Mobile And Digital Forensics

Satvik Gupta

Risks Created By Wireless Technology

  1. Wireless is shared and uncontrolled: the radio medium is open to anyone within range, and the organization does not control who listens on it.
  2. Mobile devices are transient. They are always moving around, so detecting suspicious activity becomes difficult.
  3. Ease of use - As wireless is easy to use, people become familiar with it and become comfortable and careless with security.
  4. It's easier to attack: no physical access or cabling is needed, and the signal usually extends beyond the building.

Wireless Technologies in Use

PAN (Personal Area Network)

Bluetooth

Infrared

Ultrawideband (UWB)

ZigBee

Wireless USB

LAN

Wireless Local Area Networks

802.11

900 MHz Packet Radio

MAN

A Metropolitan Area Network is designed to provide broadband connectivity to a densely populated area. Could be cities, counties, campuses. AKA Last Mile Solutions.

Microwave

Free Space Optics

Ricochet

WiMax

Worldwide Interoperability for Microwave Access, 802.16

WANs

WANs are intended for communications between mobile and fixed devices worldwide.

Satellite

Satellites use radio waves just like other wireless technologies. Used for television, GPS, ISPs, etc.

Cellular

Blackberry

Email, file sharing, voice and SMS, calendar, Internet, attachments, etc. between BlackBerry users.

Paging

SMS


Wireless Network Security Threats

Eavesdropping

Someone else can read the transmitted information, even from outside the building.

Traffic Analysis

Patterns of communication and data flow can be monitored and may yield information.

Data Tampering

Information can be deleted or modified in transit via a man-in-the-middle (MITM) attack.

Masquerading

Attacker can impersonate an authorized user and gain access to information.

Denial of Service (DoS)

Attacker can jam frequency channels using hardware jammers, or exhaust the AP by sending a large number of requests.

Wireless Client Attacks

Attacker can trick clients into connecting to an unsecured network and gain access to the data present on the client machine. The compromised client can now also be used to access the internal network and the data stored on it.

Other Issues with Wireless

Spread Spectrum isn’t Secure

Spread Spectrum is a modulation technique that spreads a signal over a wide frequency band, which makes it resistant to radio jamming and interference.

In general, spread spectrum uses spreading codes, which can be changed. Without knowing the correct code, a receiver cannot despread the signal and recover the data, which is why spread spectrum is sometimes mistaken for encryption.

However, the 802.11 standard publicly describes the spreading codes so that interoperable 802.11 components can be created. Any attacker with an 802.11-compliant radio therefore already has the "secret" and can receive the traffic; spread spectrum adds no confidentiality.

SSIDs are not designed as passwords

SSID - Service Set Identifier. It is a network name, sent in the clear in beacon and probe frames, so it identifies the network but does not authenticate anyone.

WEP is weak

Wired Equivalent Privacy.

WEP encrypts each frame with the RC4 stream cipher, keyed with a 24-bit Initialization Vector (IV) prepended to a static shared key. The IV is sent in the clear, the IV space is small enough that IVs repeat, and certain "weak" IVs produce keystreams that leak bytes of the key. So WEP regularly produces cryptographically weak ciphertext.

Steps to attack WEP.

  1. The attacker runs Kismet to discover WLANs in the area. He gets each network's SSID, channel number and BSSID (Basic Service Set Identifier, the MAC address of the AP).

  2. APs can hide their SSIDs, using an option called SSID Cloaking / SSID Broadcast Disable.

    If this is the case, the attacker has to wait for a client to connect to the AP (the client's probe and association frames, and the AP's responses, disclose the SSID). The attacker can also force an already connected client to reconnect. This is done by sending the client a deauthentication frame with the AP's address spoofed as the source, which tells the client that it has lost its connection with the AP. The client attempts to reconnect, and exposes the SSID.

  3. The attacker puts his wireless card into monitor mode. The card will eavesdrop on the WLAN (even without connecting to it). He makes the card listen on the channel of the target AP. All the traffic monitored is saved in a capture file.

  4. WEP uses Initialization Vectors (IVs), which are values used to start a cryptographic process; each frame carries its IV unencrypted. When a certain number of weak IVs have been captured, the WEP key can be determined statistically. Roughly 125k packets are needed to crack 40-bit WEP keys, and 200-250k packets for 128-bit (104-bit key) WEP keys.

  5. If the WLAN is slow, the attacker will need to accelerate the attack to capture the right number of weak IVs. The attacker injects an already captured WEP frame (typically an ARP request, which the AP relays) back into the network, and each relayed frame is encrypted under a fresh IV. WEP has no replay protection mechanism, so the AP accepts the replays.

    512 packets injected per second - 10 mins for 40-bit keys, 30 mins for 128-bit keys.

  6. After a sufficient number of IVs are captured, the attacker runs Aircrack (now aircrack-ng), which will attempt to crack and return the WEP key. Once the key is known, the attacker can connect to the AP in the same way a legitimate client would.
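The IV weakness behind steps 4 and 5, shown in code. This is an added example and not part of the notes or of any tool mentioned above: the key, IV and frame contents are constructed, and the weak-IV test is the original FMS class (IVs of the form (B+3, 0xFF, x)), the simplest of the IV families that aircrack-ng's statistical attacks draw on. It goes slightly beyond the steps above by also showing what IV reuse costs: once one frame under an IV has known plaintext (the LLC/SNAP header of every IP frame is a real fixed prefix), every other frame under that IV decrypts without the key, a replayed frame is accepted unchanged, and the birthday bound says random 24-bit IVs start repeating after only a few thousand frames.

```python
"""Why WEP's IV handling is weak (added example, not from the notes)."""
import math
import struct
import zlib

KEY = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # fixed LLC/SNAP header every IP frame starts with


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP runs it on IV || key for every frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def with_icv(payload: bytes) -> bytes:
    """WEP appends a CRC-32 'Integrity Check Value' before encrypting."""
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as sent on the air: 3-byte IV in the clear, then RC4(iv||key) XOR (payload||ICV)."""
    plain = with_icv(payload)
    ks = rc4_keystream(iv + key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt and verify the ICV; returns the payload, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    return plain[:-4] if with_icv(plain[:-4]) == plain else None


def is_fms_weak_iv(iv: bytes, key_byte: int) -> bool:
    """IVs of the form (B+3, 0xFF, x) are the classic FMS 'weak IVs' that leak key byte B."""
    return iv[0] == key_byte + 3 and iv[1] == 0xFF


def keystream_from_known_plaintext(frame: bytes, known_plain_with_icv: bytes) -> bytes:
    """Ciphertext XOR known plaintext = the keystream for that IV, reusable against any frame with that IV."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plain_with_icv))


def decrypt_with_keystream(frame: bytes, ks: bytes) -> bytes:
    """XOR with a recovered keystream and strip the ICV; no key needed."""
    plain = bytes(c ^ k for c, k in zip(frame[3:], ks))
    return plain[:-4]


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames sent before an IV repeats with the given probability (random IVs)."""
    return math.ceil(math.sqrt(-2 * (2 ** iv_bits) * math.log(1 - probability)))


def demo() -> dict:
    iv = bytes([0x03, 0xFF, 0x7C])                           # weak for key byte 0 (3 = 0 + 3)
    known = LLC_SNAP_IP + b"attacker-triggered ARP body"     # constructed; attacker knows all of it
    secret = LLC_SNAP_IP + b"secret"                         # constructed victim frame under the same IV
    f_known = wep_encrypt(KEY, iv, known)
    f_secret = wep_encrypt(KEY, iv, secret)
    ks = keystream_from_known_plaintext(f_known, with_icv(known))
    return {
        "weak_iv": is_fms_weak_iv(iv, 0),
        "recovered_without_key": decrypt_with_keystream(f_secret, ks),
        "replay_still_valid": wep_decrypt(KEY, f_known) == known,  # no sequence counter: replays pass
        "frames_until_iv_repeat": frames_until_iv_repeat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run with `python3`; the dictionary printed by `demo()` is the whole argument against WEP in one place: the IV is known to the attacker, a replay is indistinguishable from the original, and the keystream for an IV, once learned, is good for every frame that reuses it.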

War Driving

People driving around in a car equipped with wireless gear, looking for unsecured wireless networks. Some of them specifically look for APs that front a certain kind of server, such as security or financial servers.

Sometimes people just do it harmlessly, for e.g, just checking the radio environment.

War Chalking

War driving + marking the places with chalk. Different symbols are used for open, closed, and WEP APs.

War Flying

War driving, but using airplanes, helicopters, etc. instead of cars. Because a much larger area is covered, hundreds of APs can be found in a short trip.

Security Recommendations vs Reality

| Recommendation | Reality |
| --- | --- |
| Turn SSID broadcasting off | SSIDs can be easily discovered as described above (a client's probe or association exposes them) |
| Use static IP addresses | Static IP addresses can be found easily using traffic analysis |
| Turn 128-bit WEP on | WEP can be easily cracked |
| Change WEP keys | New keys can be cracked just as easily |
| Enable MAC address filtering | Traffic analysis will yield the authorized MAC addresses. WLAN cards can set their own MAC address, so attackers can simply claim an authorized one |
| Use shared key authentication | WEP keys can be cracked, and the challenge/response exchange of shared key authentication itself reveals keystream to an eavesdropper |
| Use personal firewalls | Attackers may be able to fool the firewall into treating them as a trusted system |
| Use SSH/HTTPS | Still vulnerable to MITM if the client accepts an unverified host key or certificate |


PDA (Personal Digital Assistants)

Common attacks:

  1. Copying/Stealing information from the device
  2. Loading malicious code onto the device
  3. Destroying key files or applications on the device

Trojans

A program disguised as another program.

Worms

Programs that copy themselves from system to system over and over, consuming system resources (memory, bandwidth) as they spread.

Logic Bombs

Programs (or parts of programs) that perform certain actions when a trigger event occurs. PDAs can also be carriers of such programs instead of the target.

Theft of the Device

Data Theft

Data can be easily copied from a PDA/Blackberry to a flash card within minutes.

Mobile Code

Software transmitted from a server to a local device and then executed there. Such code may give the attacker access to the data on the PDA.

Auth Theft

Stealing a PDA may lead to authentication information (stored credentials) being stolen.

DoS Attacks

Any attack in which an organization is denied access to a resource can be termed DoS. For PDAs, anything from mobile code to device theft can be considered DoS.

Session Hijacking

A TCP session can be taken over by an attacker. Authentication usually happens only when the session is set up, and afterwards TCP itself only checks sequence numbers, so an attacker who can sniff or predict those numbers can inject packets into the established session.

Providing Security to PDAs

Best Security Practices

  1. Define handheld security policy
  2. Centrally enforce and monitor handheld security
  3. Enforce use of power-on passwords
  4. Block unauthorized handheld network activity
  5. Detect handheld intrusions
  6. Protect handheld integrity
  7. Encrypt sensitive data stored on handhelds
  8. Protect traffic sent/received by handhelds
  9. Maintain up-to-date anti-virus protection
  10. Back up frequently

SMS Security Issues

SMS is a store and forward service. The SMS is stored in a server first, before being forwarded to the receiver. This is necessary in case the receiver’s mobile phone is out of coverage or switched off when the SMS is sent.

Availability Issues

Confidentiality Issues

Integrity Issues

Integrity issues are those relating to an SMS's content being changed in transit, or the sender pretending to be someone else (sender spoofing).

Other Security Issues

SMS Spamming

A promising scheme is shown below.

[Figure: SMS spam-detection scheme]

  1. The originator's phone number and the SMSC used are compared. If the originator sent a message earlier using a different SMSC, the message is marked as suspicious.
  2. The SMSC's country and the originator's country are checked and compared.
  3. The sender ID is checked. Non-numerical IDs have a greater chance of being spam.
  4. The timezone is checked. If the sender and receiver countries are the same, but the timestamp from the SMSC is more than 1 minute ahead, the message is suspicious.
  5. Keyword blacklist.
  6. HTTP links are checked.
  7. The SMS protocol identifier (TP-PID) is checked. Some messages, such as silent SMSes (TP-PID 0x40, "Type 0"), are deleted on reception without being shown to the user. The application notifies the user that such a message arrived, even though it has been deleted.
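The seven checks above as a rule-based scorer. This is an added example, not the scheme's own code: the field names on `Sms`, the tiny dialling-code table, the "two flags means suspicious" threshold and the three sample messages are all constructed assumptions. The only standard value is TP-PID 0x40, the 3GPP protocol identifier for a Type 0 (silent) short message.

```python
"""Rule-based SMS spam scoring (added example, not from the notes)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COUNTRY_BY_PREFIX = {"1": "US", "44": "GB", "91": "IN", "234": "NG"}  # constructed subset of E.164
KEYWORD_BLACKLIST = ("winner", "claim your prize", "free money", "verify your account")
TP_PID_SILENT = 0x40        # 3GPP TS 23.040: "Short Message Type 0" (silent SMS)
MAX_AHEAD_SECONDS = 60      # rule 4: SMSC timestamp more than one minute ahead of the handset
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Sms:
    sender_id: str        # originator: a phone number or an alphanumeric sender ID
    smsc: str             # service centre the message came through
    smsc_timestamp: int   # service-centre timestamp (SCTS), epoch seconds
    received_at: int      # handset clock at reception, epoch seconds
    receiver: str
    tp_pid: int
    text: str


def country_of(number: str) -> Optional[str]:
    """Map a dialling number to a country via its international prefix; None for alphanumeric IDs."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        return None
    for n in (3, 2, 1):                      # longest prefix first
        if digits[:n] in COUNTRY_BY_PREFIX:
            return COUNTRY_BY_PREFIX[digits[:n]]
    return None


def score(msg: Sms, smsc_history: Dict[str, str]) -> List[str]:
    """Return the rules the message trips, in the order of the list above.
    smsc_history maps a sender to the SMSC it was first seen using, and is updated here."""
    flags = []
    first_smsc = smsc_history.setdefault(msg.sender_id, msg.smsc)
    if first_smsc != msg.smsc:                                    # 1. originator changed SMSC
        flags.append("smsc_changed")
    sender_country = country_of(msg.sender_id)
    if sender_country is not None:
        if sender_country != country_of(msg.smsc):                # 2. SMSC in another country
            flags.append("smsc_country_mismatch")
    else:
        flags.append("alphanumeric_sender")                       # 3. non-numeric sender ID
    if sender_country is not None and sender_country == country_of(msg.receiver):
        if msg.smsc_timestamp - msg.received_at > MAX_AHEAD_SECONDS:  # 4. timestamp too far ahead
            flags.append("timestamp_ahead")
    lowered = msg.text.lower()
    if any(word in lowered for word in KEYWORD_BLACKLIST):        # 5. keyword blacklist
        flags.append("blacklisted_keyword")
    if LINK_RE.search(msg.text):                                  # 6. contains a link
        flags.append("contains_link")
    if msg.tp_pid == TP_PID_SILENT:                               # 7. silent SMS, would vanish unseen
        flags.append("silent_sms")
    return flags


def classify(msg: Sms, smsc_history: Dict[str, str]) -> Tuple[str, List[str]]:
    """Threshold is an assumption: two or more tripped rules is 'suspicious'."""
    flags = score(msg, smsc_history)
    return ("suspicious" if len(flags) >= 2 else "ok"), flags


# Constructed sample traffic: one normal message, one spam, one silent SMS from an alphanumeric ID
LEGIT = Sms("+14155550100", "+14155550000", 1_700_000_000, 1_700_000_002, "+14155550199", 0x00,
            "Running 10 min late")
SPAM = Sms("+14155550100", "+2348012345678", 1_700_000_900, 1_700_000_600, "+14155550199", 0x00,
           "You are a WINNER! Claim your prize at http://198.51.100.7/win")
SILENT = Sms("BANKALERT", "+441234567890", 1_700_000_000, 1_700_000_000, "+14155550199",
             TP_PID_SILENT, "")


def demo() -> List[Tuple[str, List[str]]]:
    history: Dict[str, str] = {}
    return [classify(m, history) for m in (LEGIT, SPAM, SILENT)]


if __name__ == "__main__":
    for verdict, flags in demo():
        print(verdict, flags)
```

The history dictionary is what makes rule 1 work: the scorer has to remember which SMSC each originator used before, so it is stateful across messages, unlike rules 2 to 7. Rule 4 compares the SMSC timestamp with the handset clock, so a badly set handset clock will produce false positives; a real deployment would want a tolerance wider than the one minute the scheme suggests.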

Mobile Phone Forensics

Crime in Mobile Phones

Sources of Evidence

We can find evidence on a mobile device in the following places

Data can remain in places even after it has been deleted.

Forensic Procedures

When dealing with digital evidence,

General Principles

Training and Competence

Analysis Procedure

Preserving data and isolating from network

Identify the phone

Examine SIM Card and Memory

SIM Card

Files Present in SIM Card

SIM contains many files such as:

Around 100 files are present, but each provider can also add their own. Users generally can't access or delete these files, which makes them valuable evidence.

IMSI

International Mobile Subscriber Identity (up to 15 digits) is used to uniquely identify the subscriber internationally.

It consists of MCC + MNC + MSIN.

MCC - Mobile Country Code (3 digits). MNC - Mobile Network Code (2 digits; 3 digits in the USA and Canada). MSIN - Mobile Subscriber Identification Number, 10 digits (9 in the USA/Canada).

ICCID

Integrated Circuit Card Identifier. It is a unique serial number of up to 20 digits, printed on the body of the card. It identifies the physical card itself rather than the subscriber.

It consists of:

89 + country code + issuer identifier + individual account number + check digit

89 is the fixed industry identifier for telecommunications. The country code is the international dialling code (for example 1 for the USA, 91 for India), not the MCC used in the IMSI. The last digit is a Luhn check digit, which gives a quick integrity check on a suspected ICCID.
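Splitting an IMSI and checking an ICCID the way the definitions above describe, as an added example (not from the notes). The MNC-length rule follows the notes' "three digits in the USA and Canada" heuristic (MCC 302 and 310-316); the authoritative MNC length comes from the operator database, so treat it as a guess. The dialling-code table is a small constructed subset, and the identifiers are constructed.

```python
"""IMSI and ICCID parsing with a Luhn check (added example, not from the notes)."""
from typing import Dict, Optional

# Heuristic from the notes: these MCCs use 3-digit MNCs (Canada 302, USA 310-316). Assumption.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "314", "315", "316"}
# Constructed subset of international dialling codes; a real tool needs the full E.164 table.
COUNTRY_BY_DIALLING_CODE = {"1": "US/CA", "44": "GB", "91": "IN", "234": "NG"}


def parse_imsi(imsi: str) -> Dict[str, str]:
    """Split MCC + MNC + MSIN, choosing the MNC length from the MCC."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def luhn_check_digit(payload: str) -> str:
    """Luhn: from the right, double every second digit (starting with the rightmost), subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def parse_iccid(iccid: str) -> Dict[str, Optional[str]]:
    """Split 89 + country code + (issuer + account) + check digit and verify the check digit."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 18 <= len(digits) <= 20:
        raise ValueError("ICCID must be 18 to 20 digits")
    if not digits.startswith("89"):
        raise ValueError("ICCID must begin with the telecom industry identifier 89")
    rest = digits[2:-1]                       # between the 89 prefix and the check digit
    country_code, country = None, None
    for n in (3, 2, 1):                       # longest dialling code first
        if rest[:n] in COUNTRY_BY_DIALLING_CODE:
            country_code, country = rest[:n], COUNTRY_BY_DIALLING_CODE[rest[:n]]
            break
    return {
        "mii": "89",
        "country_code": country_code,
        "country": country,
        "issuer_and_account": rest[len(country_code or ""):],  # issuer length varies, so not split further
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
    }


if __name__ == "__main__":
    print(parse_imsi("310260123456789"))       # constructed US IMSI: 3-digit MNC
    print(parse_imsi("404100123456789"))       # constructed Indian IMSI: 2-digit MNC
    print(parse_iccid("8912345678901234562"))  # constructed ICCID with a correct Luhn digit
```

A failing Luhn check on a number transcribed from a card body or a report is the cheapest way to catch a misread digit before it reaches an operator request.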

Location Information File and BCCH File

SMS Storage File

Modern SIMs can store SMS, usually up to 35 (the EF_SMS file, one 176-byte record per message). The first byte of each SMS storage slot tells the message's status: bit 0 marks the slot as used, and bits 1-2 give the state.

00000000 (0x00) - Empty slot

00000001 (0x01) - Read incoming message

00000011 (0x03) - Unread incoming message

00000101 (0x05) - Outgoing message that has been sent

00000111 (0x07) - Outgoing message which hasn't been sent

If a message is deleted by the user, usually only the first byte's last bit is cleared to 0 (so the status byte becomes 00), which marks the slot as empty. The actual content of the slot is not overwritten. So, by reading the records directly instead of asking the phone for its message list, we can sometimes get old messages that the user thinks have been deleted. A slot that has never been used contains only 0xFF bytes, which is how the two cases are told apart.

Another file (EF_SMSP) stores SMS settings, such as the default alphabet, message centre number, etc.

Contact List

SIM cards can store contacts (the EF_ADN file). Old SIMs stored up to 100, newer ones offer 250. When a contact is deleted, the slot is filled with binary ones (0xFF bytes), so the deleted contact itself cannot be recovered. But slots are assigned in order, so if we find an empty slot between used slots 34 and 36, we can infer that there was a contact in slot 35 that has been deleted.

Outgoing Calls

SIMs can store the last 10 dialled numbers (the EF_LND file). Most manufacturers prefer to use the phone's memory for this. The SIM doesn't store incoming calls, only outgoing.
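Reading the SMS status bytes and the contact slots described in the last three sections, as an added example (not from the notes). The record layouts follow the SIM files named above: EF_SMS records are 176 bytes with the status byte first, and EF_ADN records are an alpha identifier followed by 14 bytes (length, type of number, the dialling number in swapped-nibble BCD, and two trailer bytes). The 16-byte alpha identifier length is an assumption, since it varies per card and is read from the file's record size in practice; the two file images are constructed.

```python
"""Deleted-but-not-wiped SMS slots and contact-list gaps on a SIM (added example, not from the notes)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMS_RECORD_LEN = 176        # EF_SMS: 1 status byte + 175 bytes of SMSC address and TPDU
ADN_ALPHA_LEN = 16          # assumption; take it from the real file's record length
ADN_RECORD_LEN = ADN_ALPHA_LEN + 14


def decode_sms_status(status: int) -> str:
    """Bit 0: slot used; bits 1-2: 00 read, 01 unread, 10 sent, 11 unsent (0x01/0x03/0x05/0x07)."""
    if not status & 0x01:
        return "free"
    return ("read", "unread", "sent", "unsent")[(status >> 1) & 0x03]


@dataclass
class SmsSlot:
    record: int            # 1-based record number, as SIM tools report it
    status: str
    recoverable: bool      # marked free but the body was never erased to 0xFF
    body: bytes


def analyse_ef_sms(image: bytes) -> List[SmsSlot]:
    """Walk the raw EF_SMS image; a 'free' record whose body is not all 0xFF still holds a message."""
    slots = []
    for n, off in enumerate(range(0, len(image), SMS_RECORD_LEN), start=1):
        rec = image[off:off + SMS_RECORD_LEN]
        status, body = decode_sms_status(rec[0]), rec[1:]
        recoverable = status == "free" and any(b != 0xFF for b in body)
        slots.append(SmsSlot(n, status, recoverable, body))
    return slots


def _bcd(number: str) -> bytes:
    """Swapped-nibble BCD for dialling numbers; an odd digit count is padded with F."""
    digits = number.lstrip("+")
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def _unbcd(data: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def make_adn_record(name: str, number: str) -> bytes:
    """Build one EF_ADN record (constructed test data): alpha id, length, TON/NPI, BCD number, trailer."""
    alpha = name.encode("ascii").ljust(ADN_ALPHA_LEN, b"\xff")
    digits = _bcd(number)
    ton_npi = 0x91 if number.startswith("+") else 0x81   # international vs unknown numbering
    return alpha + bytes([len(digits) + 1, ton_npi]) + digits.ljust(10, b"\xff") + b"\xff\xff"


def parse_ef_adn(image: bytes) -> List[Optional[Tuple[str, str]]]:
    """Each entry is (name, number), or None for an unused slot (all 0xFF)."""
    entries: List[Optional[Tuple[str, str]]] = []
    for off in range(0, len(image), ADN_RECORD_LEN):
        rec = image[off:off + ADN_RECORD_LEN]
        if all(b == 0xFF for b in rec):
            entries.append(None)
            continue
        name = rec[:ADN_ALPHA_LEN].rstrip(b"\xff").decode("ascii", "replace")
        length, ton_npi = rec[ADN_ALPHA_LEN], rec[ADN_ALPHA_LEN + 1]
        digits = rec[ADN_ALPHA_LEN + 2:ADN_ALPHA_LEN + 1 + length]
        number = ("+" if ton_npi & 0x70 == 0x10 else "") + _unbcd(digits)
        entries.append((name, number))
    return entries


def deleted_contact_slots(entries: List[Optional[Tuple[str, str]]]) -> List[int]:
    """Slots are filled in order, so an empty record before the last used one was deleted (1-based)."""
    used = [i for i, e in enumerate(entries, start=1) if e is not None]
    last_used = used[-1] if used else 0
    return [i for i, e in enumerate(entries, start=1) if e is None and i < last_used]


def _sms_record(status: int, body: bytes) -> bytes:
    return bytes([status]) + body.ljust(SMS_RECORD_LEN - 1, b"\xff")


# Constructed images: the TPDU bytes are placeholders, only the status byte and 0xFF fill matter here
SAMPLE_EF_SMS = (
    _sms_record(0x01, b"\x07\x91[constructed TPDU of a read message]")
    + _sms_record(0x00, b"\x07\x91[constructed TPDU of a deleted message]")   # status cleared, body kept
    + _sms_record(0x00, b"")                                                  # never used
    + _sms_record(0x07, b"\x07\x91[constructed TPDU of an unsent message]")
)
SAMPLE_EF_ADN = (
    make_adn_record("Alice", "+14155550100") + b"\xff" * ADN_RECORD_LEN
    + make_adn_record("Bob", "07700900123") + b"\xff" * ADN_RECORD_LEN
)

if __name__ == "__main__":
    for s in analyse_ef_sms(SAMPLE_EF_SMS):
        print(s.record, s.status, "recoverable" if s.recoverable else "")
    print(parse_ef_adn(SAMPLE_EF_ADN), "deleted:", deleted_contact_slots(parse_ef_adn(SAMPLE_EF_ADN)))
```

The second SMS record is what the phone's own menu would never show: its status byte says free, but its body is not 0xFF, so the message is still there to be decoded. In the contact file, record 2 is empty between records 1 and 3 and is reported as deleted, while the trailing empty record 4 is not, since nothing was ever written after it.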

Device Data

Issues :

Memory dumps using hardware (chip-off) can be used: the memory chips are desoldered from the phone and read directly. This ensures no changes occur on the device while the memory is dumped. It is less used because the desoldering may damage the memory chip and destroy the evidence.

External memory cards may be present in the device. Extracting data from these is fairly easy.

Evidence in Operator’s Network

The network operator that issued the SIM may also hold evidence in its own databases.