Homework Help Question & Answers


Complete the following table by comparing the mobile forensics techniques of all 4 major mobile platforms, such as methods, conditions/assumptions, limitations, type of data, tools, etc.

Table columns: Windows Phone, BlackBerry, Android, iOS

Table rows:

  • Logical acquisition & Analysis (including both backup based & agent based)
  • Physical acquisition & Analysis (including both software and JTAG)
  • Acquisition through Cloud
Answer #1
Android, iOS, Windows Phone, BlackBerry

Logical Acquisition & Analysis

(Including both back-up based & agent based)

Android Operating System is built on the Linux Kernel and scripts to extract data from Android Mobile Device with the use of Android Debugging Bridge have been written. The approach is more focused on the logical acquisition of data from devices rather than acquisition using physical methods. Logical acquisitions of cell phones are performed using cell phone forensic software. A logical acquisition typically only recovers data on a cell phone that is not deleted. Depending on the phone and the forensic tools used, some or all of the data might be able to be acquired. For instance, where only some of the data can be acquired, this means that the text messages, contact list, and call history might be acquirable using the cell phone forensics.

  • The application programming interface of an equipment manufacturer is depended on in this process.
  • The phone’s contents get synchronized with a personal computer through such original interface.
  • This method has plenty of free software tools available.
  • Neither deleted data nor unallocated space gets recovered through such method which fundamentally extracts these data accessible

When it comes to iOS forensics it is an important issue to understand and distinguish between the diverse operating modes that an iOS device is working in.

There are in fact three modes that are available for an iOS device to be working on. These include Normal Mode, Recovery Mode, and DFU Mode. An examiner shall be aware of such modes to turn a device into it while performing forensics on it. This aspect will help with achieving an efficient extraction of data.

Normal mode is the one which runs by default. If an ordinary user powers on his iPhone, then it should boot an operating system. That is actually what is referred to as the normal mode. Through this way, a user can perform all activities which they desire from an iPhone. Similarly, they can utilize all its functionalities regularly.

Recovery mode is generated due to an occurrence of failure or something wrong. To elaborate, imagine switching on the iOS device in the normal mode, but an error is encountered. Remember, Low-Level Bootloader, iBoot and iOS kernel have all to get loaded for the operating system to run correctly. Nevertheless, doing such a thing all the time successfully is not guaranteed for sure. There is a possibility that loading or verifying such jobs could go to waste and fail.

DFU mode essentially means the Device Firmware Upgrade mode. It is intended to be responsible for performing iOS upgrading. This mode is perceived as a low-level mode for diagnosis. It is worth noting that during a bootup, if Boot ROM is not getting a load or verification of the needed process to boot in a normal mode, then iPhone presents the Black screen.

Logical acquisition of any device means the extraction of highest level contents of the file system. ... It means that the users do not have access to the system files or the files associated with the apps they have installed. This happens due to the specific design of Windows Operating System architecture.

Windows Phone 8.x is one of the most challenging smartphone operating systems in a forensics context. Common acquisition methods are not fully supported and only a few available forensic tools can perform partial logical acquisitions from Windows Phone devices.

Most of the commercial tools offer only very limited data acquisition or only over-the-air (cloud) acquisition. As most forensic examiners rely on forensic tools, facing a Windows Phone 8.x device remains a relatively big deal, especially when some tools list some devices as supported even if that's not the case.

Many devices (Apple iOS, BlackBerry, and a limited number of Android models, for example, Sony Xperia) are able to produce offline backups via the software installed on the user's computer. Apple iTunes, BlackBerry Link, Sony PC Companion, and many other tools can be used to produce and restore phone or tablet backups. Depending on the OS, an offline backup may or may not be password-protected. Depending on the protection status, experts may be able to extract all, some, or none of the information.

Offline backups, if available for a particular platform, tend to have as much or more information available compared to cloud backups.

Physical acquisition & Analysis

(Including both software & JTAG)

  • A bit-by-bit copy of the whole file system is created.
  • This seems so similar to physical acquisition process on standard digital forensics
  • Data residing on a device plus unallocated space in addition to even deleted data are all copied through such demanding method.

Acquiring a bit by bit image of a system is always the best case in favor of someone performing forensics on a system. That is what is meant initially by the physical acquisition of iOS data. The next step of the procedure is to check that both the copy and the original data are precisely the same with no slight change.

While this technique can be performed soundly and correctly on computers like laptops and desktops, it cannot be done merely however on mobile devices like iPhone devices. New methods to get physical acquisition smoothly and correctly have been researched nowadays to make the material acquisition on iOS devices. That aspect is attributed to the fact that physical acquisition is the best for a significant acquisition.

What makes the process on iOS device hard? The reason for this is that the storage of iOS devices is embedded in the very first place. Why can this be our concern? That leads to several challenges encountered by an examiner. To illustrate, the drive cannot be removed, and hence it cannot be connected directly to the utilized workstation.

In addition to that, techniques differ according to the platform itself or the version of the iOS inside the device. For instance, a working method to acquire data on iPhone 7 does not necessarily guarantee that it will work for iPhone 5 as well. Also, iOS 9 version can be having security methods that are entirely different from iOS 10 versions. Such changes in security methods prevent an examiner the privilege to access data with the same process on all iOS devices. That drives the motive for researchers to always keep on researching new techniques to perform physical acquisition on iOS devices.

There are some tools developed by organizations, which have to do with the Law Enforcement (LE) space. Such devices could be dedicated actually to LE like the method developed by Zdziarski for obtaining an iOS acquisition. It depends on the following methodology. The disk software of the Read Only Memory (RAM) is being replaced by another version. Such new version should be capable of running a live recovery agent to get the disk image extracted.

On the other hand, there are some other tools which are not specified for LE. Such tools could be exemplified by Lantern and iXAM. These products are in fact able to modify the RAM as well to execute a recovery agent. This recovery agent could manage to run on the volume of the operating system to perform a physical image.

Apparently, Microsoft did a great job protecting Windows Phone devices. Indeed, Microsoft has full control over the platform (Qualcomm) that is used by the different manufacturers of Windows Phone devices, so unlike Android there can be no sub-standard implementations here. As a result, all Windows Phone devices are roughly equivalent in terms of security. Until very recently, JTAG and chip-off acquisitions were the only methods to acquire most Windows Phones. However, in January 2015, Cellebrite implemented an acquisition module enabling investigators to perform physical acquisition of a lot of Lumia devices. The technology is still at an early stage. There's still a lot to do in parsing the contents. However, the filesystem is NTFS, and the OS is very similar to Windows, so eventually, this will be done.

Since then, yet another development emerged. Windows Phone Internals (http://www.wpinternals.net/) developed a bootloader unlock method for Lumia 520.

BlackBerry devices come with password protection. The owner has the capability to protect all data on the phone with a password. The user may also specify the number of attempts for entering the password before wiping all data from the device. If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry. The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

Acquisition through cloud

Smart phones are powerful minicomputers characterized by high performance, large memory capacity and enhanced applications that enable various ways of communication. They are widely used for other purposes besides making phone calls, for instance browsing the internet, reading and responding to emails, road navigation, editing documents, video conferencing, playing music, taking videos and photo, to mention but a few. The problem at hand is that forensic investigators often encounter difficulty in identifying service providers, accounts credentials like username and passwords and cloud data remnants. This can be provided by the seizure and analysis of data contained in smart phones such as Android devices. There is an emerging trend where criminals use cloud computing to propagate and perform acts of crime like child pornography, which puts into perspective the importance of the study in acquisition of sound forensic tools and techniques that will ensure evidence is admissible before a court of law. The project was intended at expounding on the following research questions. Firstly, what were the cloud data remnants on a smart phone and where are they located in current Android versions? Secondly, how can these cloud data remnants be forensically acquired from a smart phone? The third question looks into the forensic implication of accessing and downloading cloud data from Google Drive™, Dropbox™ and One Drive® on a Smart phone. The project explored ways of collecting data from cloud storage accounts with the help of browsers and client software, the use of forensics software thereafter performing a comparison with the original evidence files with the use of a digital forensics framework. The key findings from the acquisition included log files, the downloaded files and memory captures of some files resident on the clients. In conclusion, the experiments established that no modifications were made during the process. 
Notable though was the change of timestamps which should be considered in the assumptions of creation, modification and access times associated with files downloaded via client software. Recommendations are that the relevant organs in Kenya should gazette laws for the utilization of digital forensics tools for the admissibility of evidence in courts of law. The current evidence act (Republic of Kenya, 2014) does not clearly define the method of acquiring digital evidence or the open source and licensed tools to be utilized, though it explicitly states that electronic records are admissible in court. Future studies can incorporate use of licensed forensics software to retrieve evidential data from new Android versions like Marshmallow. The national government should also initiate activities for the drafting of national mobile forensic guidelines to govern the acquisition of data remnants with the use of approved software.

Every time an iPhone user syncs their device with a PC (Windows or macOS X), iTunes creates a local copy of all user data stored in the device (unless the user opts for cloud backups, which will be covered in the next chapter). While it is arguable whether automated backups with no user intervention are a good thing or a bad thing, unless a cloud option is selected, users end up having backup copies of their device contents on every computer they sync with.

As a result, the chance of encountering a local copy of an iPhone on the user's PC is not insignificant.

Apple offers its users the choice of three different backup methods, allowing plain and password-protected local backups to be created via iTunes, or over-the-air iCloud backups to be made.


  • Keychain: encrypted with securityd (*)
  • Amount of data: limited (for example, no IMEI and other hardware-specific data)
  • Type of recovery: must know Apple ID/password, or must have non-expired authentication token

The continued amalgamation of cloud technologies into all aspects of our daily lives and the technologies we use creates business opportunities, security and privacy risks, and investigative challenges. This study examines the extent to which data acquisition from Windows Phone, a common cloud-of-thing device, is supported by three popular mobile forensics tools. The effect of device settings modification (i.e. enabling screen lock and device reset operations) and alternative acquisition processes (i.e. individual and combined acquisition) on the extraction results are also examined. Our results show that current mobile forensic tool support for Windows Phone 8 remains limited. The results also showed that logical acquisition support was more complete in comparison to physical acquisition support. In one example, the tool was able to complete a physical acquisition of a Nokia Lumia 625, but its deleted contacts and SMSs could not be recovered/extracted. In addition we found that separate acquisition is needed for device removable media to maximize acquisition results, particularly when trying to recover deleted data. Furthermore, enabling flight-mode and disabling location services are highly recommended to eliminate the potential for data alteration during the acquisition process. These results should provide practitioners with an overview of the current capability of mobile forensic tools and the challenges in successfully extracting evidence from the Windows phone platform.

BlackBerry maker Research In Motion (RIM) is turning its eyes to the cloud in 2011, and plans to launch a revamped BlackBerry Enterprise Server (BES) architecture that enables management from the cloud.adding that RIM is also adding significant scaling improvements to enable BES in the cloud.

The cloud-based BES will also feature deployment options that can support both cloud and on-premise e-mail and applications, and an open messaging interface lets new BES variants be created by third-party partners.

As part of its cloud strategy, the smartphone maker is also planning to launch Cloud-based Mobile Device Management for BlackBerry, an opt-in service for SMBs and small groups that will let users and admins manage BlackBerry smartphones via the cloud through a Web-based console.
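
The answer above notes that iTunes leaves plain or password-protected local backups on every computer a device syncs with, and that the protection status decides how much can be extracted. The following triage sketch is an added example, not part of the original answer: it walks a working copy of a backup directory and reports, per backup folder, whether the manifest marks it as encrypted. The key names `IsEncrypted`, `WasPasscodeSet` and `Lockdown` are assumptions about the backup manifest layout, and the folder names and device values are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path


def triage_backups(root):
    """Summarise every <root>/<folder>/Manifest.plist; files are opened read-only."""
    results = []
    for manifest in sorted(Path(root).glob("*/Manifest.plist")):
        entry = {"folder": manifest.parent.name, "error": None}
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)
            lockdown = data.get("Lockdown", {})  # assumed key layout, see lead-in
            entry.update(
                encrypted=bool(data.get("IsEncrypted", False)),
                passcode_set=data.get("WasPasscodeSet"),
                device_name=lockdown.get("DeviceName"),
                ios_version=lockdown.get("ProductVersion"),
            )
        except Exception as exc:  # damaged manifest: record it and keep going
            entry["error"] = f"{type(exc).__name__}: {exc}"
        results.append(entry)
    return results


def build_sample_root():
    """Constructed sample data: two fake backup folders and one corrupt manifest."""
    root = Path(tempfile.mkdtemp(prefix="backup_triage_"))
    samples = {
        "SAMPLE-UDID-PLAIN": {"IsEncrypted": False, "WasPasscodeSet": True,
                              "Lockdown": {"DeviceName": "Test iPhone A", "ProductVersion": "10.3.3"}},
        "SAMPLE-UDID-ENCRYPTED": {"IsEncrypted": True, "WasPasscodeSet": True,
                                  "Lockdown": {"DeviceName": "Test iPhone B", "ProductVersion": "9.3.5"}},
    }
    for name, manifest in samples.items():
        (root / name).mkdir()
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    (root / "SAMPLE-UDID-CORRUPT").mkdir()
    (root / "SAMPLE-UDID-CORRUPT" / "Manifest.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    for row in triage_backups(build_sample_root()):
        print(row)
```

Run it against a verified copy of the evidence rather than the original directory, so that the examination itself does not touch access times on the source.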
