I Finished My Thesis Defense — A Journey to Mobile Forensic

wanodya e
Published in Nerd For Tech
Oct 23, 2023

(Image caption: Thomas Shelby and May Carleton)

If there is an award for making things complicated, I’d probably be the winner. The ultimate rule to graduate from uni is to do research that you’ll most likely be comfortable with. Sure, I knew the theory, but I don't know why — in every aspect, I always ended up doing the complete opposite *duh.

Instead of doing research in the field of mobile forensics and choosing to do what I thought I was capable of doing, I improvised — a lot. I tried to implement a model that’s a kind of mixture of the semantic web and mobile forensics. You know, I spent my holiday crying because I felt so dumb that I was incapable of understanding the idea I wanted to bring. Guess what? Through hardship, patience, determination, and revelation from God, who sent me a humble yet very chill supervisor who always encouraged me to finish my work, I finally did it.

You know what, sometimes it’s not the situation that’s going to kill you, but the panic will. I was worried that I couldn’t do my thesis, but after I did it, I was more worried that my work was too simple to be presented at my thesis defense (it’s not that simple af girl, you are joking writing this). Guess I just spent my time overthinking things and panicked when everything was actually negotiable and under control hahaha my bad. I’ll talk about my thesis later; now I want to show you how to do the basic mobile forensics most people do in a digital forensics investigation. I think you’re going to like it even though I find it boring by now.

Prerequisites

Let me inform you that we need some equipment and tools for this process.

1. Mobile Phone

Get yourself a phone; it’s up to you whether you want to use an iPhone, an Android smartphone, or that indestructible N*kia 3310 *LOL. I bought an Android specifically for my thesis, but because of some problems on my campus, by the time I wrote this article our phones were still seized by the authorities. I know shit happens and c’est la vie, but never mind, I’ll use a virtual phone emulated by the Genymotion app for this tutorial, so I’m sorry if you cannot relate.

2. Platform Tools

Okay, now you need to download the tool from the address below; I’ll explain later what it’s for. Download the build for the operating system that you use, Mac, Linux or maybe Windows? https://developer.android.com/tools/releases/platform-tools

3. Autopsy

Same as with the Platform Tools, choose the one that suits your operating system, and I’ll tell you about its function later. Here: https://www.autopsy.com/download/

4. Busybox

I need to inform you that I’m going to use the physical acquisition method for the acquisition process, so it requires us to root the phone (don’t do this if you don’t want to lose your phone’s warranty and make it vulnerable to security issues). Well, for the rooting process, we’ll definitely need Busybox. Mine uses Busybox Pro, but you can download the tool via the Play Store.

5. Ncat and USB cable

Because we’re going to do the mobile forensic process on our laptop, or should we call it a forensic workstation, we still need to connect it to our phone. In this case a USB cable is not actually needed to connect the phone to our laptop since I use a virtual phone, but the Ncat tool is a must since it helps us build a connection between the two devices. Download the tool from this address: https://nmap.org/ncat/

The Steps

Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. A digital forensics investigation is kind of a tricky process because any mistake we make along the way could make the digital evidence presented to the court invalid. So doing this process requires discipline. The standard usually used for mobile forensics is NIST SP 800-101 Revision 1. That standard divides the forensics process into four phases: preservation, acquisition, examination and analysis, and finally reporting of digital evidence.

Preservation

NIST SP 800-101 Rev 1 states that evidence preservation is the process of securely maintaining custody of property without altering or changing the contents of data that reside on devices and removable media. Preservation involves searching, recognizing, documenting, and collecting electronic-based evidence. When we use an actual mobile phone, the process consists of documenting the condition of the device, like taking photos of the evidence, front and back, and also noting the battery capacity.

Also, the steps that need to be done are enabling airplane mode and then turning off cellular data and Wi-Fi. We need to do that to make sure there is no signal exchange on our device that may modify the current state of the data stored on it. Most of the time a Faraday bag is used for isolation, to shield the evidence from external signals. Also, we need to disable GPS to maintain the integrity of location-related evidence. If GPS is active, it may continue to collect and update location information, potentially altering the data relevant to the time of the incident under investigation. By turning it off, you freeze the GPS data at a specific point in time.

Acquisition

After the preservation step, be ready for the acquisition process. Acquisition is needed since you cannot work directly on the evidence; this method helps maintain a digital chain of custody, which is essential for ensuring that the evidence is admissible in court. It demonstrates that the evidence hasn’t been tampered with or altered during the investigation. So, in short, you need to duplicate, copy or image the evidence in this step.

As I mentioned before, I’ll do a physical acquisition. Physical acquisition refers to directly accessing and copying data from a mobile device's physical storage; this method creates a bit-by-bit copy or image of the device’s storage, including both user data and system files, at the binary level.

Previously I asked you to download Busybox; now it’s time to install it on your phone. Busybox has a utility called ‘dd’ (used for low-level copying of data) that will help us create disk images for forensic analysis.

Below, on the left side, you see that I haven’t installed Busybox on the phone yet. I just kept the settings at their defaults, then clicked the Install button and let the app do its work. Now move to your phone, or in my case the virtual phone. Before you can do the physical acquisition, you need to change some settings on your phone to make sure the device grants access to its debugging interfaces. Find the “About phone” section on your phone, then look for the Build number and tap it around 7–8 times until it says that developer mode has been enabled.


Great, once the developer options have been activated you can go to Settings and open that section. Look at the right picture: in Developer options, find Debugging and enable the USB debugging toggle.

We’re done here; it’s not a rooting process, it’s just a basic setting to help the device connect with the forensic workstation. You can do a physical acquisition without rooting the phone if the phone you use is a virtual phone, like mine. When it comes to actual phones, believe me, mate, the process is kind of complicated. I failed like 5 times just doing the rooting thing, tired but this gal has goals.

Now it’s the game changer, remember I asked you to download the platform tools, eh? Now open Command Prompt in that folder and run adb.exe with the command below.

adb.exe devices

Below on the right side is the virtual phone opened by the Genymotion app. The command above checks whether the device is connected to the forensic workstation or not. You see on the left side below that the IP address of my virtual phone already appears, meaning the device is connected to my laptop.

The platform tools I mentioned before contain the adb.exe that we just ran in our terminal, but the Genymotion app also ships its own adb.exe so that the virtual phone can communicate with the laptop.

Now we’ll start imaging. First, allow superuser access on the phone so that we can be root. Then open an adb shell from Genymotion via the command prompt: look for the “tools” folder in the Genymotion installation first; on my computer the path is C:\Program Files\Genymobile\Genymotion\tools . When you’re done, run the command below to display the phone’s partition information. The part in the red square is the internal storage that we’re going to image; it’s around 5 GB.

cat /proc/partitions

Now open both terminals, the adb shell from the platform tools and the one from Genymotion, but before that make sure you have already installed Ncat on the laptop. Okay, to keep things easy, from now on I’ll place the adb shell from the Platform Tools on the left side and the adb shell from Genymotion on the right side.

Before we can image or extract data from the mobile phone to our forensic workstation, we have to make the two devices listen to each other; just like they say, mate — communication is key. Port forwarding enables this communication and makes the extraction possible, so please run the command below.

adb forward tcp:8888 tcp:8888

When the forwarding is set up, adb replies with “8888”, the port number we chose to route traffic through. Now move to the right side: the command below uses dd to read data from the /dev/block/sdb device file (on the phone) and pipes it into busybox nc, which listens on port 8888 and streams the data to whatever connects to that port, in our case the laptop’s Ncat through the forwarded port.

dd if=/dev/block/sdb | busybox nc -l -p 8888

Back to the left side, run the command below to capture data from the network connection and save the output to a file for further analysis or processing. The output will be an image file in .dd format; I named mine callitatest.dd.

ncat.exe 127.0.0.1 8888 > youcannameitasyoudesired.dd

The output will be saved in the same directory where you put the platform-tools. Wait patiently as you watch the cursor in the red square keep blinking. The imaging process takes time depending on the storage capacity of your phone; the file gradually grows from KB to GB as you see in the right picture.

Well, well, well, see the left picture: the process is done and, as you can see, the .dd file size is indeed around 5 GB, just like the virtual phone storage capacity I mentioned at the beginning. Also, when the process is done, you’ll see the notification in Genymobile’s CMD just like in the right picture.
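The whole acquisition exchange above (dd piped into a listening busybox nc on the phone, Ncat on the workstation connecting through the adb-forwarded port and writing the stream to a .dd file) can be modelled end to end in a few dozen lines. The block below is an added example, not code from the post or from the adb, Busybox or Ncat projects: a thread stands in for the phone side, a plain socket client stands in for ncat.exe, and the /proc/partitions text and the "device" contents are constructed sample data (1 MiB, not the author's 5 GB partition). It also does two things the post leaves out but every examiner does before moving on to analysis: checks that the number of bytes received equals the partition size reported by /proc/partitions, and records a SHA-256 of the image for the chain-of-custody log.

```python
"""Model of the dd | nc  ->  adb forward  ->  ncat > image.dd exchange, on loopback.

Phone side  : dd if=/dev/block/sdb | busybox nc -l -p 8888
Workstation : adb forward tcp:8888 tcp:8888 ; ncat.exe 127.0.0.1 8888 > image.dd
A thread plays the phone, a socket client plays ncat, and a SHA-256 is computed
while the bytes land on disk (an addition; the post does not hash the image).
"""
import hashlib
import os
import socket
import tempfile
import threading

# Constructed sample of `cat /proc/partitions` output; sizes are in 1 KiB blocks.
SAMPLE_PARTITIONS = """\
major minor  #blocks  name

   8        0        512 sda
   8       16       1024 sdb
   8       32        256 sdc
"""


def parse_proc_partitions(text):
    """Return {device name: size in bytes} from /proc/partitions text."""
    sizes = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) != 4:
            continue                            # skips the blank separator line
        _major, _minor, blocks, name = fields
        sizes[name] = int(blocks) * 1024
    return sizes


def largest_partition(sizes):
    """Pick the biggest block device, which is normally the internal storage."""
    name = max(sizes, key=sizes.get)
    return name, sizes[name]


def phone_side_listener(info, device_bytes, ready):
    """Stands in for `dd if=/dev/block/sdb | busybox nc -l -p 8888` on the phone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                  # ephemeral port instead of 8888
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(device_bytes)              # nc streams dd's stdout, then closes
    srv.close()


def workstation_receive(port, out_path):
    """Stands in for `ncat.exe 127.0.0.1 8888 > image.dd`, hashing as it writes."""
    digest = hashlib.sha256()
    written = 0
    with socket.create_connection(("127.0.0.1", port)) as conn, \
            open(out_path, "wb") as image:
        while True:
            chunk = conn.recv(65536)
            if not chunk:                       # remote closed: dd hit end of device
                break
            image.write(chunk)
            digest.update(chunk)
            written += len(chunk)
    return written, digest.hexdigest()


def verify_image(path, expected_sha256):
    """Re-hash the file on disk; this is the value that goes in the custody log."""
    digest = hashlib.sha256()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def acquire_image(device_bytes, expected_size, out_path):
    """Run both sides of the exchange and check the image covers the whole partition."""
    info, ready = {}, threading.Event()
    worker = threading.Thread(target=phone_side_listener,
                              args=(info, device_bytes, ready), daemon=True)
    worker.start()
    ready.wait(5)
    written, sha256 = workstation_receive(info["port"], out_path)
    worker.join(5)
    if written != expected_size:
        raise ValueError(f"got {written} bytes, partition is {expected_size}: "
                         "acquisition incomplete, do not proceed to analysis")
    return written, sha256


def run_demo():
    """Acquire a constructed 1 MiB 'device' and return what a custody record needs."""
    name, size = largest_partition(parse_proc_partitions(SAMPLE_PARTITIONS))
    device_bytes = bytes(range(256)) * (size // 256)   # constructed device contents
    out_path = os.path.join(tempfile.mkdtemp(), "callitatest.dd")
    written, sha256 = acquire_image(device_bytes, size, out_path)
    return {"device": name, "bytes": written, "sha256": sha256,
            "source_sha256": hashlib.sha256(device_bytes).hexdigest(),
            "verified": verify_image(out_path, sha256)}


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the device name, byte count and matching hashes. On a real acquisition the size check is what tells you the transfer was cut short (a dropped adb connection leaves a truncated but otherwise valid-looking .dd), and the hash recorded here is what you compare against after every later copy of the image.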

Examination and Analysis

The examination process uncovers digital evidence, including that which may be hidden or obscured. The results are gained through applying established scientifically based methods and should describe the content and state of the data fully, including the source and the potential significance. Data reduction, separating relevant from irrelevant information, occurs once the data is exposed.

The analysis process differs from the examination in that it looks at the results of the examination for its direct significance and probative value to the case. Examination is a technical process that is the province of a forensic specialist. However, analysis may be done by roles other than a specialist, such as the investigator or the forensic examiner.

We’ll use Autopsy for the examination and analysis. Yeah, all your sins will be revealed here. First, open Autopsy and create a New Case.

Give the case a name; mine is Case1. After you finish, just click Next.

Just keep clicking Next until you reach this part. Here, you need to browse to the .dd file that we acquired in the acquisition phase. When that’s done, just keep clicking Next.

We need to configure the Ingest modules here; please click Select All. The Ingest modules bring data from various sources into the Autopsy case management system. They handle data acquisition, verification, and indexing, and allow for easy management and analysis of digital evidence within a case. They are a critical component of forensic investigations, ensuring data integrity and efficiency in the analysis process.

Keep clicking Next until the display looks like the picture below. Before you can do the examination and analysis, you’ll need to wait for the ingest to reach 100%.

When it’s at 100%, you can start the examination and analysis. The process involves examining specific artefacts such as chat messages, call logs, GPS data, and other information relevant to your investigation. Also export any relevant data and findings, and validate the analysis results by confirming that the findings are consistent with your expectations and that your analysis was conducted accurately.
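To give a feel for what Autopsy’s ingest modules do with the raw .dd file before you ever see a call log or a chat message, here is an added example (not from the post and not Autopsy code) of one basic step: locating SQLite database files inside the image by their 100-byte file header. Android apps store call logs, SMS and most chat history in SQLite, so finding those files in an image of the internal storage is where artefact extraction starts. The image it scans is constructed inline, with two fake databases and one text file that merely quotes the magic string, to show why hits are only accepted at sector-aligned offsets.

```python
"""Find SQLite database files inside a raw .dd image by scanning for their header.

Android apps keep call logs, SMS and chat history in SQLite files, so locating
those files is one of the first things an examiner's tooling does on an image.
"""
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # bytes 0-15 of every SQLite 3 database
HEADER_LEN = 100                        # the SQLite file header is 100 bytes


def parse_sqlite_header(header):
    """Return (page_size, page_count) from the 100-byte header.

    Page size is a big-endian u16 at offset 16; the value 1 means 65536.
    The in-header page count (u32 at offset 28) is what the last writer
    recorded; on very old files it can be stale, so treat it as a hint.
    """
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:
        page_size = 65536
    page_count = struct.unpack(">I", header[28:32])[0]
    return page_size, page_count


def carve_sqlite(image, align=512):
    """Scan an image for SQLite headers at sector-aligned offsets.

    Returns [(offset, page_size, page_count, size_in_bytes)]. Unaligned hits are
    dropped because a real database file starts on a filesystem block boundary,
    while the magic string can also occur inside documents that merely quote it.
    """
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        if pos % align == 0 and pos + HEADER_LEN <= len(image):
            page_size, page_count = parse_sqlite_header(image[pos:pos + HEADER_LEN])
            hits.append((pos, page_size, page_count, page_size * page_count))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def fake_db(page_size, page_count):
    """Constructed stand-in for a database: a valid header followed by zero pages."""
    header = bytearray(HEADER_LEN)
    header[:16] = SQLITE_MAGIC
    header[16:18] = struct.pack(">H", 1 if page_size == 65536 else page_size)
    header[28:32] = struct.pack(">I", page_count)
    return bytes(header) + b"\x00" * (page_size * page_count - HEADER_LEN)


def build_sample_image():
    """Constructed image (not from the post): filler, a database at sector 8,
    another at sector 64, then a text file that quotes the magic string."""
    image = bytearray(b"\xff" * 512 * 8)              # 4096 bytes of filler
    image += fake_db(4096, 3)                         # 12288 bytes at offset 4096
    image += b"\x00" * (512 * 64 - len(image))        # pad to offset 32768
    image += fake_db(1024, 2)                         # 2048 bytes at offset 32768
    image += b"README: SQLite format 3\x00 is the header magic"  # unaligned, ignored
    return bytes(image)


if __name__ == "__main__":
    for offset, page_size, page_count, size in carve_sqlite(build_sample_image()):
        print(f"SQLite db at offset {offset}: {page_count} x {page_size} B = {size} B")
```

Point it at a real image with `carve_sqlite(open("callitatest.dd", "rb").read())` (or read it in chunks for a multi-gigabyte file) and you get the offsets and sizes needed to cut each database out and open it with a SQLite viewer; Autopsy’s ingest modules go on from there to parse the known Android schemas for calls, messages and contacts.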

Reporting

Reporting involves creating a comprehensive overview of the investigation process, including the actions taken and the findings. Effective reporting relies on thorough documentation of activities, observations, test results, and data interpretations. A well-crafted report is built upon robust records, notes, images, and data generated by tools. I’m not going to put the reports here because it would be too long, so check the NIST SP 800-101 Revision 1 document for the format and standard.

Conclusion

Whoever is struggling with the thesis, I feel you. With love…

Reference

[1] Ayers, R., Brothers, S., & Jansen, W. Guidelines on Mobile Device Forensics. Retrieved October 25, 2023, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-101r1.pdf


Internet nerd, cybersec enthusiast, life-long learner, dreamer & storyteller.