When Computer

Forensics & Mobile

Forensics Collide

Speaker Introduction

• Rob Schroader, CEO• rob@Paraben.com• 801-796-0944

• 10 years of experience with digital forensic professionals

• iPhone addict

The Forensics of Things

• What is a Computer?

• What is a Mobile Device?

• What Else Connects to Internet/Social Media?

The Forensics of Things

• iPhone 6 – A7 Processor: • Dual Core 1.38 GHz Processor

• 1 GB LPDDR3 RAM

• 128 GB Storage

• Huawei Ascend Mate 7• Quad Core 1.8 GHz Processor

• 2/3 GB RAM

• 32 GB Storage

• microSD Slot (128 GB)

The Forensics of Things

• My Laptop• Dual Core 2.0 GHz Processor

• 2 GB RAM

• 122 GB Hard Drive

What you do is the same as your suspect does with…• A computer

• Surf the internet

• Type documents

• Games

• Email

• A tablet• Play games

• Surf the internet

• Email

• A cell phone• Call friends

• Text friends

• Social Media

• Apps, Apps, Apps

Know Your Risks• Device Type

• Computer

• Mobile

• Environment• Weather

• Signals

• People• There is no license to operate a computer/mobile.

Where’s the Data?

•Computer

•Mobile Device

•Mobile Data on Computers

•The Cloud…The Dreaded Cloud!!!

Forensic Rules• Chain of Custody

• First Responder is lab

• Documentation• Set procedures

• Hash Validation• Math is your friend

• Tools & Methodologies• Validate tools before the field

Forensic Tools Questions• Is it read only?

• Yes

• No

• Can I repeat my results?

• What are your validation steps?

Forensic Tools Questions• Is the data verified and if so how?

• What hash values are used?

• Can those values be repeated?

• Are there other validations?

• Was it designed for forensics, and are the images gathered valid?

• Is it a commercial tool that is being used in forensics?

• How is the image file created?

Non-Forensic

• Does Anything Go?

• Preserve Data

• Do No Harm

• Tools You Use

Outsourced vs. Internal

• Costs

• Time

• Capabilities• Tools

• People

• Collection Only?

• Collection Plus Analysis?

Computers vs. Mobiles

• File Systems• Windows (NTFS, FAT – Registry)

• MAC (HFS, HFS+)

• iPhones (iOS – Applications)

• Drives vs. Memory

• Logical vs. Physical

• Amount of Data

Computer Triage• Targeted Collection

• Deleted Data• Is it necessary?

• Email

Computer Triage• Chat Logs

• Internet History

• Recent Documents

• Registry Data

Mobile Triage• Logical Acquisition

• Deleted Data• Is it necessary?

• Backup Files

• Call Logs

Mobile Triage• SMS

• Email – Not Likely

• Contacts

• Internet History• Chrome Account?

Computer Triage Example• DP2C

• Targeted Data Collection

• Bootable

• Easy to Use

• P2C Data Triage• Windows Systems

• iTunes Backups

• Mobile Device Acquisitions (DS Case Files)

Computer Triage Example• DP2C

Computer Triage Example• DP2C

Computer Triage Example• DP2C

Computer Triage Example• DP2C

Computer Triage Example• P2C Data Triage

Computer Triage Example• Limitations

• Not Comprehensive

• Registry and System Files

• Time Constraints

Storage Devices• SD Cards

• Used for Computer or Cell Phone?

• Significant Data Storage (128 GB)

• Computers• Documents

• Program Files (QB, Quicken, Photoshop, Flow Charts, etc.)

• Multimedia

• Phones• Photos

• Multimedia

• App Data

Examples

• From Device

• From Computer

Examples

• Apps• Parsed

Examples

• Apps• Not Parsed

Examples

• Drop Box on Computer

Examples

• Drop Box on iPhone

Examples

• Computer Shows• 135 Files

• iPhone Database Shows• 978 Files

• Not All Listed Files Still on Phone

Examples • Mass Storage Devices (SD Cards, USB Drives, Etc.)

Should You Triage?

• Can be Easy

• Cost Savings

• Immediate Results

• Expanded Skill Set

• Anyone Can Do It

Any Questions?