Smartphone Overload: Preparing to overcome the challenges posed by an abundance of mobile operating systems
Most everyone is familiar with the top three mobile operating systems that have dominated the worldwide smartphone market for a number of years. Android, iOS and BlackBerry are household names, even as they compete among one another each quarter for market share.
This grouping might be comparable to the Windows-Apple-Linux trifecta that has gone largely unchanged since the early 1990s, when Windows rose to attain—and maintain—a 90-percent market share. However, there are some marked differences.
- Before smartphones gained widespread adoption, the Windows operating system might have been found on a few hundred PC-based platforms. By contrast, each iOS, Android and BlackBerry version might be found on any of several thousand types of smartphones and tablets.
- New PC operating systems are released every few years, whereas new mobile platform versions are released every few months. Eight “flavors” of the Android operating system, six major iOS versions, and five major BlackBerry versions exist—each with its own subsets.
- The “big three” aren’t alone. Windows Mobile/Windows Phone and Nokia’s Symbian operating system have smaller percentages of market share, but Windows Phone 8 is gaining ground. Palm OS may be seen on older devices, while Linux Ubuntu and Samsung Tizen are anticipated sometime this year. And many feature phones run on the Java-based BREW platform.
- With multiple operating systems come multiple file systems. In PCs, Windows uses only the File Allocation Table (FAT), exFAT, and New Technology File System (NTFS). A version of FAT is in use in Windows Mobile and Windows Phone devices. However, dozens of mobile file systems exist across all device families.
- Android may be the most widely installed operating system, but its Apple’s iOS driving most of the data bandwidth usage. And BlackBerry may be in steady decline, but is an important legacy device to many business and personal users.
All of this is not necessarily as complicated as it sounds. If you’re contemplating entering the field of mobile forensics, know that much of the hard work associated with file systems and data structures is now automated. With that said, “I pressed a button and got the data” is still a statement you want to avoid making in court. Here are some additional challenges to keep in mind as you start to investigate mobile devices.
Operating systems and user interfaces
Because the different operating systems run different file systems, they store information in different ways. iPhones, iPads, and other devices running iOS are generally all the same, but decoding an iOS app may not be the same as for an Android app—even if they are the same app. These types of problems are solved with physical extraction and automatic file system reconstruction, or file system extraction if the mobile forensics tool doesn’t support reconstruction.
Differences in file systems may also mean that mobile forensic tools don’t parse some files, which must therefore be carved manually. Logs and other data may be stored differently from one device to the next. For example, the user may change out the SIM card, or the device may change hands. If logs are important to a case, it will take additional effort to find them—whether forensic or legal (i.e. serving paper on one or more carriers to trace device activity).
Possibly the biggest challenge of all is that support for certain “lesser” mobile operating systems, including Windows Phone 7 and 8, is limited. Some vendors focus on support for specific operating systems, but mainly for iOS and Android. Finding forensic tools to support systems that are not one of the “Big Three” may require computer forensic experience.
Built-in security
Security exists on several levels within most smartphones:
- User locks. On iOS devices, this might consist of a simple (4-digit) or complex (longer than four digits) passcode. On Android devices, it can be a PIN lock or password, or a “pattern lock”—a pattern swiped across a touch screen’s numerical keypad.
- Data/file protection. Individual directories, such as email, can be password-protected.
- Device encryption. iOS, BlackBerry, and newer Android versions (3.0 and above) allow users to enable device-level and file system encryption.
- File system encryption.
- App sandboxes. The operating system forces apps to ask the API for permission to access contacts, locations, and other information; the apps do not communicate directly, so data within each app is protected.
Mobile forensic password extraction or bypass exists for many of the most popular devices, but not for every device—including iPhone 4s and iPhone 5.
Decryption, too, is hit or miss. On BlackBerry devices, where different encryption exists for the different operating system versions, it is possible to decrypt the data if you know the password in OS 4-6. However, disabling the encryption only does so for future data. Data encrypted prior to disablement remains encrypted.
Jailbroken and rooted devices
At times, users jailbreak their iOS devices or root their Androids to access the underlying kernel—the controller between software and hardware—which removes security features designed to restrict app download only to signed certificates.
As a result, jailbreaking or rooting make a device more susceptible to malware from web browsers, non-App Store or Google Play apps, and malicious QR (scannable “quick response”) codes. Malware that would not otherwise have been able to run, can run.
Rooting and jailbreaking also remove the “sandboxing” that maintains barriers between apps. In a jailbroken or rooted device, all apps have access to all data—making it easy for embedded malware to siphon data. This may have direct relevance to identity theft and cyber harassment types of cases. The good news: the victim of domestic violence or credit card fraud is likely to provide you with consent to perform a full forensic examination of their device.
Encrypted data wiping
There’s a reason why isolating a mobile device from the network is considered a best practice for seizure: data wiping isn’t the same as deleted data—once data is wiped, it’s gone. On iPhone 3GS and above, there is no known way to decrypt and recover wiped data; wiping deletes the keys to the AES 256 decryption.
Four different methods wipe a BlackBerry: Desktop Manager, remote wipe through the BlackBerry Enterprise Server, entering the wrong password 10 times, and via the phone’s menu. iOS devices can also be set to wipe data if a password is incorrectly entered, or remote-wiped via iCloud. Android remote-wiping takes place via Google Sync; for Windows, it’s Find My Phone. Data Wiping is also available on Android, iOS and Windows devices, not only on Blackberry… (through settings menu)
Make sure first responders know to isolate a mobile device by putting it in Airplane Mode or in a Faraday container (and seizing its charger, too). You won’t always be able to crack encryption, but make sure the processes are in place to at least give yourself the chance.
Special cases: down-market prepaid “burner” and counterfeit devices
Android is the predominant operating system for prepaid smartphones, and fortunately, its open source nature makes it easier for mobile forensics vendors to support. However, “feature” phones’ use of the Java-based BREW platform complicates forensic extractions. Vendors disable their data ports, and don’t make their APIs available so that commercial forensic extraction tools’ can perform logical and file system extractions.
There are two ways to potentially get around the data port lock. First is to attempt to perform a physical extraction by selecting the postpaid device profile. However, the firmware differs from a prepaid to a postpaid device, and so this may or may not work—depending on the forensic tool’s ability to reconstruct the file system and/or parse the data.
Law enforcement may also attempt to obtain the MSL (Master Subsidiary Lock) code from the prepaid carrier, which unlocks the data port. Once unlocked, a logical or file system extraction can be run under the postpaid device profile, if it exists. However, it is subject to the same limitations as attempting physical extraction without the MSL code.
Counterfeit mobile devices, made mainly in China but also in India and elsewhere, have begun to challenge law enforcers in Asia, the Middle East and Europe, and to a limited extent on the US West Coast. These devices pose an investigative challenge because they are structured differently from legitimate branded mobile devices. This makes them communicate differently (or not at all) with most commercial mobile forensics tools. Look for tools that can automatically recognize the “pin-out” connector to perform file system and/or physical extraction and decoding.
The cloud
Some mobile devices back up or upload data to cloud services to save memory, meaning that some emails, images and other data are stored online—not necessarily on the device. In other words, many devices archive emails older than a certain point in time (say, one month) in the cloud.
This is different from the call detail records (and, occasionally, other limited data like contacts and text messages) which carriers store. Cloud storage backs up file system data from operating system: iPhone data to Apple’s iCloud, Android data to Google, BlackBerry to the BlackBerry Enterprise Server. In addition, some third-party apps—think Dropbox, Lookout, Evernote and others—enable cloud storage of files, notes, and images.
Data stored on the phone can help to support the paper you serve on carriers and cloud services, and corroborative data on both phone and cloud can strengthen your case—just as it can when data is backed up to PC, available to computer forensics. However, the reverse is the need to serve paper if you think data may be on the cloud instead of on the device.
Mobile device investigation is challenging and, at times, frustrating, but continues to become more and more necessary as general usage climbs. Understand the challenges, and you won’t be caught unawares during that high-profile case or emergency situation.
