SANS Digital Forensics and Incident Response Blog: Category - Mobile Device Forensics

Open Source Android Digital Forensics Application

For some time now, I've spent most of my R&D time on Android Forensics. Gartner predicts that Android will be the #2 smart phone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbia in front. With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we've developed will provide a full forensic image of supported Android devices. With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and


Identity Theft Coming to a Mobile Device Near You

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer's account.

December 2009: Duplicate SIM card was issued to an imposter with the driver license of the victim

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information.

December 2009: USAA Thwarts Mobile App

...


Examining Windows Mobile Devices Using File System Forensic Tools

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16
OEM Name:

... Continue reading Examining Windows Mobile Devices Using File System Forensic Tools


SANS Mobile Device Forensics

sec563_8_785x90

The debut of SANS SEC563 Mobile Device Forensics course in Baltimore this month was very well-received. Attendees included information security professionals from private sector organizations, as well as forensic practitioners and government and law enforcement. Reactions from attendees demonstrate the value and practical usefulness of this course.

- CFE Graham Boyanich, #9996

...


Acquiring Data from Windows Mobile Devices

During the debut of SEC563 Mobile Device Forensics last week, Eugene Libster from ManTech brought to my attention the open sourceitsutils package for extracting from Windows Mobile devices. Components of this package, psdread and pdocread, can acquire more data from Windows Mobile devices than many commercial forensic tools, but there are several issues that forensic practitioners need to understand before using these utilities on an evidentiary device.

First, acquiring data using these utilities creates files on the device, necessarily overwriting data. Specifically, an executable file named "itsutils.dll" is copied onto the device, and an error log"itsutils.log"is created on the device. Second, these tools acquire data through a hardware

...