<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cmdLabs &#187; mobile</title>
	<atom:link href="http://blog.cmdlabs.com/tag/mobile/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.cmdlabs.com</link>
	<description></description>
	<lastBuildDate>Mon, 26 Sep 2011 15:29:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Winner of the DFRWS2011 Forensics Challenge Announced</title>
		<link>http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/</link>
		<comments>http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 15:24:01 +0000</pubDate>
		<dc:creator>Eoghan Casey</dc:creator>
				<category><![CDATA[Forensic Analysis]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cell Phone Forensics]]></category>
		<category><![CDATA[Computer crime]]></category>
		<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Digital crime scene]]></category>
		<category><![CDATA[Digital evidence]]></category>
		<category><![CDATA[Digital Forensics]]></category>
		<category><![CDATA[Digital Investigation]]></category>
		<category><![CDATA[Embedded Databases]]></category>
		<category><![CDATA[Embedded Systems Analysis]]></category>
		<category><![CDATA[file system]]></category>
		<category><![CDATA[Flash memory]]></category>
		<category><![CDATA[Forensic science]]></category>
		<category><![CDATA[metadata]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[Mobile Device Forensics]]></category>
		<category><![CDATA[NAND]]></category>
		<category><![CDATA[YAFFS2 file system]]></category>

		<guid isPermaLink="false">http://blog.cmdlabs.com/?p=385</guid>
		<description><![CDATA[This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of [...]]]></description>
			<content:encoded><![CDATA[<p>This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from <a href="http://www.fox-it.com/">Fox-IT</a>. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the <a href="http://www.dfrws.org/2011/challenge/results.shtml">DFRWS Web site</a>.</p>
<p>The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.</p>
<p>An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.</p>
<p>The winning submission provides a technical analysis of data structures found in a memory dump from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).</p>
<p>A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:</p>
<div>
<table border="1">
<tbody>
<tr>
<th>Address</th>
<th>date/time (UTC)</th>
<th>read</th>
<th>type</th>
<th>body</th>
</tr>
<tr>
<td>shandra@cheerful.com</td>
<td>05/06/2011 01:34:55 AM</td>
<td>True</td>
<td>in</td>
<td>(Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon.</td>
</tr>
<tr>
<td>sms.dynadel@gmail.com</td>
<td>05/06/2011 05:53:30 PM</td>
<td>True</td>
<td>in</td>
<td>Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours.</td>
</tr>
<tr>
<td>sms.dynadel@gmail.com</td>
<td>05/06/2011 05:55:16 PM</td>
<td>True</td>
<td>in</td>
<td>This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies</td>
</tr>
<tr>
<td>shandra@cheerful.com</td>
<td>05/07/2011 11:39:16 PM</td>
<td>True</td>
<td>in</td>
<td>(Save me!) If Luke asks, I&#8217;m going out with you to dinner, OK?<br />
I just can&#8217;t face Mr. Smooth tonight.<br />
Shandra</td>
</tr>
<tr>
<td>6245</td>
<td>05/07/2011 11:44:27 PM</td>
<td>True</td>
<td>out</td>
<td>Sure thing. Do you know where the wine loft is?</td>
</tr>
<tr>
<td>6245</td>
<td>05/07/2011 11:54:37 PM</td>
<td>True</td>
<td>out</td>
<td>I ran into some friends at the double wide, meetup at 8:30 or so?</td>
</tr>
<tr>
<td>6245</td>
<td>05/07/2011 11:56:53 PM</td>
<td>True</td>
<td>out</td>
<td>Or you can walk down Carson and join us</td>
</tr>
</tbody>
</table>
</div>
<p>Much more information was extracted from both Android devices as detailed in the reports, which include an impressive <a href="http://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/DFRWS%202011%20-%20timeline.png">graphical reconstruction</a> of events.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Delving into Mobile Device File Systems</title>
		<link>http://blog.cmdlabs.com/2009/12/10/delving-into-mobile-device-file-systems/</link>
		<comments>http://blog.cmdlabs.com/2009/12/10/delving-into-mobile-device-file-systems/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 03:17:38 +0000</pubDate>
		<dc:creator>Christopher Daywalt</dc:creator>
				<category><![CDATA[Mobile Device Forensics]]></category>
		<category><![CDATA[mobile]]></category>

		<guid isPermaLink="false">http://blog.cmdlabs.com/?p=128</guid>
		<description><![CDATA[Mobile device forensics tools have come a long way in the past year, giving us access to more data on a wider range of devices. Even when a full copy of physical memory is not possible, for many devices the complete logical file system can be acquired. Although this generally does not include deleted items, [...]]]></description>
			<content:encoded><![CDATA[<p>Mobile device forensics tools have come a long way in the past year, giving us access to more data on a wider range of devices. Even when a full copy of physical memory is not possible, for many devices the complete logical file system can be acquired. Although this generally does not include deleted items, it can still provide access to substantial digital evidence including MMS messages, IM fragments, and Web browsing history.</p>
<p>However, even when a tool can acquire the entire file system from a mobile device, it may not be able to display items of interest like MMS messages. In such situations, the forensic examiner must locate the desired information within the file system and interpret it themselves.</p>
<p>This is one of the main reasons why it is important for practitioners to have an understanding of the underlying technology, and not be overly reliant on automated tools.</p>
<h3>Locating MMS Data</h3>
<p>A good example of when a tool can acquire but not display evidence of interest came up in a recent case involving MMS messages on a Verizon LG phone. Although the commonly used tool called Cellebrite could acquire data from the mobile device, including a copy of the file system, it did not present MMS messages in the output report. As a result, the investigating agency was only able to view the incriminating evidence through the device itself by performing a manual &#8220;scroll&#8221; examination.</p>
<p>Until cmdLabs came along to help…</p>
<p>By examining the file system acquired using Cellebrite, we found MMS messages in the &#8220;mms&#8221; folder on the LG device. For the sake of illustration, this file system location is shown using BitPim.</p>
<p style="text-align: center;"><img class="size-full wp-image-51 aligncenter" title="MMS BitPim" src="http://blog.cmdlabs.com/wp-content/uploads/2009/12/MMS-BitPim.jpg" alt="MMS BitPim" width="717" height="365" /></p>
<p>The MMSMsg.db file contains metadata associated with the messages, and the PDU files contain the original file name as well as the actual data of the pictures and videos in the message. The header of one PDU file is shown here, revealing some Synchronized Multimedia Integration Language (SMIL) tags and the original file name on the device (0920091201a.3g2).</p>
<p style="text-align: center;"><img class="size-full wp-image-50 aligncenter" title="PDU Header" src="http://blog.cmdlabs.com/wp-content/uploads/2009/12/XWays-PDU.jpg" alt="PDU Header" width="612" height="204" /></p>
<p>Even after the original video file is deleted from the device, a copy remains in the MMS message.</p>
<h3>Extracting MMS Data</h3>
<p>The media portion of the PDU message file can be extracted using simple file carving techniques. Although you could remove the file header manually using a hex editor, it is more effective to use a file carving tool like Foremost. By automating the file carving process, your process is repeatable. In addition, Foremost generates an audit log that can be useful for forensic documentation purposes.</p>
<p>The file header (a.k.a. signature) of the 3gp videos from an LG VX series device is &#8220;ftyp3g2a&#8221; preceded by 4 bytes. The configuration entry for the Foremost file carving tool is shown here:</p>
<pre>3gp	y	4000000	????\x66\x74\x79\x70\x33\x67\x32\x61</pre>
<p>Using a configuration file that contains the above signature, the command &#8216;<code>foremost -c foremost.conf MMS*</code>&#8217; will extract the 3gp video content from PDU files acquired from an LG device. The resulting videos will be saved in the default Foremost output directory and can be played using Quicktime as shown here.</p>
<p style="text-align: center;"><img src="http://blog.cmdlabs.com/wp-content/uploads/2009/12/Quicktime.jpg" alt="Quicktime" title="Quicktime" width="454" height="348" class="aligncenter size-full wp-image-229" /></p>
<p>For those forensic practitioners who are interested in learning more about mobile device forensics and related data recovery techniques, cmdLabs is teaching the SANS Mobile Device Forensic course (SEC 563) in <a href="http://www.sans.org/security-east-2010/description.php?tid=3377">New Orleans</a> from January 11–15, 2010 and again in <a href="http://www.sans.org/san-antonio-2010-cs/description.php?tid=3377">San Antonio</a> from January 25–29, 2010.</p>
<p><a href="http://www.sans.org/security-east-2010/description.php?tid=3377"><img src="http://blog.cmdlabs.com/wp-content/uploads/2009/12/sec563_9_785x90.jpg" alt="sec563_9_785x90" title="sec563_9_785x90" width="785" height="90" class="aligncenter size-full wp-image-97" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cmdlabs.com/2009/12/10/delving-into-mobile-device-file-systems/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SANS Presentation Webcast Posted</title>
		<link>http://blog.cmdlabs.com/2009/07/15/sans-presentation-webcast-posted/</link>
		<comments>http://blog.cmdlabs.com/2009/07/15/sans-presentation-webcast-posted/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 14:51:21 +0000</pubDate>
		<dc:creator>cmdLabs Staff</dc:creator>
				<category><![CDATA[Mobile Device Forensics]]></category>
		<category><![CDATA[mobile]]></category>

		<guid isPermaLink="false">http://blog.cmdlabs.host.tivilon.com/?p=15</guid>
		<description><![CDATA[Eoghan Casey delivered the presentation “Expert Briefing: Mobile Device Forensics Essentials” on behalf of cmdLabs at the SANS WhatWorks in Forensics and Incident Response Summit on July 8. SANS has made this presentation available via webcast at the following URL: https://www.sans.org/webcasts/show.php?webcastid=92648 If you have any comments or suggestions regarding the presentation or anything else, please [...]]]></description>
			<content:encoded><![CDATA[<p>Eoghan Casey delivered the presentation “Expert Briefing: Mobile Device Forensics Essentials” on behalf of cmdLabs at the SANS WhatWorks in Forensics and Incident Response Summit on July 8. SANS has made this presentation available via webcast at the following URL:</p>
<p><a href="https://www.sans.org/webcasts/show.php?webcastid=92648">https://www.sans.org/webcasts/show.php?webcastid=92648</a></p>
<p>If you have any comments or suggestions regarding the presentation or anything else, please shoot us an e-mail at contact@cmdlabs.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cmdlabs.com/2009/07/15/sans-presentation-webcast-posted/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Mobile &#8211; Forensic Acquisition Challenges</title>
		<link>http://blog.cmdlabs.com/2009/05/17/windows-mobile-forensic-acquisition-challenges/</link>
		<comments>http://blog.cmdlabs.com/2009/05/17/windows-mobile-forensic-acquisition-challenges/#comments</comments>
		<pubDate>Mon, 18 May 2009 00:32:56 +0000</pubDate>
		<dc:creator>cmdLabs Staff</dc:creator>
				<category><![CDATA[Mobile Device Forensics]]></category>
		<category><![CDATA[mobile]]></category>

		<guid isPermaLink="false">http://blog.cmdlabs.host.tivilon.com/?p=31</guid>
		<description><![CDATA[In Mobile Device Forensics, it is often necessary to use multiple methods and tools to obtain the most useful information from the device. For example, let us look at acquisition challenges associated with Windows Mobile. Security configuration is one of the first barriers to acquiring digital evidence from a device running Windows Mobile, even when [...]]]></description>
			<content:encoded><![CDATA[<p>In Mobile Device Forensics, it is often necessary to use multiple methods and tools to obtain the most useful information from the device. For example, let us look at acquisition challenges associated with Windows Mobile.</p>
<p>Security configuration is one of the first barriers to acquiring digital evidence from a device running Windows Mobile, even when there is no password protection. The reason is simple: Windows Mobile is often configured to prevent unsigned applications from running. Many forensic tools need to transfer and execute a customized application on the mobile device in order to acquire data. So, if the software agent for a particular forensic tool is not signed, it will not run and you will not get any data.</p>
<p>Even when this security protection is disabled, files that are routinely used by the operating system cannot be copied using certain tools, including some forensic acquisition tools. For instance, an attempt to copy the pim.vol file using Microsoft&#8217;s Remote File Viewer generates an error as shown here.</p>
<p><img src="http://blog.cmdlabs.com/wp-content/uploads/2009/05/remote-file-view-error.jpg" alt="" title="remote-file-view-error" width="461" height="374" class="aligncenter size-full wp-image-239" /></p>
<p>In the case of pim.vol, this file can be copied logically when a Windows Mobile device is mounted via ActiveSync. However, you will have no such luck copying files like cemail.vol and the registry (mxip_system.vol) in this way. Although some mobile device forensic tools can extract limited information from these locked files, it is important to also have a copy of the original file for forensic examination.</p>
<p><strong>Warning</strong>: some forensic tools will appear to copy files that are locked by the Windows Mobile operating system, but do not actually acquire the contents, resulting in an empty file container in the case file. The tool may tag the file as locked, but no log entry or error is generated, so you would have to be looking closely at the specific file to notice this. An unsuspecting forensic examiner might perform a keyword search of acquired data with no results, not realizing that relevant data had not been acquired.</p>
<p>To gain access to more digital evidence on Windows Mobile devices, including some deleted data, it is necessary to get physical. For example, using a forensic tool like XACT, which is designed to acquire and analyze physical memory of mobile devices, it is possible to extract significant amounts of data from Windows Mobile devices, including files like cemail.vol, pim.vol, and the registry. Data in an acquired cemail.vol file, which includes text messages (SMS), are displayed here with some text readily viewable.</p>
<p><img src="http://blog.cmdlabs.com/wp-content/uploads/2009/05/wm-blog1-1.jpg" alt="" title="wm-blog1-1" width="784" height="507" class="aligncenter size-full wp-image-240" /></p>
<p>Acquiring these files is only the first challenge. It is then necessary to interpret the data they contain. Interpreting text message and other useful data structures found in files and raw memory on mobile devices can give additional interesting information, including associated metadata. One approach that can be effective in some cases is to view the acquired file in a Windows Mobile emulator using a utility like Pocket dbExplorer. Although it can be fruitful to examine acquired data in this way, it may not provide access to all of the information you might be interested in relating to an investigation. This is why it is important to also use forensic tools that can query the operating system for specific details about the data it contains (even if they cannot copy the entire container file). Acquiring the same Windows Mobile device using .XRY provides the following valuable metadata associated with the raw data displayed above, including the timestamp associated with the message and what folder it is stored in on the device.</p>
<p><img src="http://blog.cmdlabs.com/wp-content/uploads/2009/05/wm-blog1-2.jpg" alt="" title="wm-blog1-2" width="880" height="352" class="aligncenter size-full wp-image-241" /></p>
<p>Bottom line: to obtain the most information from an evidentiary device it is advisable to acquire data using multiple tools and, whenever feasible, to perform both a logical and a physical acquisition. In the upcoming SANS Mobile Device Forensics course [http://www.sans.org/training/description.php?mid=1297] in Baltimore on July 27-31, we cover logical and physical acquisition and analysis of cell phones. We have plenty of hands-on exercises employing a variety of tools to help practitioners develop the ability to acquire and analyze data from various kinds of mobile devices.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cmdlabs.com/2009/05/17/windows-mobile-forensic-acquisition-challenges/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

