Tag Archive for mobile phone forensics

Angela Merkel’s Phone Hacked by US…

Germany has summoned the US ambassador in Berlin over claims that the US monitored German Chancellor Angela Merkel’s mobile phone.

Foreign Minister Guido Westerwelle will meet US envoy John Emerson later, in what is viewed as an unusual measure between close friends.

However, it left open the question of whether calls had been listened to in the past.

French President Francois Hollande had already called for the issue to be placed on the agenda of the summit, where EU leaders are expected to discuss Europe’s digital economy, economic recovery and immigration.

‘Completely unacceptable’
The German government has not said how it received the information about the alleged US spying. But news magazine Der Spiegel, which has published reports based on material from former CIA contractor Edward Snowden, said the information had come from its investigations.
Press review

Germany’s Berliner Zeitung regrets that “just now does the government appear to really understand what is happening”.

State monitoring of phone calls has a particular resonance in Germany – Mrs Merkel herself grew up in East Germany, where phone-tapping was pervasive.

Her spokesman said the German leader “views such practices… as completely unacceptable” and had demanded a “complete and comprehensive explanation”.

White House spokesman Jay Carney said the US “is not tracking and cannot monitor the communications of the chancellor”.

German ministers’ phones have purportedly been protected using technology from security company Secusmart since 2009. Secusmart said in March that German government officials could be issued with new, highly secured technology made for BlackBerry mobile phones.

A German technology expert told the BBC that the security services of many countries may have intercepted the chancellor’s calls before she had complete encryption.

Numerous US friends have expressed fury over the Snowden-based spying allegations.

‘No business as usual’
Germany’s press echoed a sense of indignation, with a front-page commentary in the Sueddeutsche Zeitung – one of the country’s most respected newspapers – referring to the “biggest possible affront”.

German Defence Minister Thomas de Maiziere said it would not be possible to return to business as usual. This is much more than a tiff that will blow over easily, the BBC’s Stephen Evans reports from Berlin.

President Obama had assured Chancellor Merkel in June that German citizens were not being generally spied upon.

Data vs Information – A Quest For The Computer Forensics Examiner

The main activity of the forensics examiner within an information system is to work through data by searching, filtering, and extracting information from it; evidence collection is only the preparation of that data.

For this article, it is important that the concepts of information and data are firmly understood. Equally important is the relationship between data and information, because without these concepts the forensics examiner will struggle to complete even the simplest task.

Data versus Information
The key element in almost any forensic analysis is relevant data; the shifting nature of what is relevant makes forensics an iterative approach to investigations.

For instance, in a given case a first pass of analysis may look for email that indicates planning. Another pass, as the analysis progresses, may hunt for hidden pictures that are proof of the homicide itself.

Information is best understood as data that is relevant to the case, and data is essentially any electronic evidence that is not information. In truth, information and data are equally critical; but information is more important for advancing the investigation. Consider the typical PC. It certainly contains an OS (e.g. Windows), programs (e.g. MS Word) and some stored output from those programs. It is critically important to collect evidence. Otherwise, an attorney might challenge the quality of the work.

Data as Documents
Data is logically arranged into units called documents; these documents are then saved in groups called directories or folders. These groups are in turn arranged into hierarchies, i.e. directory trees, by the design of software applications that need data logically arranged.

For instance, the use of computers in crime usually involves common applications such as MS Office, which store data temporarily to improve performance and store copies to protect the user’s data from loss or error.

Group Files into Folders
Data is logically arranged in files. This is much like how someone may sort and group printed paper records into a logical unit. For example, an employer may keep an employee’s records together by putting them in a folder.

In many employers’ records, each worker may have files such as job description, degree, and wages. Each kind of file therefore has a name that conveys its contents; e.g. “wages” indicates what the file contains. Data arranged within the files can later be retrieved by worker.

Thus, it is useful for the forensics examiner to understand why boundaries to such hierarchical structures exist. The reasons are below:

Documents, files, and directory structures reside on a physical device that has limited capacity. Therefore the device capacity itself becomes the boundary.

Implementation of user boundaries goes beyond what the physical device requires, for:

  • Data prioritization – some users might have higher or lower priority for system resources; a storage quota, for example.
  • Data separation – a user may create a boundary for spam that is separate from work-related e-mail files.
  • PC dependencies – some computers required boot-related files to be located within the first few megabytes of the physical storage device.
  • Performance – physical storage devices are known to store and retrieve data with varying performance depending on the data’s location within the physical storage device.
  • Accessibility – when directory structure boundaries are not set correctly, programs or services may fail. In such cases, boundaries of the directory structure turn into limits on the availability of a program or service.

Recovering Data From Damaged Mobile Phones

For the past couple of years we’ve successfully extracted data from numerous mobile devices, including mobile phones, smartphones, tablets, and so on. Among the devices to be analyzed, we came across faulty mobile devices (damaged mechanically, by fire, or through being kept in harsh or hostile environmental conditions) from which electronic evidence must also be extracted. We’ve developed several approaches to analyzing damaged mobile devices, which we’d like to share with our colleagues.

Before analyzing a damaged mobile device, a forensic investigator should determine exactly what is damaged within the device. It is not at all necessary to desolder a memory chip immediately and perform further manipulations on it. Experience has shown that there are usually simpler options for extracting data from damaged mobile devices.

The most typical defect in mobile devices received for forensic examination is a broken screen. In other words, the mobile device is functional but, because of the broken screen, doesn’t display any data. Examining such devices presents no difficulties. To analyze mobile devices with a broken screen, we use UFED (Cellebrite Mobile Synchronization LTD) and .XRY (Micro Systemation). We create a physical memory dump of the mobile device and extract data (a phonebook, calls, SMS messages, graphical files, videos, etc.) from it. At times, when the available tools don’t support creating a physical memory dump of the mobile device, we perform a logical extraction of data. In this case, many forensic applications for mobile device examination can be used, for instance Oxygen Forensic Suite (Oxygen Software Company). Furthermore, you can usually replace a broken screen with a new one. This makes the examination more costly and time-consuming, but it’s often the only possible solution (for example, when analyzing an Android device with the USB Debugging option disabled).

Sometimes, to extract data, we use specific flasher tools (RIFF Box, Medusa Box, etc.) designed for repairing mobile devices. Such flasher tools work through the JTAG interface. Using specific flasher tools, you can extract data from mobile devices that have damaged system software or data protected with a PIN.

Chip swapping. The approach consists of removing the memory chip from the damaged mobile device and installing it into an identical working device. In doing so, you avoid several complicated problems that you would face if you chose a “Chip Off” method: there is no urgent need to know the type of controller used by the device to process memory chip data, the format of memory pages on the chip, the type and characteristics of the file system used by the device, the format in which data is stored (Oh, once you need to manually decode a physical memory dump, you’ll see what we mean!), etc. The disadvantages of the approach include the need for a device (preferably two devices) identical to the one received for examination. Desoldering a chip is a quite complicated and laborious task. There’s a risk of destroying data through heat or mechanical damage to the chip. You may also need equipment for reballing, for instance JOVY SYSTEMS JV-RKC – a kit for reballing BGA chips.

When using this approach, you must not underestimate the possibility that, after the chip is swapped into the device, all the data on the memory chip will be erased. This often happens when the memory chip controller is mounted on the system board as a separate chip. Structurally it usually looks like a sandwich: on one side of the system board there’s a memory chip, on the other a memory controller chip.

So, if you have two identical devices that you can use as “donors”, try swapping their memory chips and examine the devices’ behavior before working on the device under examination.

Where memory chip swapping leads to data loss, you should move both the memory chip and the memory chip controller from the damaged device to the donor device.

When analyzing a damaged device, you should pay attention to the construction of its system board. We analyzed a Motorola V3 cellphone which had spent two years in the ground. The phone looked terrible. Numerous oxides had damaged its casing and system board. It was out of order. However, after the phone was disassembled, it was discovered that the system board consists of several parts. The part of the system board carrying the memory chip had suffered minimal environmental exposure. To extract the data from this phone, we purchased an identical one at an internet auction. We replaced the part of the system board carrying the memory chip in the purchased phone with the part taken from the damaged phone and read the data.

If none of the previously described approaches has helped, you’ll need to use a Chip-Off method.

An investigator who wants to extract data from the mobile device memory chip must follow four main steps:

1. Chip extraction
Chip extraction is a fairly easy job: it is enough to heat the chip with a stream of hot air from the soldering station and separate the chip from the system board. At this step, it is very important not to overheat the chip (this can lead to data erasure) or damage it mechanically. Raise the temperature of the hot air gradually.

2. Extracting data from the memory chip
Our co-workers occasionally ask us, “What flasher device ought to be utilized to extract data from the memory chip of the?” The question is wrongly posed. Mobile phone makers can change the chipset of mobile devices even while producing a single batch. In other words, when we have two mobile devices from the same batch, we can’t say with confidence that they use the same memory chips. That’s why, without knowing which specific chip is used in the mobile device under examination, it’s impossible to answer the question about the flasher tool, even if you know the phone model. Another bit of bad news is that a mobile device may have several memory chips. You need to find all of them.

3. Flash translation layer (FTL) reconstruction
This step isn’t difficult as long as you have a flasher device with an adapter for the required BGA chip form factor. However, finding such a flasher device is a big problem. We’ve had lots of discussions with colleagues about which flasher device to purchase for a Chip-Off technique. A good flasher tool with a wide range of adapters for different form factors of BGA chips can really cost a fortune. It’s unprofitable to invest that much in equipment that you won’t use often. Consequently, we’ve reached a consensus that, if needed, we’ll rent such equipment from large service centres that specialize in electronics repair.

4. Dump decoding
Dump decoding is a complicated job. The fundamentals of dump decoding are taught at training courses (for instance, those given by Cellebrite Mobile Synchronization LTD). Nevertheless, you shouldn’t assume that you’ll handle a physical dump of the phone under examination as easily as you handle a training dump. If XRY (Micro Systemation) or UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD) supports decoding a physical dump for the device you’re analyzing, then you can try to decode the extracted dump using these programs. It is easier to use UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD), since it lets you customize the sequence of actions when processing a physical dump and also create custom modules in Python for physical dump analysis.
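
To make steps 3 and 4 concrete, here is an added Python example (not from the original article and not the API of any tool named above) that rebuilds a logical image from a raw chip dump and reports superseded pages that may still hold older data. The page geometry (512 data bytes plus 16 spare bytes), the spare-area layout and the sample dump are all assumptions constructed for the example; as the article notes, the real format depends on the chip and controller.

```python
import struct

PAGE_DATA, PAGE_SPARE = 512, 16   # assumed page geometry; real chips differ
ERASED = 0xFFFF                   # assumed logical-page value of a never-written page

def split_pages(raw):
    """Yield (physical_index, data, spare) for each full page of a raw dump."""
    size = PAGE_DATA + PAGE_SPARE
    for i in range(len(raw) // size):
        page = raw[i * size:(i + 1) * size]
        yield i, page[:PAGE_DATA], page[PAGE_DATA:]

def rebuild_logical_image(raw):
    """Reorder pages by logical page number; the highest write sequence wins.
    Assumed spare layout: bytes 0-1 logical page number, bytes 2-5 write
    sequence, both little-endian. Returns (image, stale), where stale lists
    superseded physical pages that may still hold older versions of the data.
    """
    newest, stale = {}, []        # newest: lpn -> (seq, physical_index, data)
    for phys, data, spare in split_pages(raw):
        lpn, seq = struct.unpack_from("<HI", spare, 0)
        if lpn == ERASED:
            continue
        if lpn in newest and seq <= newest[lpn][0]:
            stale.append(phys)
            continue
        if lpn in newest:
            stale.append(newest[lpn][1])
        newest[lpn] = (seq, phys, data)
    image = bytearray()
    for lpn in range(max(newest, default=-1) + 1):
        # Unmapped logical pages are zero-filled so offsets stay aligned.
        image += newest[lpn][2] if lpn in newest else bytes(PAGE_DATA)
    return bytes(image), sorted(stale)

def _page(lpn, seq, text):
    data = text.encode().ljust(PAGE_DATA, b"\x00")
    return data + struct.pack("<HI", lpn, seq).ljust(PAGE_SPARE, b"\xff")

def make_sample_dump():
    """Constructed sample: three logical pages stored out of order, page 1 rewritten."""
    return b"".join([
        _page(2, 3, "SMS: see you at 9"),
        _page(1, 1, "CONTACT: Alice 555-0100"),
        b"\xff" * (PAGE_DATA + PAGE_SPARE),        # erased page
        _page(0, 2, "HEADER"),
        _page(1, 4, "CONTACT: Alice 555-0199"),
    ])
```

Calling `rebuild_logical_image(make_sample_dump())` returns the reordered image together with the list of stale physical pages; the stale list points at the older copy of the contact record, which a plain logical read of the device would never show.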