443-451-7330
Posted By admin
In Mobile Device Forensics, it is often necessary to use multiple methods and tools to obtain the most useful information from the device. For example, let us look at acquisition challenges associated with Windows Mobile.
Security configuration is one of the first barriers to acquiring digital evidence from a device running Windows Mobile, even when there is no password protection. The reason is simple: Windows Mobile is often configured to prevent unsigned applications from running. Many forensic tools need to transfer and execute a customized application on the mobile device in order to acquire data. So, if the software agent for a particular forensic tools is not signed, it will not run and you will not get any data.
Even when this security protection is disabled, files that are routinely used by the operating system cannot be copied using certain tools, including some forensic acquisition tools. For instance, an attempt to copy the pim.vol file using Microsoft’s Remote File Viewer generates an error as shown here.
In the case of pim.vol, this file can be copied logically when a Windows Mobile device is mounted via ActiveSync. However, you will have no such luck copying files like cemail.vol and the registry (mxip_system.vol) in this way. Although some mobile device forensic tools can extract limited information from these locked files, it is important to also have a copy of the original file for forensic examination.
Warning: some forensic tools will appear to copy files that are locked by the Windows Mobile operating system, but do not actually acquire the contents, resulting in an empty file container in the case file. The tool may tag the file as locked, but there is not log/error generated so you would have to be looking closely at the specific file to see this. An unsuspecting forensic examiner might perform a keyword search of acquired data with no results, not realizing that relevant data had not been acquired.
To gain access to more digital evidence on Windows Mobile devices, including some deleted data, it is necessary to get physical. For example, using a forensic tool like XACT, which is designed to acquire and analyze physical memory of mobile devices, it is possible to extract significant amounts of data from Windows Mobile devices, including files like cemail.vol, pim.vol, and the registry. Data in an acquired cemail.vol file, which includes text message (SMS), are displayed here with some text readily viewable.
Acquiring these files is only the first challenge. It is then necessary to interpret the data they contain. Interpreting text message and other useful data structures found in files and raw memory on mobile devices can give additional interesting information, including associated metadata. One approach that can be effective in some cases is to view the acquired file in a Windows Mobile emulator using a utility like Pocket dbExplorer. Although it can be fruitful to examine acquired data in this way, it may not provide access to all of the information you might be interested in relating to an investigation. This is why it is important to also use forensic tools that can query the operating system for specific details about the data it contains (even if they cannot copy the entire container file). Acquiring the same Windows Mobile device using .XRY provides the following valuable metadata associated with the raw data displayed above, including the timestamp associated with the message and what folder it is stored in on the device.
Bottom line: to obtain the most information from an evidentiary device it is advisable to acquire data using multiple tools and, wheneve feasible, performing both a logical and physical acquisition. In the upcoming SANS Mobile Device Forensics course [http://www.sans.org/training/description.php?mid=1297] in Baltimore on July 27-31, we cover logical and physical acquisition and analysis of cell phones. We have plenty of hands-on exercises employing a variety of tools to help practitioners develop the ability to acquire and analyze data from various kinds of mobile devices.
Tags: mobile
This entry was posted on Sunday, May 17th, 2009 at 8:32 pm and is filed under Mobile Device Forensics. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.