Many mobile devices offer the user the ability to perform a remote lock or remote wipe simply by sending a command (e.g., a text message) to the device.
Additional reasons for disabling network connectivity include incoming data (e.g., calls or text messages) that may modify the current state of the data stored on the mobile device. Outgoing data may also be undesirable: for example, delivering the device's current GPS location to an adversary reveals the geographic location of the forensic examiner.
Therefore, forensic examiners need to be aware of these risks and take precautions when securing mobile devices in order to mitigate the chance of data modification. The Scientific Working Group on Digital Evidence's (SWGDE) "Best Practices for Mobile Phone Forensics" document covers best practices for the proper isolation of mobile devices. Some key implications for proper collection are summarized below.
Isolating the mobile device from other devices used for data synchronization is important to keep new data from contaminating existing data. If the device is found in a cradle or connected to a personal computer, pulling the plug from the back of the personal computer eliminates data transfer or synchronization overwrites. It is recommended that a capture of the personal computer's memory be made before "pulling the plug," as acquired memory generally proves to be of significant forensic value; qualified digital forensics professionals should use memory forensics tools for this capture. Caution should be used, as disconnecting a device while it is performing a software update or backup can corrupt the mobile device's file system. Seize the mobile device along with its associated hardware. DO NOT remove media cards, UICCs, or other hardware residing in the mobile device. Seizing the computer connected to the mobile device also allows synchronized data to be acquired from its hard disk that could not otherwise be obtained from the device. Any associated hardware such as media cards, UICCs, power adapters, device sleeves, or peripherals should be seized along with related materials such as product manuals, packaging, and software.
Isolating a mobile device from all radio networks (e.g., WiFi, cellular, and Bluetooth) is important to keep new traffic, such as SMS messages, from overwriting existing data. Besides the risk of overwriting potential evidence, the question may arise whether data received on the mobile device after the seizure is within the scope of the original authority granted. Exploitable vulnerabilities may also exist in the web browser, OS, SMS and MMS handling, third-party applications, or WiFi networking. If such a vulnerability could have been exploited while the device remained reachable, it may be argued that data modification occurred during the forensic examination.
Three basic methods for isolating the mobile device from radio communication and preventing these problems are to place the device in airplane mode, turn the device off, or place the device in a shielded container. Each method has certain drawbacks.
- Enabling "Airplane Mode" requires interaction with the mobile device using the keypad, which poses some risk unless the technician is familiar with the device in question and documents the actions taken (e.g., on paper or video). Note: airplane mode does not prevent the system from using other services, such as GPS, in all cases.
- Turning off the mobile device may activate authentication mechanisms (e.g., UICC PIN and/or handset security codes), which are then required to gain access to the device, complicating acquisition and delaying examination.
- Keeping the mobile device on but radio isolated shortens battery life due to increased power consumption, as devices unable to connect to a network raise their transmit power to maximum. After some period, failure to connect to the network may cause certain mobile devices to reset or clear network data that would otherwise be useful if recovered. Faraday containers may attenuate the radio signal but not necessarily eliminate it, allowing the possibility of communications being established with a cell tower if the device is in its immediate vicinity. There is also the risk that an improperly sealed Faraday container (e.g., a bag not fully closed, or exposed cables running to the forensic workstation acting as an antenna) unknowingly allows access to the cell network.
Some mobile devices are normally configured to enter an energy-saving mode and shut off the display after a short period of inactivity to conserve power. Some devices also shut themselves off if the battery level drops below a certain threshold to protect data stored in volatile memory, defeating the original purpose of keeping the device turned on. Keeping such a device in an active state is troublesome, requiring periodic interaction with the device. If additional power supplies are not available and the device is turned off to conserve power and preserve memory contents, it is likely that a protection mechanism will be encountered when it is turned on again. Moreover, authentication mechanisms such as passwords usually cannot be deactivated without first satisfying the mechanism (e.g., supplying the correct password).
The time maintained on the mobile device may be set independently of that of the network. Always record the date and time shown on the handset, if it is turned on, and compare it with a reference clock, noting any inconsistencies. If the screen is dim due to power management, it may be necessary to press an "insignificant" key, such as the volume key, to light the screen.
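The following is an added example, not part of the NIST guideline or SWGDE document, showing one way to record the handset clock against a reference clock at seizure and later use the measured offset to normalise device-recorded timestamps (e.g., SMS timestamps) onto the reference time line. The evidence label, examiner name, tolerance value, and all clock readings are constructed for illustration; the reference clock is assumed to be an NTP-synchronised forensic workstation reporting UTC.

```python
"""Handset clock observation and timestamp normalisation (added example).

Assumptions (not from the original text): the examiner transcribes the handset
display exactly as shown, knows which time zone the handset is displaying, and
reads the reference clock (assumed NTP-synced workstation, UTC) at the same moment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json


@dataclass(frozen=True)
class ClockObservation:
    """One reading of the handset clock against a reference clock."""
    device_label: str            # evidence tag assigned by the examiner (constructed)
    handset_display: str         # date/time exactly as shown on the handset, ISO 8601, no zone
    handset_utc_offset_min: int  # zone the handset displays, in minutes east of UTC
    reference_utc: str           # reference clock reading, ISO 8601 UTC


def _handset_to_utc(local_iso: str, utc_offset_min: int) -> datetime:
    """Interpret a handset-displayed local time in the handset's zone and convert to UTC."""
    zone = timezone(timedelta(minutes=utc_offset_min))
    return datetime.fromisoformat(local_iso).replace(tzinfo=zone).astimezone(timezone.utc)


def _parse_utc(iso: str) -> datetime:
    """Parse the reference clock reading; a naive value is assumed to already be UTC."""
    parsed = datetime.fromisoformat(iso)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def clock_offset_seconds(obs: ClockObservation) -> int:
    """Handset clock minus reference clock, in seconds (negative means the handset is slow)."""
    handset_utc = _handset_to_utc(obs.handset_display, obs.handset_utc_offset_min)
    return int((handset_utc - _parse_utc(obs.reference_utc)).total_seconds())


def normalise_device_timestamp(device_local_iso: str, obs: ClockObservation) -> str:
    """Map a timestamp the device recorded (in its own clock and zone) onto the reference clock.

    Subtracting the measured offset removes the handset's clock error, so the result is
    what the reference clock would have read when the device stamped the record.
    """
    device_utc = _handset_to_utc(device_local_iso, obs.handset_utc_offset_min)
    corrected = device_utc - timedelta(seconds=clock_offset_seconds(obs))
    return corrected.isoformat()


def seizure_record(obs: ClockObservation, examiner: str, tolerance_seconds: int = 60) -> dict:
    """Build a documentation record for the notes, flagging offsets beyond the tolerance.

    The SHA-256 is computed over the canonical JSON of the fields so the record can be
    reproduced and checked later; the tolerance is an assumed value, not a standard.
    """
    offset = clock_offset_seconds(obs)
    record = {
        "device_label": obs.device_label,
        "handset_display": obs.handset_display,
        "handset_utc_offset_min": obs.handset_utc_offset_min,
        "reference_utc": obs.reference_utc,
        "offset_seconds": offset,
        "inconsistent": abs(offset) > tolerance_seconds,
        "examiner": examiner,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    record["sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


def example_observation() -> ClockObservation:
    """Constructed sample: handset shows 10:07:30 in a UTC-4 zone while the reference reads 14:12:30Z."""
    return ClockObservation("EV-0001", "2013-05-14T10:07:30", -240, "2013-05-14T14:12:30+00:00")


if __name__ == "__main__":
    obs = example_observation()
    print(json.dumps(seizure_record(obs, "Examiner A"), indent=2))
    # A constructed SMS timestamp as stored by the device, expressed on the reference clock
    print(normalise_device_timestamp("2013-05-14T09:55:00", obs))
```

In the constructed sample the handset is five minutes slow (offset of -300 seconds), so a message the device stamped at 09:55:00 local corresponds to 14:00:00 UTC on the reference clock. Any later correlation with carrier records or other devices should use the normalised values, and the seizure record with its hash belongs in the examiner's notes alongside the photograph of the handset display.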
Security mechanisms, key remapping, and malicious programs may be present on mobile devices. Certain types of modifications to the device's software applications and operating system might affect the way it should be handled. The following are examples of some classes of modification to consider:
- Security Enhancements – Organizations and individuals may enhance their handheld devices with add-on security mechanisms. A variety of login, biometric, and other authentication mechanisms are available for mobile devices, either as replacements for or supplements to password mechanisms. Improper interaction with such a mechanism could cause the device to lock down and even destroy its contents. This is of particular concern with mechanisms that use security tokens whose presence is constantly monitored and whose disconnection from a card slot or other device interface is immediately acted upon.
- Malicious Programs – A mobile device may contain a virus or other malicious software.[13] Such malware may attempt to spread to other devices over wired or wireless interfaces, including cross-platform jumps to completely different platforms. Common utilities or functions may have been intentionally replaced with versions of software designed to alter or damage data present on the mobile device. Such programs could be activated or suppressed based on conditions such as input parameters or hardware key interrupts. Watchdog applications may be written to listen for specific events (e.g., key chords or over-the-air messages) and carry out actions such as deleting the device's contents.
- Key Remapping – Remapping hardware keys causes the keys to perform a different function than the default. A keypress or combination of key presses intended for one purpose could launch an arbitrary program.
- Geo-Fencing – Some devices may be configured to automatically wipe all data when the GPS in the device determines that it has left (or entered) a specific predetermined geographic area. This method may also employ WiFi access points for location determination.
- Explosives and Booby Traps – Mobile devices may be rigged to detonate explosives remotely, or to be destroyed themselves, if a specific action is carried out on the device (e.g., receiving an incoming call or text message, or pressing a specific key chord sequence).[14]
- Alarms – Many mobile devices have an audible alarm feature. The alarm function can power on an inactive device, establishing network connectivity and creating the potential for a remote wipe.
The following sections 4.3.1 through 4.3.3 discuss the use and characteristics of radio isolation containers and cellular network isolation techniques.
[13] For more information, visit: http://appleinsider.com/articles/13/05/14/mobile-malware-exploding-but-only-for-android
[14] For more information, visit: http://www.scientificamerican.com/article.cfm?id=boston-marathon-bomb-attack