Sunday, January 04, 2009

Mobile Forensics Discussion Forum

I have linked up with Jamie Morris of ForensicFocus (www.forensicfocus.com) to run a Mobile Forensics Discussion Forum. It is high time the profession had such a forum, one that does not require people to join a forum while being excluded from other parts of it.

Jamie has just posed a question in the new forum:

"Forensic analysis of mobile phone internal memory"
-----------------------------------------------------
"I'm interested in how current practice in mobile phone forensic memory analysis reflects or differs from the paradigm and procedure(s) discussed in Svein Y. Willassen's paper here (PDF). All thoughts and comments welcome! Jamie"

I have posted my reply, albeit a rather long one, which is below. If you want to join the discussion, it is going on right now at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3335, so join in.

Greg Smith's reply to Jamie Morris
There are some interesting reports that have been written regarding the recovery of deleted data from mobile telephone flash memory chips, and they all make a useful contribution to this field of examination.

I do have my suspicions about the way in which deleted data recovery from mobile telephones is being conducted, and about the need to conduct such a process on anything that looks like a mobile telephone.

Jamie, as you started the discussion about methodology, I'll add my 2p worth.

Extracting and harvesting physical data, as opposed to logical data, needs to be balanced between methodology vis-a-vis forensic standards and evidential admissibility. Different countries have different requirements, rules and laws when it comes to deleted data. In the UK there are many issues surrounding 'interference with goods', single- and both-party 'consent', 'collateral intrusion', damage, etc.

As numerous articles have been written, in examination terms, about the methods used to recover deleted data, forensics and evidence equally demand that we learn of the problems with using certain methods, so as to comprehend whether these methods should be used in the first place and how reliable they are. For instance, rarely do reports record what faults were found in the methodology, the problems that occurred, the time the method takes, etc. Looking at the problems associated with damage and damage avoidance when discussing methodology:

SIM Cards
Can we learn anything from damaged SIM Cards? Let's take the issue of acid etching used on an ICC card to get at the microprocessor inside (e.g. a method used because the contact legs have been broken and normal boot-up of the ICC isn't possible) in order to read the SIM. This process is not quick and certainly is not suited to a production run ('bang it on, bang it out' style of thinking). The microprocessor may be exposed to ESD, poor handling or something else. If this happens, the examiner may not get any data, and it also prevents anyone else being able to examine the SIM independently.

Handset Flash Chips
Issues of damage can arise when dealing with removing and replacing flash memory chips on mobile telephone circuit boards. De-soldering and re-balling are not easy, no matter how easy a report presents the subject as being. It is a skilled art form that takes time and patience to acquire the routine needed to perfect re-balling, for example. What happens when the examiner breaks a flash chip contact pin when physically lifting the chip off the board because de-soldering wasn't performed correctly? Alternatively, poor re-balling technique can lead to dry joints or a loose contact pin in the grid array that might cause intermittent faults.

Whilst talking about flash memory chip removal, ask the question: why is it necessary to remove the chip in the first place? Are the deleted data really necessary? Many of you may be familiar with the term JTAG points on a mobile phone. Many of you may be aware that using the JTAG points may alter data in RAM and at the Flash Translation Layer (FTL), where some implementations run automated data-maintenance operations, such as wear-levelling, that can be activated. Removing the chip is thus meant to help avoid that happening. Okay, so now the chip has been removed (and leaving aside the issues of actually interrogating the chip, imaging it and harvesting data), the chip needs to be re-balled (replaced) at the end of the examination. How do you know that the mobile phone will work properly again having replaced the chip? Switching ON the mobile telephone to check if it works? Hang on, that cannot be right: the chip was removed in the first place to avoid altering data. By the same token, a mobile telephone cannot be handed back to its owner in a disassembled or damaged state, because not every suspect is sent to court or found guilty.

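The FTL point above is the reason acquisition reproducibility is worth checking in the examination record: if maintenance activity such as wear-levelling ran between two physical reads of the same chip, the two reads will not match, and the report should say where. The Python snippet below is an added example, not code from the original post or from Forensic Focus; it hashes two reads of the same memory, then compares them block by block and reports the offsets that changed. The two sample reads, the 16-byte block size and the function names are all constructed for illustration (real NAND pages are much larger).

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed block size so the sample is readable; a real NAND page would be
# 2 KiB or more, and the examiner would use the chip's own page or erase-block size.
BLOCK_SIZE = 16

# Constructed sample data: a 64-byte "first read" of a chip, and a "second read"
# taken later in which one block (offset 32..47) has been rewritten, standing in
# for an FTL maintenance operation that ran between the two acquisitions.
FIRST_READ = bytes(range(64))
SECOND_READ = FIRST_READ[:32] + b"\xff" * BLOCK_SIZE + FIRST_READ[48:]


def sha256_hex(data: bytes) -> str:
    """Whole-image hash, the usual first check recorded in an acquisition log."""
    return hashlib.sha256(data).hexdigest()


def changed_blocks(first: bytes, second: bytes,
                   block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) for every block that differs between two reads.

    Both reads must be the same length; a length mismatch means the two
    acquisitions did not cover the same region and cannot be compared block-wise.
    """
    if len(first) != len(second):
        raise ValueError(
            f"reads differ in length ({len(first)} vs {len(second)} bytes)")
    diffs: List[Tuple[int, int]] = []
    for offset in range(0, len(first), block_size):
        a = first[offset:offset + block_size]
        b = second[offset:offset + block_size]
        if a != b:
            diffs.append((offset, len(a)))  # last block may be short
    return diffs


def verify_acquisition(first: bytes, second: bytes,
                       block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Compare two reads of the same chip and summarise what, if anything, changed.

    'consistent' is True only when the whole-image hashes agree; otherwise the
    changed block list tells the examiner which regions to treat with caution.
    """
    first_hash = sha256_hex(first)
    second_hash = sha256_hex(second)
    diffs = changed_blocks(first, second, block_size)
    # Count individual differing byte positions, not just whole blocks, so the
    # record distinguishes a single flipped byte from a fully rewritten page.
    changed_bytes = sum(
        1 for offset, length in diffs
        for x, y in zip(first[offset:offset + length], second[offset:offset + length])
        if x != y)
    return {
        "consistent": first_hash == second_hash,
        "first_sha256": first_hash,
        "second_sha256": second_hash,
        "changed_blocks": diffs,
        "changed_bytes": changed_bytes,
    }


if __name__ == "__main__":
    result = verify_acquisition(FIRST_READ, SECOND_READ)
    print("consistent:", result["consistent"])
    for offset, length in result["changed_blocks"]:
        print(f"block changed at offset 0x{offset:04x} ({length} bytes)")
    print("differing bytes:", result["changed_bytes"])
```

Run on the constructed sample it reports the single changed block at offset 0x0020; run on two identical reads it reports a consistent image. Comparing at block granularity rather than byte granularity matches how flash is actually rewritten, so the changed regions line up with pages or erase blocks and can be cross-referenced against the chip's own layout.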
Apart from the above issues, is the technique of recovering deleted data absolutely necessary for every case, and how might that be handled?

Is there a mass market for deleted data as evidence?
Many years ago I worked in the type-approvals marketplace for telecommunications equipment, whilst my fledgling career in forensics and evidence was still beginning. As a type-approvals consultant, I visited my clients' factories in the UK and the Far East and learned a tremendous amount about equipment production and the repairing of devices. De-soldering and re-balling, I learned, use resources that are time-greedy, and specialist equipment for handling surface-mounted technology was needed where large quantities of device components needed to be removed and replaced on the board. It also required removing the PCBs from their casings (screws etc.) and disconnecting leads from LEDs/LCDs etc., which required a human workforce.

To run the same operation for seized mobile telephones as evidence would be difficult, time-consuming and costly. Outsourcing the work overseas to get cheap human labour could be fraught with problems, not least of which is that it could be tantamount to allowing evidence to leave a country, potentially to a country not governed by the laws of the country where the evidence had been seized, only to find a loss of jurisdiction and/or no way of tracing how the evidence has been handled or what treatment it has received whilst overseas. Outsourcing overseas has other problems as well, as it can lead to job losses rather than job creation in the country where the evidence was seized, and costs paid to outsourcers overseas do not benefit the home economy overall, because the money flows away from the country rather than circulating in it. Another side impact is a brain-drain of knowledge, because home-grown talent would obviously find less work and move elsewhere, or go and learn new skills and drop the old skill. Also, countries that outsourced have tended to find they are held to ransom down the line, as no knowledge and skill remained in the home country.

The above is obviously a macro view applied to a micro practice limited to recovering deleted data from evidence by removing flash memory chips. A macro methodology for removing chips and harvesting deleted data wouldn't appear to be sustainable, because only a small amount of work is undertaken that relates to deleted data evidence, quite apart from the issue that a safe forensic method for deleted data recovery on a production-line assembly might be hard to achieve. From a UK perspective there should really be no need for every case to have every handset's flash chip removed to recover deleted data, or for outsourcing overseas, or for deleted data recovery production-line assemblies.

Observations
Quite often when examination and methodology are discussed, the above issues are rarely included in those discussions. That may be because some do not see them as important, a work-around has already been achieved, the issues are not known, or some may not see them as relevant at all. I do see the above issues as relevant and needing to be aired and discussed, as they highlight that there are numerous pitfalls associated with extracting and harvesting deleted data, and that proportionality in using this recovery method, and the use of deleted data anyway, hasn't been fully justified.

On another occasion it would also be useful to discuss the value of deleted data and its accuracy and relevance.
