SANS Digital Forensics and Incident Response Blog: Category - Mobile Device Forensics

Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.

Tools:

  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the

Nokia n900 mobile forensic cheat sheet

Nokia N900
Shadowed by coverage of all things Nexus and iPad, Nokia's new n900 is the unsung hero of the smart phone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, metasploit and wireshark. Future functionality includes backtrack itself packaged as neopwn v2!

Cutting to the chase then this is a quickie cheat sheet about forensic artifacts on the n900 and where to find

...


Open Source Android Digital Forensics Application

For some time now, I've spent most of my R&D time on Android Forensics. Gartner predicts that Android will be the #2 smart phone platform by 2012, exceeding the iPhone and leaving only Nokia/Symbia in front. With an estimated 95 million devices on the market by that time, forensic examiners will inevitably begin to run across them (if you have not already).

The techniques we've developed will provide a full forensic image of supported Android devices. With the introduction of a new file system (YAFFS2) and a host of other new challenges, our community has considerable work to do to more deeply understand the device.

In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and


Identity Theft Coming to a Mobile Device Near You

The increasing use of mobile devices for banking, money transfer, and payment is increasing the risk that criminals will target these devices for financial gain.

More banks are providing customers with the ability to access their accounts using mobile devices. In a number of cases, criminals have gained access to bank accounts by tricking cell phone providers into issuing SIM cards associated with the customer's account.

December 2009: Duplicate SIM card was issued to an imposter with the driver license of the victim

In addition, fraudulent mobile banking applications have emerged for Android devices that attempt to steal personal financial information.

December 2009: USAA Thwarts Mobile App

...