dr raymond choo, cloud security alliance - mobile devices and their implications for forensic...
DESCRIPTION
Dr Raymond Choo, Research Director, Cloud Security Alliance, and Senior Lecturer, School of Information Technology and Mathematical Sciences, University of South Australia, delivered this presentation at the 2014 Police Technology Forum. The Police Technology Forum 2014 seeks to address technology innovation, evolution and development within Australia’s law enforcement industry. Over two days, a panel of experts gathers to examine opportunities, initiatives and issues facing organisations both in front-line policing and in the wider law enforcement industry, including transport, border protection and surveillance. For more information about the event, please visit: http://www.informa.com.au/policetechforum
TRANSCRIPT
Police Technology Forum
Mobile devices and their implications for
forensic investigations in Australia
Dr Kim-Kwang Raymond Choo
Information Assurance Research Group
University of South Australia
How many of us do NOT have at least one smart mobile device (e.g. Android, iOS (iPhone or iPad), Windows or BlackBerry)?
Differences between a smart mobile device and a PC or “traditional” laptop?
• Apps (other than on a Windows 8 PC or laptop)? What types of apps have you installed on your devices: email, cloud storage (e.g. Dropbox), social networking, VoIP, etc.?
Poll
How many of us READ / RESEARCH the type of permissions apps are asking for at the time of installation?
Do you know what your apps have just requested?
What do mobile apps have to do with forensic investigations?
1.What is the best method of identifying app usage on a smart mobile device?
2.Do you know what data / remnants remains on a smart mobile device after the user has used one or more apps?
Mobile apps and forensic investigations
Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework
• It is potentially more difficult to acquire and analyse digital evidence to the same standards as those currently expected for traditional server-based systems, such as:
– An exact and verifiable digital copy of the user’s data must be made;
– The contents of the RAM of the virtualised environment must be identified and copied;
– There must be provenance;
– Evidence of intent must be proved;
– Data must be analysed and processed in accordance with the prevailing rules of evidence; and
– Evidence must be preserved and made available for examination by the defendant’s legal team.
• Examination and analysis using digital forensics tools such as EnCase®, FTK™ and XRY™ will need to be augmented by “translators” which convert popular cloud computing file formats into data files for processing.
Challenges of cloud forensics
“little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)
“[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…” (Birk and Wegener 2011, p.9)
“[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” (Zatyko & Bay 2012, p.15), written by the previous Director of the US Department of Defense Computer Forensics Laboratory and the previous Chief Scientist at the US Air Force Research Laboratory Information Directorate
Need for an evidence-based digital forensic framework to guide investigations, which is
• flexible/generic enough to be able to work with future providers offering new services, yet
• able to step an investigation through a formalised process to ensure information sources are identified and preserved.
Challenges of cloud forensics
(Iterative)
1. Commence (Scope)
Determine the scope of the investigation, the requirements and limitations, prepare
equipment and expertise.
2. Identification and Preservation
It is critical that preservation commences as soon as cloud computing use is discovered
in a case, as such it is combined with identification in this model.
3. Collection
The potential difficulties in collection of cloud computing data dictates the requirement for
collection to be represented as a separate step.
4. Examination and Analysis
Examination of the collected data allows the investigator to locate the evidence in the
data, analysis transforms this data into evidence.
5. Reporting and Presentation
This step relates to reporting and presenting evidence to court. As such this step will
remain mostly unchanged.
6. Feedback and Complete
This step relates to a review of the findings and a decision to finalise the case or expand
the analysis.
Adapted from Martini and Choo (2012) and Quick and Choo (2013); and appeared in Quick, Martini and Choo (2014)
Our published cloud forensics framework
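Two of the requirements listed under the challenges above (an exact and verifiable copy, and provenance) are the concrete output of the Identification and Preservation and Collection steps. The following is an added example, not code from the published framework or from the authors: a small hash-chained collection log in which every artefact is recorded with its SHA-256 digest at collection time, and every log entry commits to the previous one, so that a later change to a working copy or to the record itself is detectable. The case identifier, artefact bytes, tool names and timestamps are constructed for the example.

```python
"""Hash-chained collection log for the Identification/Preservation and
Collection steps. Added example; not the published framework's own code.
Artefacts, case id, tool names and timestamps below are constructed."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # 'prev' value of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CollectionLog:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: list[dict] = []

    def record(self, source: str, artefact: bytes, tool: str, collected_at: str) -> dict:
        """Append a provenance entry for one collected artefact."""
        entry = {
            "seq": len(self.entries),
            "case": self.case_id,
            "source": source,
            "tool": tool,
            "collected_at": collected_at,
            "size": len(artefact),
            "sha256": sha256_hex(artefact),
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        # The entry hash covers every field above, including 'prev', which
        # is what chains the entries together.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True iff no entry was altered or reordered after recording
        (removing an interior entry also breaks the 'prev' links)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

    def verify_copy(self, seq: int, artefact: bytes) -> bool:
        """True iff a working copy still matches the digest taken at collection."""
        return self.entries[seq]["sha256"] == sha256_hex(artefact)


def demo() -> dict:
    """Constructed walk-through: record two artefacts, then tamper with a copy
    and with the record and show that both are caught."""
    log = CollectionLog("PTF-2014-001")                      # constructed case id
    config = b'{"host_id": "abc123", "email": "user@example.com"}\n'  # constructed client config
    ram = bytes(range(256)) * 4                               # constructed memory fragment
    log.record("cloud storage client config (laptop image)", config,
               "manual export", "2014-03-01T09:12:00Z")
    log.record("RAM capture (laptop)", ram, "memory acquisition tool", "2014-03-01T09:20:00Z")
    intact = log.verify_chain() and log.verify_copy(0, config) and log.verify_copy(1, ram)
    altered_copy = log.verify_copy(0, config.replace(b"abc123", b"abc124"))
    log.entries[0]["source"] = "USB stick"                   # record edited after the fact
    return {"intact": intact,
            "altered_copy_verifies": altered_copy,
            "chain_after_edit": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The log records only digests, not the artefacts themselves, so it can be disclosed to the defendant’s legal team alongside the copies without itself becoming evidence that needs re-acquisition.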
• The initial focus of our research has been in the area of Storage as a Service (StaaS).
• Client analysis: three popular public storage clients have been analysed across both PC and mobile devices.
• Client and server analysis: one of the preeminent open source cloud storage products (ownCloud) has also been analysed.
– Australia’s Academic and Research Network (with over one million end users from 38 Australian universities, CSIRO and other academic, research and education institutions) is deploying ownCloud as the basis for its CloudStor+ service.
Cloud forensics
A snapshot of our findings from the client analysis

Client             | System tray link                          | RAM (password in cleartext) | DBAN
Dropbox            | Yes                                       | Yes                         | No
Microsoft SkyDrive | Yes (but not full access to an account)   | Yes                         | No
Google Drive       | Yes                                       | Yes (and also on HDD)       | No

Client             | Eraser/CCleaner | Configuration files         | Mobile
Dropbox            | Remnants        | Yes (old) / Encrypted (new) | Browser
Microsoft SkyDrive | Remnants        | Yes                         | Browser
Google Drive       | Remnants        | Yes                         | Browser
Cloud forensics
Our recent book
For our new book, “Cloud Storage Forensics, 1st Edition”, please visit http://store.elsevier.com/product.jsp?isbn=9780124199705. The book’s forewords are written by Australia’s Chief Defence Scientist and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories.
• Examine other cloud services to determine the best practices for forensic extraction and analysis on these platforms, as there will most certainly be variation in the collection methods for each type of cloud platform and deployment model.
Cloud forensics
Ongoing Work
Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework
• iOS Forensics – develop a practitioner-based iOS forensic technique to identify and acquire deleted data from an HFS Plus volume in an iOS device.
– The technique also allows forensic practitioners to verify the timestamps of the recovered image file.
iOS Forensics
Cloud and Mobile Forensics
Ongoing Work
• iOS Anti-Forensics
– “Concealment” technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices,
– “Deletion” technique to reinforce data deletion from iOS devices, and
– “Insertion” technique to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.
iOS anti-forensics
Ariffin A, D’Orazio C, Choo K-K R and Slay J 2013. iOS Forensics: How can we recover deleted image files with timestamp in a forensically sound manner? In International Conference on Availability, Reliability and Security (ARES 2013), pp. 375–382, University of Regensburg, Germany, 2–6 September 2013
D’Orazio C, Ariffin A and Choo K-K R 2014. iOS anti-forensics: How can we securely conceal, delete and insert data? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4838–4847, 6–9 January 2014, IEEE Computer Society Press
Aim: to examine ten popular freely available Android VoIP apps to determine whether voice and text communications using these applications are encrypted.
What this study is not about …
• Motivation: VoIP and video chat from smart mobile devices are an increasingly popular choice for consumers. It is important to understand the limitations of these technologies.
• App-to-app communication channels examined:
– Wi-Fi network to Wi-Fi network
– Mobile data network to mobile data network
– Mobile data network to Wi-Fi network
– Wi-Fi network to mobile data network
VoIP apps
VoIP app    | Text communication encrypted?                       | Cluster in histogram analysis (Sample 1 / Sample 2) | Entropy analysis (Sample 1 / Sample 2)                        | Voice communication encrypted?
Skype       | Yes                                                 | No / No                                             | Steady / Steady with sudden changes                           | Yes
Google Talk | Yes                                                 | No / No                                             | Gradual change / Gradual change                               | Yes
ICQ         | Yes                                                 | Yes / Yes                                           | Uneven / Steady changes                                       | No
Viber       | Yes                                                 | Yes / Yes                                           | High fluctuation / High fluctuation                           | No
Nimbuzz     | Yes                                                 | Yes / Yes                                           | Steady changes / Steady changes                               | Yes
Yahoo       | No (messages sent by user) / Yes (messages received by user) | No / No                                     | High fluctuations in the beginning / High fluctuation         | No
Fring       | Yes                                                 | Yes / Yes                                           | High fluctuation / High fluctuation                           | No
Vonage      | Yes                                                 | Yes / Yes                                           | Steady with few spikes / Steady with few spikes               | No
WeChat      | Yes                                                 | Yes / Yes                                           | Even and uneven / Even and uneven                             | No
Tango       | Yes                                                 | No / No                                             | High fluctuation / Steady changes                             | Yes
Android VoIP apps
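The two columns in the middle of the table, histogram clustering and entropy analysis, are the black-box tests that let the study judge whether a voice channel is encrypted without reverse-engineering any app. The following is an added example of those two tests, not code from the HICSS 2014 study: it computes the byte-value histogram and the Shannon entropy of a captured payload, plus a windowed entropy profile whose spread corresponds to the “steady” versus “high fluctuation” descriptions. The payloads are constructed in-line (a repeated plaintext message, and seeded pseudo-random bytes standing in for well-encrypted traffic), and the thresholds (7.0 bits per byte, a 2% histogram share) are this example’s assumptions, not values taken from the paper.

```python
"""Entropy and byte-histogram checks on packet payloads.

Added example; not code from the Android VoIP study. Payloads are constructed,
and the thresholds (7.0 bits, 2% share, 128-byte windows) are assumptions."""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def histogram_clusters(data: bytes, min_share: float = 0.02) -> int:
    """Count byte values that each make up at least min_share of the payload.

    Plaintext clusters on a few dozen printable values (space, e, t, ...);
    ciphertext is close to uniform, so no single value reaches the share."""
    n = len(data)
    if n == 0:
        return 0
    return sum(1 for c in Counter(data).values() if c / n >= min_share)


def entropy_profile(data: bytes, window: int = 128) -> list[float]:
    """Entropy of consecutive non-overlapping windows; the 'steady' versus
    'high fluctuation' wording in the table is the spread of this series."""
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, window)]


def classify(data: bytes) -> dict:
    """Summarise one captured stream the way the study's table does."""
    h = shannon_entropy(data)
    clusters = histogram_clusters(data)
    profile = entropy_profile(data)
    spread = (max(profile) - min(profile)) if profile else 0.0
    return {
        "entropy_bits": round(h, 2),
        "clusters": clusters,
        "profile_spread": round(spread, 2),
        # Both signals must agree before the channel is called encrypted.
        "looks_encrypted": h >= 7.0 and clusters == 0,
    }


def constructed_samples() -> dict[str, bytes]:
    """Constructed inputs, not captures; the fixed seed keeps them deterministic."""
    rng = random.Random(2014)
    message = b"meet at the usual place at nine and bring the documents "
    plaintext = (message * 80)[:4096]
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    # A stream that is encrypted for its first half and plaintext for the
    # second: the kind of change a per-channel comparison is meant to catch.
    mixed = ciphertext[:2048] + plaintext[:2048]
    return {"plaintext": plaintext, "ciphertext": ciphertext, "mixed": mixed}


if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(f"{name:10s} {classify(payload)}")
```

Entropy alone is not a proof of encryption: compressed audio codecs also produce high-entropy bytes, which is why the study pairs it with the histogram test and with two samples per app rather than relying on one number.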
Encryption of text/voice communication per channel (w2w = Wi-Fi to Wi-Fi, m2m = mobile data to mobile data, m2w = mobile data to Wi-Fi, w2m = Wi-Fi to mobile data; “-” = no result given on the slide)

Android VoIP app | Text: w2w m2m m2w w2m | Voice: w2w m2m m2w w2m
Skype            | Y Y Y Y               | Y Y Y Y
Google Hangout   | - Y Y Y               | - Y Y Y
ICQ              | Y Y Y Y               | N N N N
Viber            | Y Y Y Y               | N N N N
Nimbuzz          | Y Y Y Y               | Y Y Y Y
Yahoo            | N N N N               | N N N N
Fring            | Y N N N               | N N N N
Vonage           | Y N N N               | N N N N
WeChat           | Y Y Y Y               | N N N N
Tango            | Y Y Y Y               | Y N N N

The three apps that encrypt on Wi-Fi to Wi-Fi but not on any channel with a mobile network at either end (Fring text, Vonage text, Tango voice) might be silently turning off encryption whenever a mobile network is involved.
Android VoIP apps
Azfar A, Choo K-K R and Liu L 2014. A study of ten popular Android mobile VoIP applications: Are the communications encrypted? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4858–4867, 6–9 January 2014, IEEE Computer Society Press
Windows event forensic process (WinEFP)
Do Q, Martini B, Looi J M J, Wang Y and Choo K-K R 2014. Windows Event Forensic Process (WinEFP). In IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, IFIP Advances in Information and Communication Technology, Springer-Verlag, 8–10 January [In press]
Mobile forensics : A rat race
Mobile forensics: a race not only to keep up with device (i.e. hardware) and software (e.g. app and operating system) releases by providers, but also with software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence.
• ‘Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney’ (Australian Broadcasting Corporation 2014).
• NSW Crime Commission’s 2012-2013 annual report stated that ‘[a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community’.
Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework
Digitalisation of data
1. Increasing data volume and cost implications
2. Digital forensic practitioners, especially those in government and law enforcement agencies, will continue to be under pressure to deliver more with less, especially in today’s economic landscape. This gives rise to a variety of needs, including
• a more efficient method of collecting and preserving evidence,
• a capacity to triage evidence prior to conducting full analysis,
• reduced data storage requirements,
• an ability to conduct a review of information in a timely manner for intelligence, research and evidential purposes,
• an ability to archive important data,
• an ability to quickly retrieve and review archived data, and
• a source of data to enable a review of current and historical cases (intelligence, research and knowledge management).
Data reduction framework for digital forensic evidence
storage, intelligence, review and archive
Initial research with sample data from the South Australia Police Electronic Crime Section and Digital Corpora forensic images using our proposed framework resulted in a significant reduction in the storage requirements: the reduced subset is only 0.196% and 0.75% respectively of the original data volume.
Quick D and Choo K-K R. Data reduction framework for digital forensic evidence storage, review and archive. Trends & Issues in Crime and Criminal Justice [In press, accepted 11 March 2014]
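A reduction to a fraction of a percent of the original volume comes from keeping only files that can carry evidential or intelligence value and recording, rather than copying, everything else. The following is an added example of that selection, not code from the Quick and Choo framework: it walks a constructed image inventory, drops files whose hashes match a known-good reference set (a stand-in for a hash set such as NSRL), drops duplicate content, keeps only assumed categories of user and system artefacts below a size cap, and reports the subset’s share of the original volume. The inventory, hash set, category lists and size cap are all this example’s assumptions.

```python
"""Selecting a reduced evidential subset from a forensic image inventory.

Added example; not the published framework's code or selection criteria.
Inventory, known-good hashes, file categories and size cap are assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int      # bytes
    sha256: str    # hex digest of the file content


# Assumed categories worth copying for triage, intelligence and review.
KEEP_EXTENSIONS = {
    "documents": {".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx"},
    "pictures": {".jpg", ".jpeg", ".png", ".gif"},
    "internet": {".sqlite"},              # browser history / cookie stores
    "system": {".evtx", ".lnk", ".pf"},   # event logs, shortcuts, prefetch
}
ALL_KEEP = set().union(*KEEP_EXTENSIONS.values())
MAX_KEEP_BYTES = 50 * 1024 * 1024  # assumption: larger files are listed, not copied


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def reduce_inventory(entries: list[FileEntry], known_good: set[str]):
    """Return (kept, listed): kept files go into the reduced subset; listed
    files are recorded by path, size and hash only, so the full inventory
    is still available for review even though the content is not copied."""
    kept, listed, seen = [], [], set()
    for e in entries:
        if e.sha256 in known_good or e.sha256 in seen:
            listed.append(e)  # known OS/application file, or duplicate content
            continue
        if _ext(e.path) not in ALL_KEEP or e.size > MAX_KEEP_BYTES:
            listed.append(e)
            continue
        seen.add(e.sha256)
        kept.append(e)
    return kept, listed


def reduction_percent(entries: list[FileEntry], kept: list[FileEntry]) -> float:
    """Size of the subset as a percentage of the original volume."""
    total = sum(e.size for e in entries)
    return 100.0 * sum(k.size for k in kept) / total if total else 0.0


def constructed_inventory():
    """Hand-made inventory; the hashes are of the labels, not of real files."""
    def h(label: str) -> str:
        return hashlib.sha256(label.encode()).hexdigest()
    entries = [
        FileEntry("C:/Windows/System32/kernel32.dll", 1_200_000, h("kernel32")),
        FileEntry("C:/Windows/System32/ntdll.dll", 1_500_000, h("ntdll")),
        FileEntry("C:/Users/a/Documents/plan.docx", 40_000, h("plan")),
        FileEntry("C:/Users/a/Documents/plan - copy.docx", 40_000, h("plan")),
        FileEntry("C:/Users/a/Pictures/IMG_001.jpg", 2_500_000, h("img1")),
        FileEntry("C:/Users/a/Pictures/scan.jpg", 60_000_000, h("scan")),
        FileEntry("C:/Users/a/Videos/holiday.mp4", 900_000_000, h("video")),
        FileEntry("C:/Users/a/AppData/Roaming/Mozilla/Firefox/Profiles/x/places.sqlite",
                  5_000_000, h("places")),
        FileEntry("C:/Windows/System32/winevt/Logs/Security.evtx", 20_000_000, h("security")),
        FileEntry("C:/pagefile.sys", 4_000_000_000, h("pagefile")),
        FileEntry("C:/Users/a/Downloads/image.iso", 3_000_000_000, h("iso")),
    ]
    known_good = {h("kernel32"), h("ntdll")}  # stand-in for a reference hash set
    return entries, known_good


if __name__ == "__main__":
    entries, known_good = constructed_inventory()
    kept, listed = reduce_inventory(entries, known_good)
    print(f"kept {len(kept)} of {len(entries)} files, "
          f"{reduction_percent(entries, kept):.3f}% of original volume")
    for k in kept:
        print(" ", k.path, k.sha256[:12])
```

Because the listed files keep their hashes, a later decision to expand the analysis (step 6 of the framework) can go back to the original image and verify that the files now being pulled are the ones that were inventoried.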
Dr. Kim-Kwang Raymond Choo
2009 Fulbright Scholar
Research Director, Cloud Security Alliance, Australia Chapter
Senior Lecturer, School of Information Technology & Mathematical Sciences,
University of South Australia
URL: https://sites.google.com/site/raymondchooau/
Email: [email protected]
Google Scholar: http://scholar.google.de/citations?user=rRBNI6AAAAAJ&hl=de