Sunday, October 14, 2012

To Clone or NOT to Clone?

The purpose of this article is to restate the issues surrounding the best practice model for the forensic examination and data harvesting of mobile telephones, and in particular the isolation of the handset from radio signals. It is not the author's intention to critique any person, method or vendor of products or services, but merely to highlight issues which are still apparent today, despite such methods having been adopted for well over ten years in the field of mobile phone forensics, and which in the opinion of the author have yet to be addressed to a satisfactory level.

Best practice advocates isolating the target device from any communication signal in order to prevent changes to existing live data and to recoverable deleted data (an incoming SMS or a remote wipe command would alter the evidence). Bearing this in mind, the most common practice is to use U/SIM cloning tools to produce a working copy of the target U/SIM, or in some cases to create a working U/SIM for those target devices where the original U/SIM is not available. The most commonly adopted tools and applications for this method only allow the examiner to copy the minimal data required for the handset to boot successfully: in the main the ICCID (the card serial number) and the IMSI (the subscriber identity), with the addition of other parameters such as the MNC. Although it may be regarded as best practice, the approach is not without issue. From experience, and from the review and re-examination of cold and live cases, the same problems are encountered time and again and have yet to be addressed to a satisfactory level.

There are several vendors of such products and in the main they are adequate to a degree; however, some vendors do not appear to continue developing these functions as one would expect. We see improvements and development in the core functions of mobile phone forensic applications, and that is most welcome, but the basic fundamental process, in this case the cloning of the target U/SIM, is left behind. How is it possible to maintain or improve upon a best practice model if its basic fundamental requirements are not addressed?

Examples where failings have been noted are listed below:

1. Misrepresentation of acquired/harvested data
Quite often during examination it has been noted that certain data types are not translated or presented in the correct format. For example, contact names may be missing because they are stored in the ADN (Abbreviated Dialling Numbers) file of the U/SIM and have not been carried across by the cloning system; the gap is then replicated in other data sets which rely on the phonebook for name resolution, such as SMS and call lists, where only the bare number is shown.

2. Inaccessible data
Situations have been encountered where data is not available via the GUI of the target device, and thus the possibility exists of data being missed or not examined at all. An example of this was encountered whilst examining a BlackBerry Bold device, where the BBM application was not available without the original target U/SIM, the reason being that the application or some of its functions were tied to the SIM Application Toolkit.

The above examples are just the tip of the iceberg; in the opinion of the author there are certainly more issues to be encountered in the use of U/SIM cloning systems when examining mobile telephones and other devices which use U/SIM cards.
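To make the first failing concrete, the following is an added example written for this page; it is not from the original article and not taken from any vendor's cloning tool. It encodes and decodes the U/SIM elementary files a boot-only clone carries (EF_ICCID and EF_IMSI, the parameters described above) and the one it typically leaves behind (EF_ADN, the phonebook), using the byte layouts from 3GPP TS 51.011, and then resolves a constructed handset call list against the original card and against the clone. All ICCID, IMSI, phonebook and call-list values are constructed sample data, and the alpha identifier length of 12 bytes and the ASCII-only names are assumptions for the sample card.

```python
# Added example, not from the original article or any vendor's tool.
# Encodes/decodes the U/SIM elementary files a minimal clone carries
# (EF_ICCID, EF_IMSI) and one it typically leaves behind (EF_ADN), per the
# layouts in 3GPP TS 51.011, then resolves a call list against the original
# and against the clone.  All SIM contents here are constructed sample data.

ADN_ALPHA_LEN = 12  # alpha identifier length (X) assumed for this sample SIM


def bcd_swapped(digits: str, length: int) -> bytes:
    """Nibble-swapped BCD as used across SIM files, F-padded to `length` bytes."""
    padded = digits + "F" * (length * 2 - len(digits))
    return bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, length * 2, 2))


def bcd_unswap(data: bytes) -> str:
    """Inverse of bcd_swapped; trailing F padding is dropped."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def encode_iccid(iccid: str) -> bytes:  # EF_ICCID (2FE2), 10 bytes
    return bcd_swapped(iccid, 10)


def decode_iccid(ef: bytes) -> str:
    return bcd_unswap(ef)


def encode_imsi(imsi: str) -> bytes:  # EF_IMSI (6F07), 9 bytes
    # byte 0: length of the data that follows; byte 1: high nibble = first
    # digit, low nibble = parity flag (b4, set for an odd digit count) | 001
    parity = 0x08 if len(imsi) % 2 else 0x00
    body = bytes([(int(imsi[0]) << 4) | parity | 0x01]) + bcd_swapped(imsi[1:], 7)
    return bytes([len(body)]) + body


def decode_imsi(ef: bytes) -> str:
    body = ef[1:1 + ef[0]]
    digits = str(body[0] >> 4) + bcd_unswap(body[1:])
    if bool(body[0] & 0x08) != bool(len(digits) % 2):
        raise ValueError("IMSI parity flag does not match digit count")
    return digits


def encode_adn(name: str, number: str, international: bool = False) -> bytes:
    """One EF_ADN (6F3A) record: alpha id, BCD length, TON/NPI, 10 BCD bytes, CCP, EXT1."""
    # ASCII subset of the GSM default alphabet assumed for the alpha identifier
    alpha = name.encode("ascii")[:ADN_ALPHA_LEN].ljust(ADN_ALPHA_LEN, b"\xFF")
    ton_npi = 0x91 if international else 0x81  # ISDN plan; TON international / unknown
    bcd_len = 1 + (len(number) + 1) // 2        # TON/NPI byte + BCD bytes actually used
    return alpha + bytes([bcd_len, ton_npi]) + bcd_swapped(number, 10) + b"\xFF\xFF"


def decode_adn(rec: bytes):
    """Return (name, number) or None for an unused (all-FF) record."""
    bcd_len = rec[ADN_ALPHA_LEN]
    if bcd_len == 0xFF:
        return None
    name = rec[:ADN_ALPHA_LEN].rstrip(b"\xFF").decode("ascii")
    ton_npi = rec[ADN_ALPHA_LEN + 1]
    start = ADN_ALPHA_LEN + 2
    number = bcd_unswap(rec[start:start + bcd_len - 1])
    if ton_npi & 0x70 == 0x10:  # TON = international
        number = "+" + number
    return name, number


CALL_LIST = ["07700900123", "+447700900456"]  # constructed handset call-list entries


def build_original_sim() -> dict:
    """Constructed target U/SIM: identity files plus a two-entry phonebook."""
    return {
        "EF_ICCID": encode_iccid("8944110068123456789"),
        "EF_IMSI": encode_imsi("234150999999999"),
        "EF_ADN": [encode_adn("Alice", "07700900123"),
                   encode_adn("Bob", "447700900456", international=True),
                   b"\xFF" * (ADN_ALPHA_LEN + 14)],  # unused record
    }


def minimal_clone(sim: dict) -> dict:
    """What a boot-only clone carries: ICCID and IMSI, no phonebook."""
    return {"EF_ICCID": sim["EF_ICCID"], "EF_IMSI": sim["EF_IMSI"], "EF_ADN": []}


def resolve_calls(numbers: list, sim: dict) -> list:
    """Pair each call-list number with the ADN name the handset would show."""
    book = {}
    for rec in sim["EF_ADN"]:
        entry = decode_adn(rec)
        if entry:
            book[entry[1]] = entry[0]
    return [(n, book.get(n, "<unresolved>")) for n in numbers]


if __name__ == "__main__":
    original = build_original_sim()
    print("original :", resolve_calls(CALL_LIST, original))
    print("clone    :", resolve_calls(CALL_LIST, minimal_clone(original)))
```

Run stand-alone, the script resolves both calls to "Alice" and "Bob" against the original card and to "<unresolved>" against the clone, which is exactly the gap described in item 1: the handset boots and registers on the clone, but every data set that names its counterpart from the U/SIM phonebook is presented with bare numbers. An examiner comparing a clone-based extraction against the original card can apply the same check to the ADN file to confirm whether missing names are a cloning artefact rather than genuinely absent data.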

So how can we overcome such issues and improve upon the best practice model? One solution is total radio isolation together with the use of the original target U/SIM, i.e. Faraday enclosures or rooms. Unfortunately this option is not a satisfactory way forward on grounds of cost, health and safety, practicality and the demands of volume work.

For a more practical and sustainable solution, the author would suggest that the vendors of such products and services review their product development cycle and obtain and act on feedback from seasoned practitioners, with a view to providing far more robust products and services: at best, ones which eliminate U/SIM cloning issues altogether; failing that, ones which offer the examiner more flexibility over the cloning parameters copied; and at the very least, bulletins of known issues and possible solutions for those identified.

Author: Vinny Parmar
Digital Forensic Practitioner
Accredited MTEB Mobile Phone Trainer
