Thursday, May 15, 2014

Some thoughts about mobile forensics tools

Recently I've been talking about mobile forensics with some people from prominent mobile forensic vendors. I was curious to ask why their tools (and other vendors' tools too) do not use an IP connection to acquire data from smartphones. I had asked this question a few times before but never got an answer. This time the answer was a bit of a surprise, so why not roll the idea out. It was a shocking revelation .. and I'm still not sure whether it was just a joke answer to my question.

So let me put some theory on paper ...

Mobile forensics is a wild, uncharted area with extreme development: the cycle is fast, the possible gains in market share are big, and there is a myriad of phones, each vastly different as a device.

Since devices have started to be real computers pretending to be phones, with a real operating system, huge storage space and memory, things get a different perspective ...

Mobile forensic vendors are traditionally locked into a "do one phone at a time" approach, accessing the phone over a serial line, USB, Bluetooth or IR connection. If we compare current mobile forensic tools to general-purpose forensic tools there are huge differences: no standard image format, the ability to handle only phones, a limited number of device images in one case, and only recently some analytics on the extracted data. I don't even like to mention the interoperability problems among tools.

These are all signs of a young, immature market and a fast development cycle. I suppose the cycle is so fast that it keeps vendors locked in their niche, without much time to look from a wider position.
As soon as mobile networks developed data transfer over TCP/IP, mobile devices got a new access method:
an IP interface over the 3G/2G network or Wi-Fi. Strangely, this very effective door into the phone is not used :)
IP access gives you a practically unlimited number of devices being analyzed from one forensic workstation; the only limitations are licensing and bandwidth.

The first question to answer is whether this approach is forensically acceptable. This is actually a key method in live and network forensics, where live machines are acquired and analyzed in a forensically sound way over IP; for details look at the many enterprise-wide forensic tools (EnCase, FTK, F-Secure ...). The same goes for some anti-malware tools and for the ability to remotely erase a mobile device.
The access methods vary, but they rely on the same idea: an agent on the device, a collector on the workstation, and a hash of every acquired image computed on both ends so that what arrived can be shown to be what was read.
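To make the "many devices from one workstation over IP" idea and the forensic-soundness point concrete, here is an added example (my own code, not from the post and not from any of the vendors named here). It assumes a hypothetical on-device agent that speaks a tiny length-prefixed protocol: a JSON header with device id, image size and SHA-256, followed by the raw bytes. The workstation side pulls from several agents in parallel and recomputes the hash, so an image that was altered in transit is flagged instead of silently accepted. The device contents are constructed sample bytes; everything runs on localhost.

```python
import hashlib
import json
import socket
import struct
import threading

# Constructed sample "device storage" contents, standing in for a partition dump.
SAMPLE_DEVICES = {
    "phone-A": b"contacts.db\x00" + bytes(range(256)) * 8,
    "phone-B": b"sms.db\x00" + b"\xff" * 3000,
}


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or raise."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the image was complete")
        buf.extend(chunk)
    return bytes(buf)


def serve_device(device_id, data, corrupt=False):
    """Hypothetical on-device agent: listen on an ephemeral localhost port,
    send a length-prefixed JSON header (id, size, sha256) and then the image.
    corrupt=True flips the first byte after hashing, to simulate damage in
    transit. Returns the port the agent listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    payload = bytes([data[0] ^ 0xFF]) + data[1:] if corrupt else data

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            header = json.dumps({
                "device": device_id,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # hash of what was read
            }).encode()
            conn.sendall(struct.pack("!I", len(header)) + header)
            conn.sendall(payload)

    threading.Thread(target=run, daemon=True).start()
    return port


def acquire(host, port):
    """Workstation side: pull header and image, recompute the hash and
    return an acquisition record with a verified flag."""
    with socket.create_connection((host, port)) as s:
        (hlen,) = struct.unpack("!I", _recv_exact(s, 4))
        header = json.loads(_recv_exact(s, hlen))
        image = _recv_exact(s, header["size"])
    local_hash = hashlib.sha256(image).hexdigest()
    return {
        "device": header["device"],
        "size": len(image),
        "claimed_sha256": header["sha256"],
        "sha256": local_hash,
        "verified": local_hash == header["sha256"],
    }


def acquire_all(targets):
    """Acquire from many (host, port) agents concurrently from one workstation."""
    results = {}

    def worker(host, port):
        rec = acquire(host, port)
        results[rec["device"]] = rec

    threads = [threading.Thread(target=worker, args=t) for t in targets]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    ports = {d: serve_device(d, b) for d, b in SAMPLE_DEVICES.items()}
    for rec in acquire_all([("127.0.0.1", p) for p in ports.values()]).values():
        print(rec)
    bad_port = serve_device("phone-C", b"x" * 100, corrupt=True)
    print(acquire("127.0.0.1", bad_port))  # verified is False
```

The record with both the agent's claimed digest and the workstation's recomputed digest is the part a real tool would have to log and sign; the transport itself (plain TCP here) is incidental, and a production agent would of course run it over an authenticated, encrypted channel.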

There is one very interesting quirk too: these tools have support for mobile devices, but strangely not over IP. I have not been on the EnCase support site recently, but when I was there last there was a thread where people asked why there is not yet a servlet for Android or iOS (the servlet is the EnCase forensic agent for remote access).

One possible explanation lies in the history of the now-defunct product Neutrino, the EnCase mobile phone version. It failed because the vendor was unable to provide the resources to keep it up with phone development; each phone model requires a lot of effort to keep it in the system. What was left is smartphone support that sits on EnCase today almost like a hunchback, since it does not look fully integrated. This gives a reason for the reluctance to push servlet technology to smartphones.

If we forget about the existing enterprise forensic tools, what can be used for a proof of concept? There is one old, reliable tool, CFEngine, which is a very reasonable tool to try. It works on iOS, Android and Windows, so it is a logical test-bed, especially since it is event driven.