Ask the Expert: Amber Schroader of Paraben Corporation

Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, Six Keys to Conducting Effective Mobile Forensic Investigations. A number of our attendees had questions that we wanted to capture here along with Amber's answers.

What do you recommend when dealing with the drivers on pay-as-you-go devices?

When doing smart devices with pay-as-you go providers, you typically do have to work with different drivers that come from that provider. For example, a Tracphone pay-as-you-go Android will have different drivers than the standard Android device that was released to Verizon. I work a lot in virtual machines, which is nice because I can roll back drivers through the VM. However, when I work on standalone systems for my examinations, I have a separate system that I don’t work with a full driver pack on and I only install drivers as needed, which is where I do my pay-as-you-go devices. I will blow a fresh image to this machine after each device to ensure all conflicts are removed. Those conflicts in drivers are what will stop most of the pay-as-you-go devices from processing.

What do you do with feature phones like Nokia, Samsung, LG, and Motorola?

I follow the same process with all the devices--smartphones or feature phones-- which means physical, logical, and then accessories in processing. I'm still receiving a good percentage of feature phones with the cases that I will work as they are trending up in popularity.

What kind of information can you get from cell tower records? 

Typically you can get the longitude and latitude of the call details from the device, as well as date and time stamps. It's a great way to get reference points to where calls would have been geographically made. I'll take this data as well as data from a device if the location services were turned on, which will allow you to pinpoint geographic location for the calls, etc.

What is the value of IP Box? Does it work?

An IP Box is a brute-force attack for iOS devices and there are devices, as well, that work with Android. We have tested a few of the options out there and have had mixed results; on 3 out of the 5 devices we tested were bricked upon using the IP Box which was a really high risk as the device if it were evidence they would have been destroyed. The other problem is the flaw that the IP Box typically exploits with the iOS versions was patched, so it will not work with updated devices. The problem with encryption will plague us forever as it always has. I guess the examiner needs to keep that in mind before they get caught up in a trend that might be able to help with one case but not be able to help them long term. I think the IP Box approach as it stands is a short term patch not a long term solution. The FoneFunShop in the UK will preview and make available a lot of these type tools and examiners can look there for details.

What is the process you recommend for working with a device, what steps for logical to physical, etc.?

With most of my examinations, I typically try to work with the device physically, then logically. The reason I do this process is because if the device is encrypted, a lot of times you can get around the encryption with the physical methods and even in some cases do a simple text search for “password” and then find the password for the device that is needed for the logical image. After I have both of those images, I then will process the media card and SIM card separately so I can review that data as well. If I have CDR records, I will add that into the processing, too.

Many investigators uncover data that is encoded, but confuse it as encrypted. Can you discuss the difference?

Encoded data is data that needs an interpreter to be able to have us understand what it is saying while encrypted data is data that has been converted to cypher text. Thinking of it like a puzzle with the encoded data we have the box and we have to reference the box to be able to make sense of the pieces. With cypher text we have a variety of puzzle pieces from a variety of puzzles mixed together and we have no box for reference.

Which devices do you see are emerging as the most difficult to deal with for digital forensics?

Smartphones are still the hardest with the encryption changes and the cloud storage capabilities.  The other area that is always difficult with them, and that we are seeing such a strong push in, are the burn phone or pay as you go market with smartphones and they all are flashed differently than what we see from the standard telecom versions.

You talked about manufacturers like Apple and their position on encryption and law enforcement – how do you see these affecting investigations?

I think as the manufacturers pull more to privacy instead of investigations, it's going to get harder and harder for us to gain access to the device. We will start doing a lot more monitoring and even live capture in investigations or have to work more and more with backup records and gain access to records in the cloud.

Is there any rooting kit that is recommended over another? I'm thinking in terms of forensic soundness and reliability.

Each rooting option is typically custom based on your tool selection for acquisition. With all acquisition tool methods, you should validate and check how they are processing the device.

Does a device in DFU mode still require a user pin/password for acquisition?

No, it's no longer needed. However, please note the restrictions on what devices support DFU mode.

Is there any particular rooting kit, for example Kingo for Android, that is recommended over another

For rooting a device, it will depend on the method used by your acquisition tool. Most of them choose to design their own root method. Rooting a device will not change access unless that is the technique used by your acquisition tool.

Any solutions for Chromebooks?

Chromebooks are an odd hybrid in devices and for us are currently being researched for support addition. We've had difficulties with some of the encryption that is found by default on the device and are working to get around those barriers.

Are Blackberrys still the most difficult devices to crack?

BlackBerry devices are still very difficult to work with. The reason is they still are a very clean device. Even when working with the new 10 devices in Device Seizure, we have to work with them through doing a backup record and then parsing that record. However, the one part that has improved is that the newer BB devices do use Android Apps so the parsing of that data is easier than when they worked 100% proprietary.

Is there any way to analyze BlackBerry RAW data for analysis (malware for example)?

BlackBerry devices are not as easy to do a physical image to get a RAW image. We have very limited capabilities in this area as most companies do. This does prohibit you from being able to do some of the file system analysis you need to be able to do for malware detection. With all BlackBerry devices, the support changes by model so it is something to check and make sure the file system acquisition is supported to be able to do that type of scan.

How effective are factory resets in truly wiping all data?

Most of the data is cleared in a factory reset, but it's always good to go back and check. I do an image before and after and compare the data to make sure all user-oriented data has been removed from the device.

I noticed that since Apple Devices like to power up upon plugging in, I guess if you're going to put it into DFU mode you should do it in a box. After it goes into DFU mode, is it active with a network?

It is no longer active on the network when it is in DFU mode. You do have to power it off completely to get it to go into DFU.

Can a VM assist in minimizing driver conflicts between pay-as-you-go and contract phones?

Yes, virtual machines can be a good tool to work with all the changing drivers with mobile devices. I use the rollback functionality with my virtual machine to be able to adjust for the different drivers.

How about encrypted iTunes backup?

iTunes backups can have encryption that is separate from the device encryption. Depending on the version of the device that you are dealing with, you can get around this encryption through a physical image done through DFU mode. There are also third-party tools that can break this encryption, such as Elcomsoft and Passware.

I know there are many tools available on the market, do you know of or would any of you have plans to integrate tools such as Oxygen, or the way they parse data and some of their viewers into EnCase Forensic?

I know that we do not have plans to integrate with Oxygen. Integrating with a tool like EnCase Forensic makes a lot more sense. For our approach, as it stands, we read other tools image formats into Device Seizure so that you can cross validate, etc.

Also, is putting a device into airplane mode a viable option instead of using a Faraday device or 30 sheets of foil?

Airplane mode is a viable option in a lot of cases, but if I know I'm working with evidence that is set to go to court, I still prefer to use the Faraday cage option to ensure I have the best protection. Since I did not design airplane mode on the device, I cannot testify to what it is doing and whether it's 100 percent blocked from activating any signals on the device. I like to have the strength of the physics behind me by using a Faraday cage.

Taking off your vendor hat, can you compare the offerings from the leading mobile hardware acquisition device providers?

There are a lot of advantages and disadvantages to every tool. It's like looking for the perfect car. You'll always find something you wish you had. What I do to really break down the tools is I run them through my test plans and then rank my tools based on how they did in the test plan. I then will process through devices based on the tools capabilities for that type of device. I will always process the device with both my tier 1 and tier 2 tool and then check the results as you never know if one tool will see something the other does not. I think it is a mistake for a lab to just have one tool with any type of examination but especially when it comes to mobile devices because they are so diverse and difficult to deal with. If a tool does not pass my test/validation plan I do not use it.

What signals can the mobile device receive that need to be protected against when there is no internet or cell service connection, or those services have been turned off?

I believe in covering yourself with the device signals, because it's something you literally cannot see that will destroy the evidence.  I always use a Faraday device when processing if I know that the device needs to be maintained as pristine evidence. Some of the civil cases I deal with just want the data and have already not maintained it properly so for those devices my SOP I put in airplane mode. Bluetooth and possibly IrDA for older phones are the most common signals outside of internet and cell service.

Is there any listing anywhere that has a continuously updated list of devices and whether they can be physically imaged / logically imaged.  Or just any particular quirks with a model?

There is no general listing for that data as it is about the capabilities of the tool you're using on what it will support with each device. Guidance Software and my company, Paraben, maintain a current list of all the supported models and device profiles we support and what is supported with each, but this list becomes outdated as soon as new phones are released, so we often support more devices than are on our own list. I am guessing many of the other tool companies maintain a similar list and you just have to request it.

What are your views about time constraints in an investigation since every device may be different and you advise to keep trying to get to the data?

With time constraints, I would recommend you work with a logical image in most cases. The advantage with the logical image is that with smart devices they contain a lot of deleted data in the logical structure because the data in a database. It is the fastest acquisition option that will yield you the highest results if you do not have the time to do all the available processing on the device or are experiencing problems with full physical imaging.

Can you discuss best practices in working with iOS 7 and 8 passwords and how to work around them?

With a lot of the later iOS devices there are just not a lot of options out there. I discussed both password recovery with software and with hardware in a few of the other questions; both have risks. In the end this is a problem we will be facing for a long time with us as investigators simply being locked out of the device by the manufacturer.

Do you have any advice for by-passing PINs?

For bypassing PINs there are a few options out there.I look at FunFoneShop in the UK for a lot of the flasher style attacks. I have answered another question about IP boxes as they are the latest trend. With all the bypass hardware options, be very careful as I have had them brick the phone before. It requires testing and you need to weigh the risk to reward. For software options I have used both Elcomsoft and Passware tools with good results with both. The software has less of a risk but still should be tested.

Do you have any suggestions for approaching mobile malware with a similar methodology as your app rule? 

Malware/spyware is a little bit harder, but the principle is still the same as far as finding the app data. You need to make sure your mobile forensic tool will acquire the file system on the device. As long as it does that, you will be able to find the malware/spyware as that is where it is stored.

Is it true that if you do not have the pin for an iPhone 5 and above, it is impossible to analyze it?

That is correct; you do need to be able to have the lock to gain access. They changed chips on the device so you cannot get around it by doing a physical image. However, I still get devices of all ages in that I use the physical bypass on.

What is the investigation like with a locked device?

Depends on the device and what has locked it. With feature phones, a lot of times you can get around locked devices by doing a physical image first and then searching for “password”. It will show in the physical image. For smart device, it depends on the device. With a lot of them, it will be firmware dependent as well as hardware dependent as we can get around of a lot of locks software-wise but because they tie them to the chips, that has caused a greater barrier. It is much easier to work around Android protection than iOS. I also use 3rd party decryption tools such as Passware and Elcomsoft for password breaking.

What about password-protected iOS 8 devices and how to work with them – IP boxes?

I had another question about IP boxes. They're a risky option when it comes to password-protected devices and they also don’t work past 8.1. Right now you're stuck with only risky options that do risk the entire integrity of the device. You have to decide if the risk is worth it as those types of brute force attacks like IP boxes can destroy the device.

We use Good technology for our MDM, which is containerized. Would this data be available for investigations?

It depends on how they're storing the data. I have not reviewed that particular tool, but my guess is they're storing it in a database. If that database is encrypted, it should be fine, but you'll want to check that as the raw databases used in mobile devices can be parsed.

Can forensics be conducted remotely or do you have to have the actual device?

As it stands now with mobile forensics, you do have to have physical access to the device to be able to do an acquisition. I do not believe that will always be the case, but for now it is.

How did you get involved in digital forensics at the beginning of your career and what would you say the process is now for someone interested in breaking in to the market?

I found this a great field for the dyslexic, which I am. We do things backwards naturally and it really has helped in my problem-solving and investigative skills. I was involved early because I was willing to give something that was not popular a try. For those getting into the field I recommend that they specialize and really get strong skills in one area but still be able to do other types of examinations. A good example is mobile forensics. A lot of investigators who work in this area do not do hard-drive examinations.

You mentioned that there was a Supreme Court Ruling concerning seizure and shielding. Do we have a case that we can research?

Here's a link to an article. There are many other references as well. I am not a lawyer, so I don't want to offer an unqualified opinion.

What about airplane mode?

Airplane mode can be useful to be able to take the device off the network. It is not a method I use frequently, but it is a viable option. In most scenarios I don’t recommend it as it requires the first responder to place the device in airplane mode and I don’t advise that someone who has not been trained fully start rummaging through the device.

Comments? More questions? What works for you? We welcome your thoughts in the Comments section below.

No comments :

Post a Comment