SANS Digital Forensics and Incident Response Blog: Category - Mobile Device Forensics

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.

Tools:

  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the

Nokia n900 mobile forensic cheat sheet

Shadowed by coverage of all things Nexus and iPad, Nokia's new N900 is the unsung hero of the smart phone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs Nmap, Aircrack, Metasploit and Wireshark. Future functionality includes BackTrack itself packaged as neopwn v2!

Cutting to the chase, then, this is a quickie cheat sheet about forensic artifacts on the N900 and where to find

...


Open Source Android Digital Forensics Application

For some time now, I've spent most of my R&D time on Android Forensics. Gartner predicts that Android will be the #2 smart phone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbian in front. With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we've developed will provide a full forensic image of supported Android devices. With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and


Identity Theft Coming to a Mobile Device Near You

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer's account.

December 2009: Duplicate SIM card was issued to an imposter with the driver license of the victim

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information.

December 2009: USAA Thwarts Mobile App

...


Examining Windows Mobile Devices Using File System Forensic Tools

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16
OEM Name:

...