Bridging the Gap Between Mobile and Computer Forensics
TRANSCRIPT
March 1, 2017 COPYRIGHT NUIX 2017 2
Speakers
Paul Slater
Global Head of Investigations, Nuix
Paul Slater is a subject matter expert with over 20 years of experience in investigations, digital forensics, and eDiscovery. Paul has held senior roles within law enforcement, corporate and "Big 4" advisories and was a member of the review board for the Association of Chief Police Officers (ACPO) “Good Practice Guide for Digital Evidence.” Paul also served for two years as interim head of the Digital Forensics Unit in the primary UK agency for investigating and prosecuting serious and complex fraud, where he designed workflows and implemented technologies to enable them to process 20 times more electronic evidence each year. Paul now uses his expertise to enable Nuix customers to 'master their data' through the design, build, and implementation of digital forensic and eDiscovery solutions.
Carl Barron
Senior Solutions Consultant, Nuix
Carl is a Senior Solutions Consultant with Nuix, having joined the company in March 2012. He provides pre- and post-sale consultancy, technical support and solution implementation. Carl brings a wide variety of knowledge in both hardware and software with an enthusiastic approach to helping customers improve workflows. Prior to joining Nuix, Carl worked as a Forensic Technician for a leading Litigation Support Vendor in London.
Mark Wootton
eDiscovery Manager, Yerra Solutions
Mark is an eDiscovery Manager with over 20 years of experience as an expert investigator. He specialises in the collection, examination and presentation of electronic information as evidence for both corporate and law enforcement investigations. Mark has a skill set in complex criminal investigations, including money laundering, fraud and financial matters, and an absolute passion and drive for delivering quality evidence that assists companies in making risk-based decisions.
Today’s Agenda
Introduction
Survey/Poll - Growth of mobile devices
Mobile devices in Investigations
Some of the Challenges
Use Cases
Mobile devices in Nuix
Questions
What percentage of UK Adults now owns a smartphone?
38%
47%
71%
68%
In 2015 – Globally – on average how many text messages were sent?
1 Trillion each year
10 Billion each day
23 Billion each day
50 Billion over the year
How many minutes on average does a smartphone user spend on their phones each day?
60 minutes
225 minutes
145 minutes
90 minutes
...But what does all this have to do with Investigations?
Many 'smart' devices automatically add geo-tagging information to our photographs...
Exhibit 1 – Mobile phone
So we can see where people have been…
Exhibit 2 - Map
Exhibit 3 – Picture Data
Exhibit 3a – EXIF Data
And when they were there…
Exhibit 4 - Suspects
And often – who they were with!
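As an added illustration of the EXIF point above (example code written for this page, not Nuix's or Apple's), a dependency-free Python parser that walks a JPEG's segments to its Exif APP1 block and pulls out the GPS latitude/longitude and DateTime tags an examiner would plot on a map. The JPEG it reads is a constructed sample built by the same script, not a real photograph.

```python
import struct
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # TIFF BYTE, ASCII, SHORT, LONG, RATIONAL

def read_ifd(tiff, offset, bo):
    """Return {tag: raw value bytes} for the TIFF IFD at `offset`; bo is '<' or '>'."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:  # values of four bytes or fewer are stored inline
            entries[tag] = raw[:size]
        else:          # otherwise the four bytes are an offset into the TIFF block
            (ptr,) = struct.unpack(bo + "I", raw)
            entries[tag] = tiff[ptr:ptr + size]
    return entries

def dms_to_decimal(raw, ref, bo):
    v = struct.unpack(bo + "6I", raw)  # three RATIONALs: degrees, minutes, seconds
    dec = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -dec if ref in ("S", "W") else dec

def extract_geotag(jpeg):
    """Walk JPEG segments to the Exif APP1 and return (lat, lon, DateTime) or None."""
    pos = 2  # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack_from(">BH", jpeg, pos + 1)
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            tiff = payload[6:]
            bo = "<" if tiff[:2] == b"II" else ">"
            ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            if 0x8825 not in ifd0:  # no GPS IFD pointer: the photo is not geo-tagged
                return None
            gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[0x8825])[0], bo)
            lat = dms_to_decimal(gps[0x0002], gps[0x0001][:1].decode(), bo)
            lon = dms_to_decimal(gps[0x0004], gps[0x0003][:1].decode(), bo)
            return lat, lon, ifd0.get(0x0132, b"").rstrip(b"\0").decode()
        pos += 2 + length
    return None

def build_sample_jpeg():
    """Constructed sample, not a real photo: SOI + Exif APP1 (IFD0 + GPS IFD) + EOI."""
    ifd0 = (struct.pack("<H", 2) + struct.pack("<HHII", 0x0132, 2, 20, 38)
            + struct.pack("<HHII", 0x8825, 4, 1, 58) + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4) + struct.pack("<HHI4s", 1, 2, 2, b"N\0\0\0")
           + struct.pack("<HHII", 2, 5, 3, 112) + struct.pack("<HHI4s", 3, 2, 2, b"W\0\0\0")
           + struct.pack("<HHII", 4, 5, 3, 136) + struct.pack("<I", 0))
    tiff = (b"II" + struct.pack("<HI", 42, 8) + ifd0 + b"2017:03:01 12:00:00\0" + gps
            + struct.pack("<12I", 51, 1, 30, 1, 0, 1, 0, 1, 7, 1, 30, 1))  # 51°30'N 0°7'30"W
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

On a real photograph the same call returns the fix and timestamp the camera recorded, or None when the device or user had location tagging switched off.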
Exhibit 5 – Cell Tower Analysis
And because most smart phones also track our physical movements (either overtly or covertly)… we can see where people have been.
#1 Forensic Acquisition is slow and costly
Exhibit 6 - Challenges
Exhibit 7 – Usual Suspects
Forensic Acquisition Notes:
Device : iPhone 64GB
Start time : 12:00 hrs
End time : 18:00 hrs
Exhibit 21 – Phone Report
#2 And Difficult
“On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”
Apple Inc 2016
iOS Physical Acquisition
Technique only works on jailbroken 32-bit devices or 32-bit devices with a known passcode that can be jailbroken by the investigator.
*No current jailbreak for the latest version of iOS (*accurate at time of writing)
iOS Logical Acquisition
If a passcode is known (or there is a way of finding it out), the investigator can cause the device to produce an offline backup via iTunes. This backup can subsequently be analysed – with some restrictions.
iCloud – “Over the Air” Acquisition
Backups are incremental and occur automatically every time that the device is locked, charging and connected to a known Wi-Fi network (all conditions must be met).
Sending to Manufacturer
Samsung has an official policy to support information extraction when serving a Government request. However – Android is a highly fragmented platform with several hundred manufacturers – and thousands of device models.
Physical Acquisition of Android Devices
Success depends on: make, model, carrier, Android version, user settings, root status, lock status, whether the PIN code is known and whether the “USB debugging” option is enabled. “…Won’t know until you try!”
JTAG Forensics
Uses the Joint Test Action Group (JTAG) port to access raw data in the device. Often works for locked, damaged or otherwise inaccessible devices. However – if the disk is encrypted – this process will produce an encrypted image.
Chip-Off Acquisition
Low-level, destructive acquisition via physical de-soldering of memory chips and specialised hardware to read device contents. If encryption has not been enabled it will produce a full binary image – including unallocated space.
NANDroid Backups
For rooted devices – this process can extract a full file system of the device by generating a NANDroid backup – created by booting the device into a custom recovery mode.
#3 Computers and mobile devices are often examined separately
Exhibit 10 - Seized Items
Exhibit 32 - Report(s) from phones
Exhibit 21 - Report(s) from computers
Which can make it almost impossible to identify and review evidence and identify intelligence across multiple data sources, devices and crime scenes...
Exhibit 34 – map showing crime scenes
Single Pane of Glass view into all the data
Whilst we are not quite at Minority Report just yet… BUT
Case Studies
Expenses Fraud
– A person used a work-related mobile device and laptop to go about their normal work. They submitted claims / expenses for multiple fuel trips amounting to several hundred pounds a week for over a year.
– The download of the phone, linked to its location data, provided evidence to support that they were not where they claimed to be at a specific time.
– Cross-referencing this with other information, including internet activity from their laptop, demonstrated that they were on the internet at times when they claimed to have been travelling.
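The cross-referencing in the expenses case above, as an added example that is not from the webinar or from Nuix's products: phone location fixes and laptop browser history are normalised to UTC, merged into one timeline, and tested against the claimed trip window. All fixes, coordinates, timestamps and URLs are constructed sample data, and the 10 km "at the destination" radius is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

@dataclass
class Event:
    when: datetime   # normalised to UTC so phone and laptop records sort together
    source: str      # "phone" or "laptop"
    kind: str        # "location" or "web"
    detail: str
    lat: float = 0.0
    lon: float = 0.0

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def build_timeline(phone_fixes, browser_rows):
    """Merge phone fixes (epoch seconds, UTC) and laptop browser history (ISO 8601
    with explicit offset) into one timeline ordered by UTC time."""
    events = [Event(datetime.fromtimestamp(ts, timezone.utc), "phone", "location",
                    "GPS fix", lat, lon) for ts, lat, lon in phone_fixes]
    events += [Event(datetime.fromisoformat(stamp).astimezone(timezone.utc),
                     "laptop", "web", url) for stamp, url in browser_rows]
    return sorted(events, key=lambda e: e.when)

def check_claim(timeline, start, end, dest_lat, dest_lon, radius_km=10.0):
    """A claimed trip is supported only if some phone fix inside the claimed window
    lies within radius_km (assumed threshold) of the destination; also count fixes
    elsewhere and laptop web activity inside the same window."""
    window = [e for e in timeline if start <= e.when <= end]
    fixes = [e for e in window if e.kind == "location"]
    near = [e for e in fixes if km_between(e.lat, e.lon, dest_lat, dest_lon) <= radius_km]
    summary = {"fixes_near_destination": len(near),
               "fixes_elsewhere": len(fixes) - len(near),
               "laptop_web_hits": sum(1 for e in window if e.kind == "web")}
    return bool(near), summary

# Constructed sample (not a real case): London -> Manchester fuel claim on 2017-03-01,
# 09:00-17:00 UTC, while every phone fix stays in central London.
MIDNIGHT = int(datetime(2017, 3, 1, tzinfo=timezone.utc).timestamp())
LONDON, MANCHESTER = (51.5074, -0.1278), (53.4808, -2.2426)
SAMPLE_FIXES = [(MIDNIGHT + 3600 * h, *LONDON) for h in (10, 12, 14)]
SAMPLE_BROWSER = [("2017-03-01T11:30:00+00:00", "https://intranet.example/expenses"),
                  ("2017-03-01T13:05:00+00:00", "https://news.example/")]

def sample_result(dest=MANCHESTER):
    timeline = build_timeline(SAMPLE_FIXES, SAMPLE_BROWSER)
    start, end = (datetime(2017, 3, 1, h, tzinfo=timezone.utc) for h in (9, 17))
    return check_claim(timeline, start, end, *dest)
```

For the sample the claim comes back unsupported, with three fixes far from the destination and two laptop browsing hits inside the claimed driving window; the same function reports the claim as supported when the destination is set to where the fixes actually were.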
WhatsApp Chat
– Examination of multiple devices linked to suspects involved in fraudulent activity. “WhatsApp” messages identified banking information, location information and shared images linked to the fraud.
– By creating a timeline of events you could see, across multiple phones, the movement of suspects to agreed locations for the drop of goods and the ultimate collection of money.
Linking activity across devices/platforms
– Examination of activity from an iPad, iPhone and iTouch.
– Identified that they had wiped their mobile phone; however, the iPad & iTouch linked to the phone had also recorded the internet activity & call records.
– iPhone "Handoff" was enabled, therefore calls made on the mobile phone could have come through the iTouch, iPad, Mac, etc.
In summary
• Mobile device usage will keep on growing – investigators need to be prepared
• Current methods and tools make it lengthy, difficult or just not possible to see the complete picture of the case
• Nuix supports mobile device extractions – just like any data type
• Link people with objects, locations and events across all the digital evidence
• Reduce mobile device processing backlogs, triage and solve cases faster