Computer Hacking Forensic Investigator v9
Module 13: Mobile Forensics
Exam 312-49

Designed by Cyber Crime Investigators. Presented by Professionals.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.



Module Objectives

After successfully completing this module, you will be able to:

1. Discuss mobile device forensics and understand why it is needed
2. Understand the role of mobile hardware and the mobile OS when conducting forensics on mobile devices
3. Illustrate the architectural layers of the mobile device environment
4. Illustrate the Android architecture stack and describe the Android boot process
5. Illustrate the iOS architecture stack and describe the iOS boot process
6. Determine mobile storage and evidence locations
7. Understand what you should do before performing an investigation
8. Perform mobile forensics

Mobile forensics is the science of recovering digital evidence from mobile devices under
forensically sound conditions. As mobile device usage grows every day, so does the importance
of mobile forensics. This module highlights the precautions that a forensic analyst must take
when collecting, preserving, and acquiring mobile devices such as smartphones, PDAs, digital
cameras, and Internet of Things devices. It covers the topics listed above.


Mobile Device Forensics
Mobile phone forensics is the science of recovering digital
evidence from a mobile phone under forensically sound
conditions


It includes recovery and analysis of data from mobile devices’
internal memory, SD cards and SIM cards

Mobile forensics aims to trace the perpetrators of crimes that
involve the use of mobile phones


Mobile phone forensics is the science of recovering digital evidence from a mobile phone under
forensically sound conditions. It involves examining and reporting on all possible sources of
digital evidence in a forensically sound manner; the investigator then reports and presents the
evidence in a court of law to prove the incident.
Mobile phone forensics includes the extraction, recovery, and analysis of data from the internal
memory, SD cards, and SIM cards of mobile devices. Forensic examiners analyze the phone by
examining incoming and outgoing text messages, pictures stored in the phone's memory, call
logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of
crimes that involve the use of mobile phones.



Why Mobile Forensics?

[Slide figure: "The Projected Growth of Mobile Use". Panels: Using Mobiles for Money Transactions (mobile payment users and transaction value, 2015 vs. 2016; 50% of transactions to be made via mobile by 2020); Internet connections made via mobile devices (2015, 2016, 2019); number of mobile malware samples and mobile ransomware victims, 2014 vs. 2015. Source: statista.com. All figures are restated in the text below.]

With the increase in smartphone usage and mobile payments in recent years, the amount of
malware and ransomware has also increased, making mobile forensics ever more important.

According to Statista, the number of users making payments through mobile devices grew from
385 million in 2015 to 425 million in 2016, and the value of mobile transactions grew from
$450 billion in 2015 to $620 billion in 2016.

According to three.co.uk, 50% of transactions will be made through mobile devices by the
year 2020.

With the increase in mobile device usage, the share of internet connections made via mobile
devices rose from 52.7% in 2015 to 56.1% in 2016 and is estimated to reach 63.4% by 2019.

The number of malware samples targeting mobile devices tripled in 2015 compared with 2014.

Approximately 94,344 unique users were attacked by mobile ransomware in 2015, compared with
18,478 users in 2014.

Among all mobile malware, three families proved to be the most dangerous threats in 2015:
ransomware, malware capable of obtaining unlimited rights on an infected device, and data
stealers.


It is likely that 2016 will see an increase in the complexity of the malware and its
modifications, with more geographies being targeted.


Top Threats Targeting Mobile Devices

Web- and network-based attacks: launched by malicious websites or compromised legitimate sites. The attacking site exploits the device's browser and attempts to install malware or steal confidential data that flows through the browser.

Malware: includes traditional computer viruses, computer worms, and Trojan horse programs. Examples: the Ikee worm targeted iOS-based devices; Pjapps enrolled infected Android devices in a botnet.

Social engineering attacks: leverage social engineering to trick users into disclosing sensitive information or installing malware. Examples include phishing and targeted attacks.

Resource abuse: attempts to misuse network, device, or identity resources. Examples: sending spam from compromised devices; denial-of-service attacks using the computing resources of compromised devices.

Data loss: an employee or attacker exfiltrates sensitive information from the device or network. Can be unintentional or malicious; remains the biggest threat to mobile devices.

Data integrity threats: attempts to corrupt or modify data, either to disrupt the operations of an enterprise or for financial gain. Can also occur unintentionally.

The following list describes the different types of threats targeting mobile devices:
Web-based and network-based attacks: These attacks are commonly executed through malicious
websites or compromised legitimate websites that deliver malicious code to the device's browser
and exploit it. Web-based and network-based attacks attempt to install malware or steal
confidential data flowing through the browser.
Malware is of the following types:
- Traditional computer viruses: attach themselves to a legitimate host program and execute
  when that program runs.
- Computer worms: spread from one device to another on their own, attempting to propagate
  across the entire mobile network.
- Trojan horse programs: masquerade as legitimate or useful applications and perform
  malicious actions once installed.

Social Engineering Attacks: The attacker entices the victim into sharing sensitive information
such as personal details, professional details, and credit card and banking details. Some of
the social engineering attacks are as follows:
- Phishing
- Baiting
- Pretexting
- Quid pro quo
- Tailgating

Resource Abuse: Attackers aim at misusing mobile device resources (network, computing, or
identity-related information stored on the device) for malicious purposes. The two most common
abuses are sending spam from compromised devices and launching denial-of-service attacks from
a set of compromised devices (a botnet) directed by a command-and-control server.
Data Loss: Data loss occurs when data is transferred off a mobile device without authorization.
The transfer may be caused unintentionally by the legitimate user or deliberately by an
attacker with remote access to the device. Data loss is the biggest threat to mobile devices.
Data Integrity Threats: These threats attempt to modify or corrupt the data stored on mobile
devices, either to disrupt normal enterprise operations or for financial gain. Integrity loss
can also occur unintentionally, for example through random data corruption.



Mobile Hardware and Forensics


Mobile device forensics is highly dependent on the underlying hardware of
mobile devices

Investigators need to take different approaches for mobile forensics depending upon
the mobile hardware architecture

Proprietary hardware of mobile devices makes forensics acquisition difficult

Knowledge of mobile hardware also becomes essential in case of a broken or
damaged device when it is not possible to access device using data ports


Common mobile hardware components include the application processor, baseband processor,
digital signal processor, ADC, DAC, RAM, ROM, and the RF transceiver. The architecture and
configuration of these components differ from device to device; an iPhone, for example, has a
different hardware architecture from an Android phone. Because there is no standard hardware
architecture for mobile phones, investigators must apply different tools and techniques to the
variety of devices they encounter, which increases the challenge of mobile forensics.
A mobile forensics investigator should therefore have sound knowledge of the hardware
architectures of different mobile phones and must be able to identify and locate specific
components. For example, the investigator should know where the memory chip resides on the
board before attempting chip-off forensics.


Mobile OS and Forensics
A mobile operating system determines the functions and features
available on mobile devices, and manages the communication
between the mobile device and other compatible devices

This diversity in the mobile OS architecture may impact forensic
analysis process

Investigators require knowledge of underlying OS, architecture,
and file systems of mobile device under investigation

Knowledge of mobile OS booting process helps investigator to
gain lower level access


A mobile operating system (OS) is the software that enables mobile phones, tablet PCs, and
other mobile devices to run applications and programs. A mobile OS determines the functions
and features available on the device and manages communication between the mobile device and
other compatible devices.
Several mobile OSs are on the market, such as Google's Android, Apple's iOS, RIM's BlackBerry
OS, and Microsoft's Windows Mobile. This proliferation of mobile OSs and device models creates
challenges for mobile forensic experts. Investigators require knowledge of the underlying OS,
architecture, and file systems of the mobile device under investigation. Knowledge of the
mobile OS boot process helps investigators gain lower-level access to the device.


Architectural Layers of Mobile Device Environment

From top to bottom:
  Client application
  Communication APIs (e-mail, internet, SMS, etc.) | GUI API | Phone API
  Middleware components (service discovery, network database components, etc.)
  Operating system
  Device hardware: display, keypad, RAM, flash, embedded processor, and media processor
  Radio interface, gateway, and network interface
  Network

The mobile architectural layers form a platform that lets the mobile operating system, apps,
and device hardware work in coordination on devices such as PDAs, cellular phones, and
smartphones.
Client application: any application that runs on the mobile platform. The client application
needs resources to function; these are provided by the communication APIs, GUI API, phone API,
and middleware components.
Communication APIs, GUI API, phone API, and middleware components:
The communication API simplifies interaction with web services and with other applications
such as email, internet, and SMS.
The GUI API is responsible for creating menus and sub-menus when designing applications; it is
the interface on which developers build further plug-ins.
The phone API provides telephony services tied to the mobile carrier, such as placing calls,
receiving calls, and SMS. All phone APIs appear at the application layer.
In general, the OS provides the middleware components used to link application components with
network-distributed components.
Operating system: the mobile OS offers utilities for scheduling multiple tasks, memory
management, synchronization, and priority allocation. It also provides the interfaces for
communication between the application layer, the middleware layer, and the hardware.


Hardware: a mobile device contains hardware such as a display, keypad, RAM, flash, embedded
processor, and media processor, which are responsible for its operation.
Radio interface, gateway, and network interface: a mobile device communicates with the network
operator through interfaces such as the radio interface, gateway, and network interface, which
establish secure communication.
Network: data exchanged with the network passes down through these layers on the device and
then across the network layers to reach its destination.


Android Architecture Stack

Applications: Home, Contacts, Phone, Browser, ... (user-defined and standard applications)

Application Framework: Activity Manager, Window Manager, Content Providers, View System, Telephony Manager, Resource Manager, Location Manager, Notification Manager, Package Manager (supports the application API interfaces)

Libraries: Surface Manager, Media Framework, SQLite, OpenGL | ES, FreeType, WebKit, SGL, SSL, libc (native libraries written in C/C++, responsible for handling different types of data)

Android Runtime: Core Libraries, Dalvik Virtual Machine (custom-built virtual machine)

Linux Kernel: Display Driver, Camera Driver, Flash Memory Driver, Binder (IPC) Driver, Keypad Driver, WiFi Driver, Audio Driver, Power Management (built on top of the Linux 2.6 kernel, responsible for interacting with the hardware)

Android architecture consists of various software components arranged in a stack.
Linux Kernel:
Android is built on the Linux kernel with some additional modifications, such as the Binder
IPC driver and Android-specific power management. Only the kernel is shared, however: Android's
user space (its C library, runtime, and packaging) differs from a conventional Linux
distribution, so desktop Linux packages do not run unmodified on Android, and Android apps do
not run on a desktop Linux system. The kernel communicates with the hardware, contains the
hardware drivers, and acts as the abstraction layer between the hardware and the software
layers above it.
Libraries:
The next layer in the Android architecture is the set of native libraries that let the device
handle various types of data. These libraries are part of the platform and are written in C or
C++. Some of the important native libraries include the following:


- Surface Manager: composites the windows owned by different applications running in
  different processes
- Media Framework: offers the media codecs that allow recording and playback of all supported
  media formats
- SQLite: the database engine in which Android apps store structured data
- OpenGL ES and SGL: render 3D (OpenGL ES) and 2D (SGL) graphics content to the screen
- FreeType: renders bitmap and vector fonts
- WebKit: the browser engine used to display web pages
- libc: a C system library tuned for embedded Linux-based devices
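SQLite is where most app data of evidentiary value (messages, call logs, contacts) lives on Android, and the earlier description of examining text messages and call logs comes down to reading such databases. The following is an added example, not part of the EC-Council module, of how an examiner reads one in a forensically sound way: the file is hashed before and after, opened read-only and "immutable" so SQLite creates no journal or WAL files beside the evidence, and Android's millisecond epoch timestamps are normalised to UTC. The table layout and rows are constructed for the example; a real mmssms.db has many more columns, and only the type codes 1 (inbox) and 2 (sent) follow the Android Telephony.Sms convention.

```python
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed, simplified SMS table (the real provider database is far wider).
# type follows the Telephony.Sms convention: 1 = inbox (received), 2 = sent.
SMS_TYPE = {1: "inbox", 2: "sent"}

SAMPLE_ROWS = [  # (_id, address, date in ms since epoch, type, body); constructed data
    (1, "+15550100", 1609459200000, 1, "meet at the usual place"),
    (2, "+15550100", 1609462800000, 2, "on my way"),
    (3, "+15550199", 1609545600000, 1, "payment received"),
]


def create_sample_db(path: Path) -> None:
    """Write the constructed evidence database to disk."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, "
                    "date INTEGER, type INTEGER, body TEXT)")
        con.executemany("INSERT INTO sms VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    con.close()


def sha256_file(path: Path) -> str:
    """Acquisition hash of the evidence file, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def ms_to_utc(ms: int) -> str:
    """Android stores most timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def extract_messages(path: Path) -> List[Dict]:
    """Open the database read-only and immutable (no side files are created next
    to the evidence), then normalise each row into a timeline record."""
    uri = f"{path.resolve().as_uri()}?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT _id, address, date, type, body FROM sms ORDER BY date").fetchall()
    finally:
        con.close()
    return [{"id": r[0], "address": r[1], "timestamp_utc": ms_to_utc(r[2]),
             "direction": SMS_TYPE.get(r[3], f"unknown({r[3]})"), "body": r[4]}
            for r in rows]


def run_extraction_demo() -> Tuple[List[Dict], str, str]:
    """Create the sample DB, hash it, extract, re-hash.
    Returns (records, hash_before, hash_after); the two hashes must match."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "mmssms.db"
        create_sample_db(db)
        before = sha256_file(db)
        records = extract_messages(db)
        after = sha256_file(db)
    return records, before, after


if __name__ == "__main__":
    recs, h1, h2 = run_extraction_demo()
    print("evidence unchanged:", h1 == h2)
    for r in recs:
        print(r["timestamp_utc"], r["direction"], r["address"], r["body"])
```

On a real acquisition the database would come from a physical or file-system image rather than a temporary directory, but the discipline is the same: hash first, never open the evidence copy writable, and record timestamps with an explicit time zone.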

Android Runtime:
The Android runtime layer consists of the core libraries and the virtual machine that executes
application bytecode. On older devices this is the Dalvik VM shown in the diagram; from
Android 5.0 onward it is the Android Runtime (ART), Dalvik's successor, which compiles DEX
bytecode into native code ahead of time instead of Dalvik's just-in-time approach, but runs the
same .dex files.
Dalvik Virtual Machine:
The Dalvik Virtual Machine (DVM) is a register-based virtual machine designed for devices with
limited memory and CPU. It does not run Java .class files directly: at build time the compiler
converts them into a single .dex (Dalvik Executable) file, which is what the VM executes. Every
application runs in its own process with its own VM instance, which gives process-level
isolation between apps; threading and memory management are provided by the VM on top of the
kernel.
Core Java Libraries:
The core libraries differ from both Java Standard Edition and Java Micro Edition, but provide
most of the functionality of the Java SE class libraries.
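Because every Dalvik/ART app ships its code as a .dex file, an examiner who pulls an APK or a cached .dex from a device usually wants to confirm it was not repacked. The DEX header carries two integrity fields for this: an Adler-32 checksum over everything after the checksum field and a SHA-1 signature over everything after the signature field. The following parser is an added example, not code from the module; the offsets follow the published DEX header layout, and the 112-byte sample file it builds is constructed test data, not a real classes.dex.

```python
import hashlib
import struct
import zlib

# Field offsets inside the 0x70-byte DEX header (public DEX format).
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
OFF_MAGIC, OFF_CHECKSUM, OFF_SIGNATURE = 0, 8, 12
OFF_FILE_SIZE, OFF_HEADER_SIZE, OFF_ENDIAN_TAG = 32, 36, 40
OFF_CLASS_DEFS_SIZE, OFF_DATA_SIZE, OFF_DATA_OFF = 96, 104, 108


def build_sample_dex() -> bytes:
    """Construct a minimal, header-only DEX image (constructed test data, not a
    real classes.dex) whose checksum and signature are correct."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[OFF_MAGIC:OFF_MAGIC + 8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, OFF_FILE_SIZE, DEX_HEADER_SIZE)
    struct.pack_into("<I", hdr, OFF_HEADER_SIZE, DEX_HEADER_SIZE)
    struct.pack_into("<I", hdr, OFF_ENDIAN_TAG, ENDIAN_CONSTANT)
    struct.pack_into("<I", hdr, OFF_DATA_OFF, DEX_HEADER_SIZE)  # empty data section
    # The SHA-1 signature covers everything after the signature field ...
    hdr[OFF_SIGNATURE:OFF_SIGNATURE + 20] = hashlib.sha1(bytes(hdr[OFF_FILE_SIZE:])).digest()
    # ... and the Adler-32 checksum covers everything after the checksum field.
    struct.pack_into("<I", hdr, OFF_CHECKSUM,
                     zlib.adler32(bytes(hdr[OFF_SIGNATURE:])) & 0xFFFFFFFF)
    return bytes(hdr)


def parse_dex_header(data: bytes) -> dict:
    """Parse the header and verify the integrity fields. A mismatch means the
    file was modified after it was built (repacked app, on-device tampering,
    or a damaged acquisition)."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")

    def u32(off: int) -> int:
        return struct.unpack_from("<I", data, off)[0]

    stored_signature = data[OFF_SIGNATURE:OFF_SIGNATURE + 20]
    checksum_ok = u32(OFF_CHECKSUM) == (zlib.adler32(data[OFF_SIGNATURE:]) & 0xFFFFFFFF)
    signature_ok = stored_signature == hashlib.sha1(data[OFF_FILE_SIZE:]).digest()
    info = {
        "version": data[4:7].decode("ascii"),
        "file_size": u32(OFF_FILE_SIZE),
        "header_size": u32(OFF_HEADER_SIZE),
        "little_endian": u32(OFF_ENDIAN_TAG) == ENDIAN_CONSTANT,
        "class_defs": u32(OFF_CLASS_DEFS_SIZE),
        "data_size": u32(OFF_DATA_SIZE),
        "data_off": u32(OFF_DATA_OFF),
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
        "sha1": stored_signature.hex(),
    }
    info["valid"] = (checksum_ok and signature_ok
                     and info["file_size"] == len(data)
                     and info["header_size"] == DEX_HEADER_SIZE
                     and info["little_endian"])
    return info


if __name__ == "__main__":
    good = build_sample_dex()
    print(parse_dex_header(good))
    tampered = bytearray(good)
    tampered[-1] ^= 0xFF          # flip one byte anywhere after the header fields
    print("tampered valid:", parse_dex_header(bytes(tampered))["valid"])
```

Note that these fields only detect accidental or careless modification: anyone who repacks a .dex can recompute both values, so they do not replace the APK signature or a hash recorded at acquisition time.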
Application Framework:
Android applications interact with the application framework blocks to use basic phone
functions such as resource management and voice-call management. Android developers build
their applications on top of these blocks. Important blocks of the application framework are:
- Package Manager: keeps track of the APKs installed on the device.
- Activity Manager: controls the life cycle of applications running on the device.
- Content Providers: allow applications to share data with each other.
- Telephony Manager: controls and manages all calls made from the device.
- Location Manager: provides the location of the device using GPS or cell towers.
- Resource Manager: manages the resources used by applications, such as strings, color
  settings, and user-interface layouts.
- Notification Manager: allows applications to display alerts and notifications on the screen.


Applications

The application layer is the topmost layer of the Android architecture and holds the
applications the user sees on screen. All applications designed and developed for the platform
belong here. By default it ships with basic applications such as:
- Home
- Contacts
- Call Register (Phone)
- Browser

Developers typically design applications that replace the default apps with better features.
The Android OS offers developers wide latitude in developing applications.

Android Boot Process

Boot ROM -> Boot Loader -> Kernel -> init -> Zygote -> System Server -> Applications

1. The Android Linux kernel first starts the init process
2. init starts the native daemons (service manager, media server, adbd, vold (mount), rild (radio), debuggerd, installd) and, as directed by init.rc, the Zygote process
3. The Zygote process loads the core Java classes and performs the initial processing steps
4. After the initial load, Zygote idles on a socket and waits for further requests; the system server is fork()ed from Zygote and registers the system services, and each application process (Home and the other apps with their GUI) is likewise fork()ed from Zygote with a Dalvik VM already initialized

Step 1:
When the Android device is powered on, the Boot ROM code runs first. It loads the boot loader
into RAM and starts executing it.
Step 2:
The boot loader is the program that runs before the Android OS is loaded. It sets up what the
kernel needs to start, such as memory and the basic hardware, and then loads the kernel. In
the Android source tree the legacy boot loader is located at:
<AndroidSource>/bootable/bootloader/legacy/usbloader

Original equipment manufacturers (OEMs) customize the boot loader to put their own locks and
restrictions on the device.
Step 3:
The Android kernel initializes in the same way as a Linux kernel and sets up everything
required for the system to run. As it starts, it initializes the interrupt controllers and sets
up memory protection, caches, and scheduling. Once done, the system can use virtual memory and
launch user-space processes. The kernel then looks for the init process (under
system/core/init) and launches it as the first user-space process.



Step 4:
init is the first user-space process that starts on the device. It is the parent of all other
processes and resides at:
<android source>/system/core/init
init starts the Zygote, runtime, and daemon processes; at this point the Android logo appears
on the screen.
The init process is responsible for:
1. Mounting directories such as /sys, /dev, and /proc
2. Running the init.rc script located at <android source>/system/core/rootdir/init.rc

The init.rc script describes the system services, file systems, and other parameters that need
to be set up.
Step 5:
Step 5:
Each Android app runs in its own process with its own VM instance. If every instance were
initialized from scratch, launching several apps at the same time would cost a great deal of
memory and startup time.
To avoid this, Android uses a process called Zygote, which shares the already-initialized
runtime across app processes, giving low memory consumption and fast startup. Zygote is a VM
process that launches at system boot; it preloads and initializes the core library classes.
Whenever a new app launches, Zygote forks itself, and the child process, which already contains
the warmed-up VM and preloaded classes, runs the app in its own sandbox. This pre-warmed
instance for each app is what keeps startup time low.
In simple terms, the init process starts Zygote, which in turn initializes the Dalvik virtual
machine.
Step 6:
On completion of step 5, the runtime requests Zygote to launch the system server, which
initializes services such as the Power Manager, Battery Service, and Bluetooth Service. The
system server is the first Java-based component to launch on the device during the boot
sequence.
The Android boot process completes only after all the services are up and running in device
memory; the system then sends the standard "ACTION_BOOT_COMPLETED" broadcast.



iOS Architecture

The iPhone OS stack consists of four abstraction layers (top to bottom):

Cocoa Touch: provides the frameworks for iPhone app development (Map Kit, iAd, Game Kit, Events (Touch), View Controllers, and UIKit)

Media Services: provide audio, video, animation, and graphics capabilities (Core Audio, Core Animation, AirPlay, Quartz (2D), Video Playback, Audio Recording, Audio Mixing, OpenAL, JPEG, PNG, TIFF, and PDF)

Core Services: provide the foundation for the upper layers (Threading, File Access, Preferences, Collections (NSArray, NSDictionary, NSSet), Networking, Address Book, and high-level features such as iCloud, In-App Purchase, and SQLite)

Core OS: provides low-level services (Security Framework, Accelerate Framework, External Accessory Framework, and System: Threading, Networking, Filesystem Access, Standard I/O, Bonjour and DNS Services, Locale Information, and Memory Allocation)

iPhone Hardware

A salient feature of the iOS architecture is that the OS never gives app developers direct
access to the iPhone hardware. Apps reach the hardware only through intermediate software
layers, which also provide the frameworks for application development. The iPhone operating
system has four abstraction layers: the Core OS layer, the Core Services layer, the Media
Services layer, and the Cocoa Touch layer. The OS occupies about 500 MB of iPhone storage and
uses the Objective-C language for coding.
Cocoa Touch Layer:
The Cocoa Touch layer is the first and the topmost layer in iOS architecture and contains some
of the important frameworks related to the applications. The most important framework
among the available frameworks is UIKit. It defines simple application basics and offers
advanced technologies such as multitasking and touch-based input.
Media Services Layer:
The Media Services layer handles media such as audio and video, and provides technologies such
as OpenGL ES, OpenAL, Core Graphics, Core Media, and AV Foundation. It also contains the
following frameworks:
- Assets Library Framework: access to photos and videos
- Core Image Framework: image manipulation
- Core Graphics Framework: 2D drawing

Core Services Layer:
The Core Services layer manages the basic system services that an iOS application uses; the
Cocoa Touch layer depends on it to deliver its services to applications. It offers features
such as iCloud storage, Grand Central Dispatch, block objects, and In-App Purchase. Automatic
Reference Counting, the newest feature in the Core Services layer, simplifies memory
management in Objective-C.
Core OS Layer:
The Core OS layer sits directly above the hardware and provides the low-level features on which
all the upper layers are built, such as the security and accelerate frameworks. Applications
access most of these low-level features through the C-based libSystem libraries, such as BSD
sockets, POSIX threads, and DNS services.


iOS Boot Process
The iPhone boot process consists of multiple boot stages. Each stage
verifies the integrity and authenticity of the next stage

The normal booting process uses a built-in chain-of-trust mechanism that
prevents lower level access to iOS implementation layers

Device Firmware Upgrade (DFU) mode is used during a forensics
investigation to gain lower level access to the device

Using this mode, the investigator can alter the boot sequence


The iPhone's normal boot process is a series of RSA signature checks (RSA is named after Ron
Rivest, Adi Shamir, and Leonard Adleman) across the stages BootROM, LLB, iBoot, and the kernel
with the NAND flash root device.

In the normal boot process, the BootROM is the first stage; it holds the root certificates used
to check the next stage. The BootROM initializes some of the components and then checks the
signature of the low-level boot loader (LLB); on successful verification it loads the LLB. In
the same way, the LLB checks the signature of iBoot (the stage-2 boot loader) and loads it on
successful verification. The same procedure applies to the following stages: iBoot checks the
kernel and device tree signatures, and the kernel checks the signatures of all user
applications.
Unlike the normal boot process, Device Firmware Upgrade (DFU) mode gives forensic investigators
a lower level of access to the device. Using this mode, an investigator can alter the boot
sequence and perform a forensic examination of the device.


Normal and DFU Mode Booting

Normal boot process:
Boot ROM -> LLB -> iBoot -> Kernel + NAND flash
- BootROM starts the booting process
- LLB, the first-level boot loader, is loaded after verification of its integrity and authenticity
- The stage-2 boot loader, iBoot, starts after verification of its integrity and authenticity
- The kernel and the NAND flash root file system are likewise loaded only after verification of integrity and authenticity

DFU mode:
Boot ROM -> iBSS -> iBEC -> Kernel + RamDisk
- iBoot is not booted during the DFU-mode boot sequence

The iPhone boots in one of two modes: normal mode and DFU mode.
During a normal boot, the device loads the Ramdisk into RAM along with the other required OS
components. The whole process forms a chain of trust: each stage verifies only the signature of
the stage that follows it, so once the first signature check passes, every later stage is loaded
on the strength of the check performed by the stage before it rather than by a direct check of
the Ramdisk signature.
In DFU (Device Firmware Upgrade) mode, the iPhone goes through a boot sequence that also
enforces signature checks. The BootROM first verifies the signatures of iBSS/iBEC and the
kernel; the kernel in turn verifies the Ramdisk. During an iOS update, the Ramdisk and the other
OS components are loaded into RAM.
Black-hat researchers have discovered vulnerabilities in the BootROM. With certain tools, the
BootROM signature check, and therefore every subsequent stage of signature verification, can
be bypassed. The second hurdle in iOS booting is encryption; the encryption keys can be
obtained with some jailbreaking tools.
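The chain of trust described above (each stage verifying the signature of the next before
loading it, with the Boot ROM as the implicitly trusted root) is modelled below as an added
example; it is not code from the course material or from Apple. It uses textbook RSA with
fixed, deliberately small Mersenne primes purely so that it runs offline, which is a constructed
toy key and not a secure one; the stage names, the `Stage` class and the `boot` walker are
this example's own. The model also shows what the text only states: a modified stage image
whose signature no longer matches halts the boot at that point, and the DFU chain is checked
the same way as the normal chain.

```python
"""Toy model of a verified boot chain: every loaded stage checks the next
stage's RSA signature before handing control to it.  Textbook RSA with a
constructed ~92-bit modulus is used only for illustration (NOT secure);
real devices use full-size keys whose public part is burned into Boot ROM."""
import hashlib
from dataclasses import dataclass
from typing import List

# Constructed toy RSA key pair (Mersenne primes, so n = p*q is known to be square-free).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                          # public exponent, coprime to (P-1)*(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (vendor side only)


def _digest_int(data: bytes) -> int:
    # SHA-256, truncated to 11 bytes (88 bits) so the value lies below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def sign(image: bytes) -> int:
    """Vendor side: sign a stage image with the private key."""
    return pow(_digest_int(image), D, N)


def verify(image: bytes, signature: int) -> bool:
    """Device side: check a stage image against the public key held by the previous stage."""
    return pow(signature, E, N) == _digest_int(image)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: int


def build_chain(mode: str = "normal") -> List[Stage]:
    """Construct a correctly signed chain for the normal or the DFU boot path.
    Stage images are constructed placeholder bytes (the stage name)."""
    names = {
        "normal": ["Boot ROM", "LLB", "iBoot", "Kernel + NAND Flash"],
        "dfu": ["Boot ROM", "iBSS", "iBEC", "Kernel + RamDisk"],
    }[mode]
    return [Stage(n, n.encode(), sign(n.encode())) for n in names]


def boot(chain: List[Stage]) -> List[str]:
    """Walk the chain.  The first entry (Boot ROM) runs unconditionally because it
    lives in mask ROM; each following stage runs only if its signature verifies.
    Returns the names of the stages that actually ran."""
    ran = [chain[0].name]
    for nxt in chain[1:]:
        if not verify(nxt.image, nxt.signature):
            break  # signature mismatch: the boot halts here instead of loading the stage
        ran.append(nxt.name)
    return ran


def boot_with_tampered_stage(mode: str, index: int) -> List[str]:
    """Modify one stage image after it was signed and report how far the boot gets."""
    chain = build_chain(mode)
    s = chain[index]
    chain[index] = Stage(s.name, s.image + b" (modified)", s.signature)
    return boot(chain)


if __name__ == "__main__":
    print("normal:", boot(build_chain("normal")))
    print("dfu:   ", boot(build_chain("dfu")))
    print("normal with iBoot modified:", boot_with_tampered_stage("normal", 2))
```

Note that a bad signature on stage k stops everything after it, but stages before k still
ran: this is why a Boot ROM bypass, as the text notes, undermines every later check, since the
root of the chain is the one stage nothing verifies.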

Module 13 Page 1282
Booting iPhone in DFU Mode
1. Connect the iPhone to a computer and launch iTunes
2. Turn the iPhone off
3. Hold down the sleep/power button and the Home button together for exactly 10 seconds, then
release the power button
4. Continue to hold down the Home button until a message appears in iTunes saying that “iTunes
has detected an iPhone in recovery mode”

The main reason for connecting the device in DFU mode is to change the firmware of the mobile
phone. Using DFU mode, the user can downgrade the OS and firmware or install custom firmware;
jailbreaking and SIM unlocking generally rely on this procedure.
The display stays completely off while the device is in DFU mode; this confirms that the mobile
is connected in DFU mode. If any logo appears on the screen, the mobile is in the standard
recovery mode instead, and the steps must be repeated to connect the device in DFU mode. To
exit DFU mode, the user must press and hold the Home and sleep/power buttons together while
the device is connected.

Module 13 Page 1283
Mobile Storage and Evidence Locations

Internal Memory: RAM, ROM, or flash memory (NAND / NOR) is used to store the mobile phone's
OS, applications, and data
SIM Card: Stores personal information, address books, messages, and service-related
information
External Memory: Stores personal information such as audio, video, images, etc.

The possible locations in a mobile phone where investigators can find evidence fall into three
types of memory storage. In the early days of mobile forensics, evidence consisted only of SMS,
MMS, contact lists, call logs, and IMEI/ESN information; today it also includes the data stored
in the following mobile storage locations:
Internal Phone Memory: Data stored in RAM, ROM, or flash memory. It holds the mobile phone's
OS, applications, and data. The investigator can extract information from internal phone
memory using AT commands over a USB cable, infrared, or Bluetooth.
SIM Card Memory: Data stored on the SIM card. The SIM stores personal information, address
books, messages, and service-related information.
External Memory: Data stored on SD, MiniSD, MicroSD, and similar cards. It holds personal
information such as audio, video, and images.

Module 13 Page 1284
What Should You Do Before the Investigation?

Build a Forensics Workstation
Build the Investigation Team
Review Policies and Laws
Notify Decision Makers and Acquire Authorization
Risk Assessment
Build a Mobile Forensics Toolkit

Preparation involves many steps before an actual forensic investigation starts. The investigator
needs to prepare and check several prerequisites, such as the availability of tools, reporting
requirements, and legal clearances, in order to conduct a successful investigation. Planning
and consultation with the persons concerned is required before, during, and after the
investigation.
The investigator must follow these steps before performing a forensic investigation:
1. Build a Forensics Workstation
Investigators build forensic workstations to perform forensic investigations on mobile
devices. The workstation includes the hardware and software tools in the lab, such as a
laptop or desktop computer, USB connector, FireWire, mobile forensics toolkit, cables
(including Bluetooth and IR), SIM card reader, and micro-SD memory card reader.
2. Build the Investigation Team
The investigation team consists of persons who have expertise in responding to incidents and
in seizing, collecting, and reporting evidence from mobile devices.
3. Review Policies and Laws
Before starting the investigation process, investigators need to understand the laws
pertaining to the investigation. They must also be aware of the potential concerns
associated with federal laws, state statutes, and local policies and laws before beginning
the investigation.
Module 13 Page 1285
4. Notify Decision Makers and Acquire Authorization
Decision makers are the authorities who implement the policies and procedures for handling
an incident. When written incident response policies and procedures do not exist, the
decision maker must be notified so that authorization can be obtained.
5. Risk Assessment
Risk assessment measures the risk associated with the mobile data by estimating the
likelihood and impact of each risk. Risk assessment is an iterative process that assigns
priorities to risk mitigation and implementation plans.
6. Build a Mobile Forensics Toolkit
Investigators require a collection of hardware and software tools to acquire data during the
investigation. The investigator needs to use different tools to extract and analyze the
data, depending on the make and model of the seized phone.

Module 13 Page 1286