  CHAPTER 14

  DOCUMENTING THE INVESTIGATION

  After you complete an investigation, you must deal with the most nontechnical part of the process, commonly viewed as the least entertaining part of the job: reporting. Reporting is, however, one of the most crucial parts of an investigation, because if you cannot clearly relate the facts of the matter to your audience, all of your hard work will be for naught.

  READ ME

  Your report is the one common tool that you and nontechnical people will use to discuss and understand your findings. Being able to write a clear, concise, and factual report is one of the more difficult aspects of the job for a technically oriented person, because your audience is usually not technical, so they will not understand all the terms and technology that you have employed in your investigation and may not be able to understand the impact of the “smoking gun” you found.

  Such communication can be difficult. You must use care in your explanations to be sure that what you report can be understood and supported with evidence. If, for example, you tell someone what you know to be true based on the evidence you reviewed, you must make sure that your evidence proves what you say. Assumptions can lead to lawsuits for negligence or criminal complaints if your opinion is not based on hard, reliable evidence.

  Events that can be reconstructed, re-created, or at least given credibility through some outside source are the only events you should represent as facts in a report. No matter how convinced you are of someone’s intentions, motive, or guilt, it is your place as the forensic examiner to report only what the evidence tells you. You can offer your opinions during a conversation about the case, but you must not document these opinions in your report unless they can be based on facts. Your expert opinion is based on the facts you are able to ascertain from the evidence, not based on other assumptions. Documenting opinions that are not based on factual evidence can be used against you at a later time.

  Different types of reports are used for different situations. The type of report you are asked to generate should indicate the magnitude of the work you are about to undertake. While an internal report to your manager may be informal and represent basic facts, an expert report to the court must be prepared with care and submitted only when you are confident with each fact and opinion you have put to page.

  The reports discussed in this chapter are shown in Table 14-1.

  In every kind of report, some specific items should be considered or included. Screenshots and any other illustration or visualization that you can provide are extremely helpful. Not all managers, attorneys, or judges are technically savvy and many have never before handled digital evidence. The more straightforward your evidence and the more support you give for evidence through visual representations and reconstruction, the more compelling your argument becomes.

  Table 14-1 Types of Reports

  INTERNAL REPORT

  The internal report is by far the most common report you will create. While the internal report is not a formal representation to the courts, it is a serious document. When you finish an internal report, it normally is first reviewed by your manager and then, if action is warranted, is passed on to your general counsel. The general counsel (your company’s head internal attorney) may decide to take legal action against some person(s) depending on what you documented in your report.

  Always explain every detail clearly to your attorney, whether he or she is internal to the company or from an outside firm, as the need to understand any legal assumptions or risks that may result from the evidence used for your report is paramount. All communication with the attorney and documents that you create at the direction of your attorney are held as attorney-client privilege. This means that whatever you tell your attorney is going to remain private and will not be presented to the opposing counsel as evidence. However, if legal action is undertaken, you may be asked to create a declaration or affidavit that restates your findings for the court. Anything you produce in these documents will be heavily scrutinized by the opposing counsel.

  In some cases, you may be acting in a consultative role for the company. Many companies choose to hire outside consultants either to verify an internal investigation or to handle the investigation completely. The most common reason for hiring outside the company is that employees who perform the internal investigations can become fact witnesses. This means that the employees can be subpoenaed by the opposing counsel or by their own attorney to testify to their first-person knowledge of events in front of a judge. This can be a risky endeavor, as an employee will always know more personal and nonrelevant information about a coworker, and this can be used by opposing counsel to claim a bias against the suspect.

  When acting as a consultant, you should always follow the general principles of internal reporting: create clear, concise, and informal reports that explain in detail the matter at hand. Obviously, as a hired consultant, you are held to a higher standard of quality and professionalism, as the report is hopefully the product of a well-paid and well-qualified consultant. As a consultant working at the direction of the attorneys, you also are covered by attorney-client privilege—any communication and work product created for the attorneys cannot be subpoenaed by the opposing counsel.

  However, as a legal case enters the system, you may become what is known as an “expert consultant” or “expert witness.” Be aware of an important and distinct difference between these roles. An expert consultant acts in an advisory role to the attorneys and is covered by attorney-client privilege. An expert witness does not have this privilege; all communication that is relevant to the case at hand, whether created during or before your appointment as an expert witness, is discoverable. This includes conversations of which you are a part or that you have overheard; e-mails you have sent, received, or been CC’d on; and any reports you may have created. Make sure that you communicate to your attorney early and often about your role in any litigation to make sure that you both understand the impact of your report. While an early doubt expressed in a report may be clarified and reinforced at a later date, the documented existence of the doubt can be used against you by the opposing counsel.

  Construction of an Internal Report

  Some forensic tools such as ASR Data’s SMART, Guidance Software’s EnCase, Technology Pathways ProDiscover, Paraben’s P2 suite, and AccessData’s Forensic Toolkit allow you to create reports. The reports generated by these tools are normally collections of bookmarked evidence that you have noted during your investigation, along with the structure of the disk in question, some information about the image itself (such as the MD5 hash), and any notes you might have created during your investigation. While this is valuable information and contains key evidence that will support your report, it should not be your end product.

  Most internal reports begin with a statement describing the specific situation. Oftentimes, this is encompassed in an executive summary, a summary of the facts written at a high level that an executive from your company or your client should be able to read to ascertain what you have done. An executive summary might look something like this:

  I, Ima Investigator, was asked to investigate Mr. Suspect by Ms. Supervisor in regard to Mr. Suspect’s e-mail communications with competing companies. I was requested by Ms. Supervisor to create an image of Mr. Suspect’s computer system on this date. The following report serves as a summary of my findings.
