Defence Industry Reports – Innovations in Forensic Technology for Mobile Device Examination


SPECIAL REPORT

Innovations in Forensic Technology for Mobile Device Examination

• Innovations in Forensic Technology for Mobile Device Examination
• The Battle to Access the Phone in Your Pocket
• Privacy Versus Societal Protection and Digital Forensic Investigation
• A Sound Forensic Investigative Process
• The Global Market for Digital Forensics Rises
• The Future of Digital Forensic Technology

Published by Global Business Media




SPECIAL REPORT: INNOVATIONS IN FORENSIC TECHNOLOGY FOR MOBILE DEVICE EXAMINATION


Contents

Foreword
Mary Dub, Editor

Innovations in Forensic Technology for Mobile Device Examination
Micro Systemation AB
• Introduction
• Mobiles in the Military Context
• The Challenges
• Solutions
• PinPoint
• XAMN
• Conclusion

The Battle to Access the Phone in Your Pocket
Mary Dub, Editor
• Digital Forensic Evidence and Hybrid Warfare
• 21st Century Mobile Computing
• The Value of Evidence Drawn From Mobile Computing Devices
• The Right to Track Individuals and Gather Data

Privacy Versus Societal Protection and Digital Forensic Investigation
Mary Dub, Editor
• Legal and Ethical Restraints on Forensic Investigation to Mobile Phones
• The United Kingdom’s Data Retention and Investigatory Powers (Drip) Law 2014
• Edward Snowden and the Debate About the Abuse of Surveillance and Investigatory Powers of the Security Agencies
• Why the Protection of Privacy is Important

A Sound Forensic Investigative Process
Don McBarnet, Defence Technology Writer
• Forensic Investigation
• Useful Criteria in Assessing Forensic Investigation Technologies

The Global Market for Digital Forensics Rises
Don McBarnet, Defence Technology Writer
• Challenges to the Market
• British Police Market for Digital Forensic Technology

The Future of Digital Forensic Technology
Mary Dub, Editor
• Cyber Security and Concealment
• The Risk of Remote Deletion
• The Prevention of Remote Deletion or Interference
• The Use of Mobile Phone Remotely Without Knowledge of the Owner
• Remote Listening

References

Global Business Media Limited
62 The Street, Ashtead, Surrey KT21 1AT, United Kingdom
Switchboard: +44 (0)1737 850 939
Fax: +44 (0)1737 851 952
Email: info@globalbusinessmedia.org
Website: www.globalbusinessmedia.org

Publisher: Kevin Bell
Business Development Director: Marie-Anne Brooks
Editor: Mary Dub
Senior Project Manager: Steve Banks
Advertising Executives: Michael McCarthy, Abigail Coombes
Production Manager: Paul Davies

For further information visit: www.globalbusinessmedia.org

The opinions and views expressed in the editorial content in this publication are those of the authors alone and do not necessarily represent the views of any organisation with which they may be associated. Material in advertisements and promotional features may be considered to represent the views of the advertisers and promoters. The views and opinions expressed in this publication do not necessarily express the views of the Publishers or the Editor. While every care has been taken in the preparation of this publication, neither the Publishers nor the Editor are responsible for such opinions and views or for any inaccuracies in the articles.

© 2015. The entire contents of this publication are protected by copyright. Full details are available from the Publishers. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical photocopying, recording or otherwise, without the prior permission of the copyright owner.


Foreword

The mobile computing market, providing smartphones to millions of people throughout the world, is a fast growing technology intensive global market. Digital forensic investigation technology has developed in parallel to the growth of the mobile computing market, facilitating law enforcement, intelligence and security services to access data stored on phones to use as evidence.

The opening article in this Special Report looks at innovations in forensic technology for mobile device examination and, in particular, how data stored in such devices can be extracted and reconstructed as an intelligence gathering tool for defence operations. With good mobile coverage now available in large areas of the globe, fighters are now carrying their mobile phones into war. The recovery of a mobile device from such parties can yield vital intelligence, which can be exploited to detect, disrupt and deter the activities of both terrorists and traditional military opponents. However, because of the wide diversity of manufacturers, components and the way in which security protocols are enabled, recovering data from mobile devices can be a difficult task.

The second article is an examination of how 21st century warfare, now called hybrid warfare, uses mobile computers in all their diversity to prevail on the modern battlefield. This new development heightens the importance of forensic digital investigation to reveal intention, activity and location of conflict.

While the growth of mobile computing has grown exponentially, so has government surveillance of that data and meta data, with the result that the political and ethical debate about the privacy of the individual versus societal protection has become more vociferous. This ethical debate matters to investigators because it puts down parameters for their operation and demands a clear methodology for their investigations.

Like the consumer market for mobile computers, the global market for digital forensic devices is buoyant and growing, reflecting the intention of governments and the security services to have the best available software and products at their disposal.

In the future, while the threat of domestic and international terrorism remains at a moderately high level, security services will continue to remain well funded in the West and the Middle East. But the challenge of providing admissible and accurate evidence from the data obtained from the myriad of different mobile devices will continue to keep this determined and rigorous industry in a growing and robust state.

Mary Dub
Editor

Mary Dub has reported on international security in the United States, Europe, Africa and the Middle East as a television broadcaster and journalist and has a Masters degree in War Studies from King’s College, London.


Innovations in Forensic Technology for Mobile Device Examination

Micro Systemation AB

Introduction

Mobile phones are an essential part of modern-day communication. They have become the world’s most popular and widespread form of personal technology. With 7.2 billion mobile connections globally, there are now more mobile devices in the world than there are people (GSMA Intelligence). Mobile has had a profound impact on all aspects of life, and the mobile internet is bringing the next wave of growth and impact with the advent of the smartphone. Where mobiles take over, the defence industry must respond to their use and deployment in order to gather critical intelligence unavailable from other data sources.

Whilst the advance of the mobile is generally a force for good, like many other tools it can be misused. Mobile technology leaves traces, like digital footprints, and these can reveal valuable enemy information. For those in the defence community, the data residing inside a mobile device from enemy combatants can be an essential source of intelligence. Whether it is the simple contact list in the mobile device, recent instant messaging exchanges via an app, the use of maps for navigation with built-in GPS or even the pictures and video contained within the mobile device showing recent activity, the mobile is a goldmine of intelligence information.

In the past decade digital evidence from mobile forensics in criminal court proceedings has aided in convicting dozens of murderers, thanks to data recovered from their mobile phones and those of their victims. In the intelligence community there is no doubt that hundreds of lives have been saved by the effective use of this technology, albeit such use by its very nature is hardly ever publicized.

The goal of this editorial is to describe recent innovations for extracting and reconstructing data stored in the memory of mobile devices and, in particular, their value as an intelligence gathering tool for defence operations. There is a critical need to develop an understanding of this new world, so that defence agencies can respond effectively to terrorism and wider global security requirements in the most effective manner. Such activities require experienced professionals with the skills and ability to exploit data in the cyber security arena, alongside all the other skills required of military professionals.

[Figure: The mobile as a trigger mechanism for an explosive device]

Mobiles in the Military Context

It is not hard to envisage how the bad guys can misuse technology for their own purposes. Mobile devices are used as a communication tool between terrorist groups, as a mechanism to record propaganda videos and even as the trigger mechanisms for IEDs. Armed with a mobile device, insurgents can film, edit, and upload their own attacks within minutes of staging them to maximize publicity for their cause. When enemy media labs have been captured, some of the material found there has been an invaluable source of intelligence. The propaganda videos are usually carefully edited and out-takes often provide clues as to where, when and by whom the video was taken, as well as offering an opportunity for hilarity when deleted scenes are recovered that show the mistakes made by the players in the video. (YouTube War: Fighting In A World Of Cameras In Every Cell Phone And Photoshop On Every Computer)

[Figure: Armed with a gun and a mobile]

Meanwhile mobiles have also become the trigger mechanism of choice on bombs for many groups around the world who lack dedicated radio communications. The remotely operated roadside bomb triggered via a mobile phone has, without doubt, been one of the deadliest weapons in recent insurgent conflict scenarios in Iraq and Afghanistan.

Even in conventional military scenarios, it is common today for regular soldiers to carry their cell phones into war. Large areas of the globe have good cellular phone coverage, and fighters are constantly checking their phones. As they enter an area with a strong mobile signal, they commence texting back and forth, speaking to loved ones and taking ‘selfies’ in the field. How many of those images have vital embedded geolocation data? (Selfie-addicted Russian soldier caught in Ukrainian territory by Instagram geo-tagging)

The recovery then, of a mobile device from such parties usually leads to the recovery of vital intelligence which can be exploited to detect, disrupt and deter the activities of both terrorists and traditional military opponents.

Common terms used to describe such activity are CELLEX (Cellular Exploitation), MEDEX (Media Exploitation) or DOMEX (Document & Media Exploitation). CELLEX according to the US Army is defined as “the exploitation of cell phone files such as phone and subscriber identity module (SIM) card models, phone records, short message service (SMS) messages, and pictures”. Whilst MEDEX is defined as “the extraction and exploitation of digital and analogue intelligence data using forensically sound techniques and equipment from captured material”.

[Figure: Example of CELLEX solution]

The Challenges

There are many. It would be wonderful if it were easy, but the reality of mobile data recovery is that it is complex, variable and fraught with problems that make it challenging to compare the various solutions available to military commanders. To state the obvious, you can’t expect soldiers to carry a complete digital forensic laboratory wherever they go in enemy territory, so whatever the situation encountered, the tools need to be lightweight, portable, flexible and rugged for use in the field. Equally though, they need to be sufficient to deal with all the variable scenarios that are likely to be encountered.

It depends…

Unlike computers that share standard operating systems like Windows and Mac OS, there are literally thousands of operating systems embedded into mobile devices and many of them are unique to a particular handset. Even for modern smartphones sharing common platforms like Android, iOS and Windows Phone, the variability of manufacturers and components, and the way in which security protocols are enabled, mean that very often the answer to a simple question like “Can you get data off this phone?” is a rather frustrating “It depends…”

The types of devices commonly found in recent conflict zones in Iraq and Afghanistan tend to be cheaper feature phones, and very often they are imitation copies of well-known brands made by small-scale back room manufacturers in Asia. This means, for example, that the Nokia phone you think you just recovered from an insurgent base may in fact be a NOKLIA China clone phone which works in a totally different way to the device you expected. These ‘clone’ devices often have randomly wired data connection ports that are not documented anywhere. Such devices are frequently made in small batches and lack any standards by which others can reliably build tools to reverse engineer them. So the CELLEX solutions must be intuitive and clever enough to work out which comm ports are which during the process.

Then there is the challenge of security locks and encryption mechanisms, which are designed to help the average user, but hinder defence agencies when the bad guy is the owner of the mobile device. These encryption mechanisms have proven to be the stumbling block for many in the world of mobile forensics and require an intelligent technology solution that has the capabilities to bypass or defeat these security mechanisms and evolve to new techniques.

Then there is deleted data. Typically, whilst recovery of deleted data from a mobile device is possible, the procedures to achieve this are usually more complex, take longer and require greater post analysis to reconstruct: another factor to consider when selecting the correct solution.

Finally, there are the apps. Just when you have conquered a particular mobile device, along come the smartphone apps, which are in a process of constant evolution, developing even faster than the mobile handsets on which they sit. If the bad guy is using WhatsApp and his phone has automatically updated it to the latest version with a new encryption algorithm, and your CELLEX solution was built and tested for a version released just 3 months ago, then suddenly the data you expected to recover may no longer be recoverable. There is a constant and never-ending battle to keep up to date with the latest devices, security and apps in the CELLEX industry, and you need to be sure your supplier can be relied upon to keep you ahead.

Solutions

Now that you understand the potential challenges, it is much easier to set about identifying a suitable solution that deals with all of these issues in the best possible way, and to set selection criteria by which to measure the performance of a tool.

The current solution of choice for many elite military forces around the world today is XRY. This tool is manufactured by MSAB (www.msab.com), and the latest iteration of XRY, released in March 2015, supported in excess of 14,000 different mobile device profiles and smartphone apps to help in the recovery of live and deleted data, alongside bypassing many handset security protection mechanisms and tackling non-standard devices.

Extract from three devices simultaneously

XRY is a good example of an intelligent mobile forensic tool which gives operators quick and easy access to a mobile device and the data contents. Speed of data recovery is an essential requirement in this environment; the last thing you want to see on a computer screen is that an extraction process will take the next 6 hours, when there are bullets flying overhead. One of the unique features in XRY is the ability to recover data from three different mobile devices at the same time. With just one standard laptop, if you have enough available USB ports, it is possible to recover the data from three different mobile phones all at once to speed up the recovery process.

Designed with CELLEX in mind, XRY is able to extract data that can be relied upon for making intelligence assessments quickly and reliably. It is powered by a software-based solution, which gives it the flexibility to be delivered in a number of different hardware form factors to suit different operational needs, from a traditional desktop computer, through to a laptop or even a small ruggedized handheld tablet if required, for more covert operations.


PinPoint

PinPoint is a complementary tool for XRY designed specifically to tackle the non-standard mobile devices discussed earlier. In the majority of cases these mobiles tend to rely on chipsets from Asian manufacturers such as MTK, Spreadtrum, Infineon and Coolsand. PinPoint is a smart lightweight cable solution that can actually detect the correct pin outs on the communications port of a mobile device to make a connection for XRY to then recover the data. The kit includes an interface cable, power clips and replaceable tips which are used to establish that essential connection to the device. One of the powerful advantages of PinPoint is that the intelligence is in the software and not embedded in the hardware, which brings two benefits: it can be frequently updated to ensure you have the very latest available solutions in the field, and the actual hardware to be carried around is minimal.

[Figure: PinPoint from MSAB, designed to tackle non-standard mobile devices]

[Figure: PinPoint cable and tips]

XAMN

Once you have the data, the next thing to do is make sense of it, because it’s never just about capturing the data. Without analysis in real time to ensure you understand what the data means, the advantage risks being lost. If you have just targeted an enemy base and recovered a group of mobile devices from suspected insurgents, then establishing who is talking to whom and who is giving the orders is vital. XAMN is yet another complementary tool in the armoury designed to do just that for CELLEX operatives. XAMN can give operators a rapid visual overview of the Links, Timelines, Geographic Locations & Conversations of up to 50 different mobile devices recovered by XRY and shows these connections visually in seconds, on the same computer running the XRY extraction tool.

[Figure: XAMN analytics software from MSAB]

Conclusion

Our aim is to educate the reader that there is vital intelligence material to be gathered from mobile phones and, because the technology is changing all the time, it is important to stay abreast of these developments. When looking for a solution to assist your operations, we recommend that you consider the following factors:

• Portability – there’s no point in having a great technical solution if it means carrying around a huge lab and a dozen black boxes to ensure you have all the tools required. Your solution needs to be compact and lightweight and flexible.
• Speed – if you have a tool that takes many hours to extract data in the field then it is effectively risking lives. Seek a solution that has the fastest possible download times. A solution that can extract from multiple devices simultaneously will speed up your operations.
• Scope – there are literally thousands of mobile devices in the world, so a solution that is just brilliant on an iPhone but nothing else is a non-starter. Similarly, if the tool can’t get back any deleted data then you are probably missing essential intelligence.
• Analysing – knowing the links between the combatants is a vital advantage to military specialists in the field. If you have several devices to review then visualizing the links between each of these devices quickly can be a crucial aid to real time decision making.
• Training – investing huge resources in the technology alone without considering the needs of the user is a common failing. Don’t forget the human factor: it’s as important to invest in training for the user as it is to have the best equipment in the field.
• Frequent Updates – with new phones being released every day, any solution you consider must offer regular updates to ensure you can access the latest data and overcome the latest forms of security and encryption.



In conclusion choose your tool wisely and always undergo an evaluation process to ensure you have the best possible solution. By following similar guidance several military units around the world now benefit from the power of XRY to help them achieve their CELLEX operational requirements in the fastest and safest possible manner. If you would like help in selecting the correct products for your operational needs, then please contact us.


Contact Micro Systemation AB (Sweden) – Head Office Visiting Address: Hornsbruksgatan 28 SE-117 34 Stockholm Sweden Phone: +46 8739 0270 Fax: +46 8730 0170 https://www.msab.com/ Mailing Address: Box 17111 SE-104 62 Stockholm Sweden

References

• www.msab.com
• http://www.theatlantic.com/technology/archive/2012/12/the-cell-phone-in-war/265903/#.UL9Zlef70HU.wordpress
• http://www.wired.com/2010/11/could-a-cell-phone-call-from-yemen-blow-up-a-plane/
• http://www.dtic.mil/dtic/tr/fulltext/u2/a510207.pdf
• https://www.techdirt.com/articles/20080506/1156311045.shtml
• http://www.theguardian.com/commentisfree/2014/aug/01/russian-soldier-alexander-sotkin-instagram-ukraine-selfies
• http://arstechnica.com/tech-policy/2014/08/opposite-of-opsec-russian-soldier-posts-selfies-from-inside-ukraine/


The Battle to Access the Phone in Your Pocket

Mary Dub, Editor

It is perhaps only when you lose your mobile phone[1] that the full reality of the quantity and type of information about your life that is recorded on it hits home. And with regular improvements in mobile phone capability, the amount and quality of that information grows exponentially. In the last 30 years, the civilian and military services have used access to this data to provide evidence for criminal, civilian and intelligence inquiries. In 21st century ‘hybrid warfare’, that is warfare that is covert, between non-state actors, with the widespread use of computers among potential criminal/paramilitary networks, access to data used by the enemy is vital to provide evidence for the courts or military intelligence. Retired US Marine General James Mattis highlights the features of this type of warfare:

“In hybrid wars we can expect to simultaneously deal with the fall out of a failed state that owned but lost control of some biological agents or missiles, while combating an ethnically motivated paramilitary force, and a set of radical terrorists who have now been displaced. We may face remnants of the fielded army of a rogue state in future wars, and they may employ conventional weapons in very novel or non-traditional ways. We can also expect to face unorthodox attacks or random acts of violence by sympathetic groups of nonstate actors against our critical infrastructure or our transportation networks. We may also see other forms of economic war or crippling forms of computer network attacks against military or financial targets.”[2]

Digital Forensic Evidence and Hybrid Warfare

There are several significant points to highlight here. The first is the central role of computers and computer networks that determine what activity is taking place and, if tracked, can lead to the perpetrators of violence. Second, the paramilitaries, terrorists, and sympathetic groups are part of a civilian society. This gives them rights not conferred on soldiers. In many cases the traditional distinction between civilians and soldiers, or potential terrorists, has been, and is, breaking down in 21st century warfare[3]. The recent convert to a radical form of Islam may be a harmless citizen practising his religion freely, or a potential terrorist. The implication of this for forensic investigation of computer data and mobile phones is that the privacy protection afforded under law to civilians is offered also to potential intending terrorists, criminals or paramilitaries. This complicates access to phone data and the way that data must be investigated and handled.

21st Century Mobile Computing

The data held on a mobile phone is worth listing, even if, for most phone users, it is taken for granted, because once the data is used as potential forensic evidence to notate activity, location, and intent it becomes highly revealing. Eoghan Casey in his book Digital Evidence and Computer Crime[4] describes them. While mobile devices such as cell phones and smart phones are integral to many people’s lives, they are and can be used to facilitate criminal activity or otherwise be involved when crimes occur, and much terrorist activity is a crime. These handheld devices contain personal information including call history, text messages, e-mails, digital photographs, videos, calendar items, memos, address books, passwords, and credit card numbers. The devices can be used to communicate, exchange photographs, connect to social networks, blog, take notes, record and consume video and audio, sketch, access the Internet, and much more.

As the technology has developed, higher data transmission rates are allowing individuals to transfer more data, like digital video. The computing power in these devices is equivalent to that in a laptop. But because of their small size they are taken everywhere. Many phones contain locators that can be used to determine a person’s whereabouts at any particular time.

The Value of Evidence Drawn From Mobile Computing Devices

The value of mobile phone data in providing material for criminal prosecutions is familiar. Evidence has been provided for homicide and other serious cases.[5] But focussing specifically on the military intelligence applications of handset data, many mobile phones are used by terrorists for reconnaissance and coordination; criminal organisations and gangs use mobile devices to coordinate activities and share information, even when they are in prison. So the data from these handsets can be used to provide evidence or to track a person of interest to the security services.

[Figure: Homemade pipebomb with mobile trigger]

The Right to Track Individuals and Gather Data

Since 9/11, in the United States very extensive rights have been granted to the security services to monitor data to protect Americans against further attack under the Patriot Act within the provisions of the Foreign Intelligence Surveillance Act (FISA). As Dianne Feinstein, the Democratic chairwoman of the Senate intelligence committee said, “People want the homeland kept safe”.[6]



Privacy Versus Societal Protection and Digital Forensic Investigation

Mary Dub, Editor

“Well my iPhone is locked, so is the tablet in my pack, and I know my rights, so you gon’ need a warrant for that. That, is the upshot of the Supreme Court’s unanimous ruling today in Riley v. California, which holds that police must get a judge’s approval before rummaging through the cell phones of people they arrest — closing a potentially massive loophole in the Fourth Amendment’s protection against unreasonable searches and seizures.”[7]
The Cato Institute 2014 Report on Riley v California


The forensic investigation of mobile phones or computer data is a highly controversial and contested area of United States Federal and State Law. Similarly in the United Kingdom, civil liberties groups have sought, and are seeking, to defend privacy rights against new national security provisions. The hottest area of contention is the access to telephone call content and metadata, as well as computer records. There is an added layer of complexity given a recent ruling of the European Court of Justice on access to citizens’ data. Why is this important? First, the role of this legislation is central to the way that investigators can access data on mobile devices in these countries for detection of criminal or terrorism purposes. Secondly, this legislation dictates the methodology of investigation and how the data must be accessed and prepared to be admissible in a court of law in the United States or, conversely, at least not open to a legal challenge.

Legal and Ethical Restraints on Forensic Investigation to Mobile Phones

Unravelling the legal complexity in the United States around the investigation of phone and computer records is a minefield for a writer unschooled in law. But perhaps over-simplistically, the protection of the privacy of the individual began with the historical establishment of the Fourth Amendment to the American Constitution. This is important for investigators because it prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. This right has been limited by the Patriot Act of 2001 introduced by George W Bush in the wake of the 9/11 attacks. Its intention is to provide the appropriate tools to intercept and obstruct terrorism. In 2011 Barack Obama signed the Patriot Sunsets Extension Act of 2011, which permitted roving wiretaps, searches of business records and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups. The activities of the National Security Agency are overseen by the Foreign Intelligence court, which is established and monitored by Congress.

The United Kingdom’s Data Retention and Investigatory Powers (Drip) Law 2014

As a member of the European Union, the United Kingdom is under the jurisdiction of the European Court of Justice. Two important rights at the European Union (EU) level are the right to privacy and the right to personal data protection, which are two distinct, fundamental human rights protected by the Treaty on European Union and the Charter of Fundamental Freedoms, as well as by the legal systems of the twenty-eight EU Members. The Treaty on European Union states that every individual has the right to the protection of his/her personal data.[8] So, to protect the powers of the security services, the British Coalition government rushed[9] through the current Data Retention and Investigatory Powers (DRIP) law (2014). This gives much wider powers to legal entities and the government to ask for access to data and metadata from the providers of electronic communications services. This new law places the balance between the rights to privacy of the individual versus societal protection firmly on the side of protection.[10] Theresa May, the British Home Secretary, told the House of Commons: “Without this legislation, we face the very real prospect of losing access to this data overnight, with the consequence that police investigations would suddenly go dark and criminals would escape justice.” David Cameron, the Prime Minister, said: “I am simply not prepared to be a Prime Minister who has to address the people after a terrorist incident and explain that I could have done more to prevent it.”[11]

Edward Snowden and the Debate About the Abuse of Surveillance and Investigatory Powers of the Security Agencies

The United States and the United Kingdom have a so-called ‘special relationship’ linked to a shared language, shared alliances and many shared values. However, there is one area where this increasingly undervalued relationship has great resonance, and that is in shared national security intelligence and computer data. Because of national security secrecy laws, few in Britain or the United States can know the full extent of this hand-in-glove relationship and what it means for day-to-day surveillance of internet communications data and content. However, in 2013, Edward Snowden, a contractor working at the National Security Agency in the United States, released through the New York Times and the Guardian a wide-ranging series of documents that revealed the extent of unconstrained surveillance of the internet by the security agencies and the frequent and widespread use of data from communications services. As a result of this revelation, Edward Snowden had to flee the United States to Russia and has been accused of espionage. Standing beside Snowden on the privacy side of the debate, civil liberties campaigners are seeking to protect the individual and his or her right to private communications.

[Photo caption: US Marines in the desert by an outpost]

Why the Protection of Privacy is Important

The nub of the privacy argument is that the society that the security agencies are seeking to protect by intrusion is undermined and even destroyed by that very intrusion. There needs, of course, to be a balance between the right of privacy and the delivery of societal protection. And in a just society, some loss of privacy must be afforded for protection. The question, of course, is how much? This whole ethical debate underpins any investigation of phones or computer data.



A Sound Forensic Investigative Process

Don McBarnet, Defence Technology Writer


In the military or civil investigation of a mobile phone and its data and/or metadata, the methods of approaching the task are bedevilled by procedures and technological constraints. In a report on Cell Phone Forensic Tools, Rick Ayers and others draw a clear distinction between the logical and physical acquisition of material. Physical acquisition implies a bit-by-bit copy of an entire physical store, for example a disk drive or RAM store, while logical acquisition implies a bit-by-bit copy of logical storage objects, like files and directories. The difference lies in the distinction between memory as a logical process seen through the operating system facilities versus a physical view of memory as seen by the processor and other hardware components. In general, Ayers claims, physical acquisition is preferable, since it allows any data remnants present to be examined, which otherwise would go unaccounted for in a logical acquisition. Furthermore, physical device images are generally more easily imported into another tool for examination and reporting. On the other hand, logical acquisition provides a more comprehensible organization of the information acquired.[12]

Forensic Investigation

The term forensic investigation implies that the evidence produced by the process of investigation will be used in a court of law. It is a truism that each country in which this is the case will have different laws on admissible evidence. Data that is being taken for the investigation of potential terrorist offences is also subject to the rule of law. Computer forensics investigation involves the identification, preservation, extraction, documentation, and analysis of data.


Investigators need to follow clear, well-defined methodologies that can be adapted for specific situations. A copy of the acquired digital media needs to be prepared while retaining the integrity of the original. After the recovered material has been examined and assessed, it must be documented. The compact size, range of operating systems, battery power and the combination of both volatile and non-volatile memory systems make mobile phones, smart phones and other devices, like tablets, harder to assess.
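The distinction Ayers draws between physical and logical acquisition, and the requirement above to copy the media while retaining the integrity of the original, can be shown on a toy store. The following is an added example, not code from the report or from any forensic product; the 32-byte block layout, the sample records and all function names are constructed for illustration.

```python
import hashlib
import io

BLOCK = 32  # bytes per block in this constructed toy store (not a real flash layout)

# Constructed sample records: (name, payload, live?). The third was "deleted":
# its directory entry is gone but its bytes are still present in the store.
RECORDS = [
    ("sms_001", b"SMS:meet at 9", True),
    ("contact_001", b"CONTACT:Alice 555-0100", True),
    ("sms_002", b"SMS:delete this later", False),
]

def build_store():
    """Return (raw bytes of the store, directory of live objects)."""
    raw = b"".join(p.ljust(BLOCK, b"\x00") for _, p, _ in RECORDS)
    directory = {n: (i, len(p)) for i, (n, p, live) in enumerate(RECORDS) if live}
    return raw, directory

def open_device(raw):
    """Hypothetical stand-in for opening the device's raw store read-only."""
    return io.BytesIO(raw)

def physical_acquire(device, chunk=16):
    """Bit-by-bit copy of the entire store, hashed while it is read."""
    digest, image = hashlib.sha256(), bytearray()
    while buf := device.read(chunk):
        digest.update(buf)
        image += buf
    return bytes(image), digest.hexdigest()

def logical_acquire(raw, directory):
    """Copy only the objects the directory exposes, with a per-object hash."""
    out = {}
    for name, (block, length) in directory.items():
        data = raw[block * BLOCK: block * BLOCK + length]
        out[name] = (data, hashlib.sha256(data).hexdigest())
    return out

def verify(image, recorded_digest):
    """Re-hash a working copy and compare with the digest logged at acquisition."""
    return hashlib.sha256(image).hexdigest() == recorded_digest

def carve(image, marker):
    """Scan every block of a physical image, allocated or not, for a marker."""
    blocks = (image[i:i + BLOCK] for i in range(0, len(image), BLOCK))
    return [b.rstrip(b"\x00") for b in blocks if b.startswith(marker)]

if __name__ == "__main__":
    raw, directory = build_store()
    image, digest = physical_acquire(open_device(raw))
    print("image sha256:", digest, "verified:", verify(image, digest))
    print("logical objects:", sorted(logical_acquire(raw, directory)))
    print("SMS carved from image:", carve(image, b"SMS:"))
```

The logical acquisition returns only the two live objects, while the physical image still contains the deleted message as a data remnant; re-hashing the working copy against the logged digest is what makes the process repeatable and any later alteration detectable.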

Useful Criteria in Assessing Forensic Investigation Technologies

Although the list of criteria that Ayers offers may now appear slightly dated in the face of the frequent and regular changes in the mobile phone and mobile computing industry, it has value in stating broad principles. First, Ayers offers usability, or the ability to present data in a useful form. The tool also needs to be comprehensive in being able to access all the data available. For forensic use, accuracy is also important, as is the ability to replicate a process in several iterations. Quality, acceptance by industry and users and the support for its features are all vital. And in today’s market, affordability never ceases to be critical. Finally, the forensic process is at base an adversarial process, and evidence and its provenance will always be subject to challenge in court. The words of Aaron Philipp therefore offer a useful summary: “you will have every aspect of your technical competence and methods scrutinized to their very core. As such, it is imperative that you use a deterministic, repeatable process that is clear, concise and simple. Adherence to this process is the examiner’s greatest asset. Deviate from it, and your investigation will be for naught.”[13]



The Global Market for Digital Forensics Rises

Don McBarnet, Defence Technology Writer

A recent global market report for digital forensic products and services paints a buoyant picture of this expanding industry. Published by Industry ARC,[14] a summary of the results shows that the global digital forensics market had revenues of around $1.4bn in 2013 and is expected to grow at a CAGR (Compound Annual Growth Rate) of 10.5% during 2013 – 2018. A key driver is the penetration and increasing usage of mobile device-based work options. Increased cloud computing and computers in households in the Asia Pacific region are also seen as major drivers for the market. Although the American market is the most vigorous, worth around 65% of global market share, other countries are offering vigorous competition. The high and still rising market for mobile phones and smart phones across Europe, the Middle East and Africa all point to great potential in the use of investigative tools, as many devices are also used for fraudulent or illegal purposes, or were present at a potential crime scene. The widely reported trial[15] of the Paralympian Oscar Pistorius in Pretoria, South Africa, is a good example of the increasingly widespread use of digital device data.

[Photo caption: US soldier on patrol]

Challenges to the Market

While more and more people worldwide are using mobile phones combined with networked data, the range of phones available on the market to be investigated becomes ever more varied. This is one of the foremost challenges to the industry. An added layer of complexity is the constantly changing proprietary operating systems, software and closed development cycles. With increasingly high percentages of mobile phones being linked to cloud-based storage, the retrieval of files can become cumbersome. Investigators face literally tens of thousands of different types of phones and unique operating systems. This is a tough task. Nevertheless, the industry remains innovative and resilient, and is experiencing growth.

British Police Market for Digital Forensic Technology

The British police have been early adopters of digital forensic technology and use many of the available proprietary brands, including Micro Systemation. However, in a climate of economic austerity that is prevalent across much of Europe, police budgets have been cut and can expect to be constrained significantly in the short to medium term. As the British Chief Inspector of Constabulary[16] put it, austerity is set to continue. Forces need to move from surviving budget reductions to thriving in a world of sustained cost reduction. So spending in the British market for a valuable product will be there, but it will be constrained.


The Future of Digital Forensic Technology

Mary Dub, Editor


It is a brave crystal ball gazer who makes definite predictions about an energetic and competitive industry such as the mobile computing market. The mobile computing industry is invested in by some of the richest and most innovative companies in the world: Apple, Samsung and Microsoft, to mention just the big names. Each is capable of revolutionising the mobile computing market in a period of months. So the trend for an increasingly sophisticated and diverse market of mobile computers to investigate is set to continue. With the emergence of terrorist activity in many Western and Middle Eastern countries, the demand for protective access to phone records, metadata and other files may well increase. Spending on security budgets is frequently more protected from cuts than general policing costs, because the public outcry from the failure to prevent a terrorist event could potentially embarrass a government. More authoritarian governments will have fewer qualms about increasing the size of security budgets and equipment bills to pay for it.

Cyber Security and Concealment

While many forensic investigators are able to offer increasingly sophisticated software, cabling and access in their products, those wishing to conceal their data will without doubt be able to develop equally complex and encrypted systems to hide their information. Some criminals are aware of the risks associated with their use of mobile devices. To avoid detection, members of some criminal operations may use multiple SIM cards or prepaid mobile devices that are difficult to trace and inexpensive enough to be effectively disposed of after use, like a drug dealer’s burner.[17] After a SIM card or mobile device has been used for a prolonged period, criminals may attempt to destroy it to thwart data recovery. However, some useful information can be derived from damaged mobile devices or SIM cards. Ironically, and unfortunately for criminals, they are subject to human error and may overlook their own personal mobile devices, which may provide digital investigators with another insight into their activities.

The Risk of Remote Deletion

Eoghan Casey raises a valid issue that digital investigators are familiar with: mobile devices can and do connect to various networks via cellular towers, WiFi access points, and Bluetooth. The networked nature of mobile devices creates opportunities and dangers from a forensic standpoint. The connected networks themselves can generate useful information related to mobile devices. Conversely, they can also enable offenders to obliterate incriminating evidence on a device remotely. For instance, Apple provides a web-based service to remotely wipe a lost or stolen iPhone, and organizations that centrally manage BlackBerry devices can remotely wipe a specific device from BlackBerry Enterprise Server.

The Prevention of Remote Deletion or Interference

Some devices can be reconfigured to prevent communication with the network. Devices that do not have such a feature can be isolated from radio waves by placing them in Faraday isolation, such as radio frequency shielded evidence containers, which block network communications. Signal jamming systems provide another means for preventing mobile devices from communicating with a network, but this type of equipment is illegal in some jurisdictions. Network isolation practices must be maintained during forensic analysis, and this is achieved with shielded mobile phone examination rooms or extraction cases.

The Use of Mobile Phones Remotely Without the Knowledge of the Owner

Mobile phones can also provide a good deal of evidence even if they are not in the hands of the examiner. Since mobile phones are constantly communicating with their network by sending pings to the nearest tower, a phone’s location can be tracked to a degree by which tower it is receiving signal from. As a suspect moves, any calls they make can be tracked based on the handoffs that the towers make. Since a tower only covers a few square miles, the signal from a phone can actually be tracked within a few hundred yards. Phones with GPS are even easier to track when they are turned on because that feature can be accessed to find the location of the phone in real time.


Remote Listening

Another way security services can use mobile phones to get evidence is by eavesdropping on a suspect’s conversations. There are legal barriers that require a warrant before the phone tapping is done, and rules that restrict how the evidence must be obtained, but it is said to be one of the best methods. Mobile phones operate on radio frequencies that can be monitored by commonly available radio frequency scanners. One of these scanners is the SecPro Cell Interceptor. It is nondetectable, high performance, upgradeable, and can intercept and log multiple frequencies at once. It also has an RF triangulation locator that can pinpoint a signal’s source with almost GPS accuracy.[18] Forensics experts can also use mobile phones to get evidence by remotely installing a feature that allows investigators to turn the phone’s microphone on and transmit any audio picked up. This piece of software is invisible to the phone’s owner, but can even be used when the phone is off. In this way security services can listen in to a suspect’s conversations while they are in the vicinity of the phone. For the man or woman in the street the idea that someone could be listening to you speak, while your mobile phone is switched off, is deeply troubling.

The innovative capability of investigative digital forensic technology should not be underestimated. Advanced students of forensic investigation in India, Malaysia and the United States are placing their work on the Internet, and many new journals are reflecting on the development of this new and developing area of study. It is disquieting that the debate about the value of a citizen’s privacy becomes ever quieter, meanwhile the mobile phone in your pocket provides scant hiding place for those being tracked by the security services.

[Photo caption: Irish soldier on the phone]


References:

1. I am using the British term mobile phone as this article is published in Britain. Cell phone is the American term.
2. US Naval Institute Proceedings Magazine, Issue: November 2005, Vol. 132/11/1,233. Future Warfare: The Rise of Hybrid Wars. By Lieutenant General James N. Mattis, USMC, and Lieutenant Colonel Frank Hoffman, USMCR (Ret.). Remember General Krulak’s Three Block War? Are you ready for the Four Block War?
3. General Sir Rupert Smith, ‘war among the people’. https://www.icrc.org/eng/assets/files/other/irrc_864_interview_rupert_smith.pdf
4. Eoghan Casey and Benjamin Turnbull, Digital Evidence on Mobile Devices. Digital Evidence and Computer Crime, Third Edition, © 2011 Eoghan Casey. Published by Elsevier Inc.
5. Eoghan Casey and Benjamin Turnbull, Digital Evidence on Mobile Devices. Digital Evidence and Computer Crime, Third Edition, © 2011 Eoghan Casey. Published by Elsevier Inc.
6. Anger swells after NSA phone records court order revelations. http://www.theguardian.com/world/2013/jun/06/obama-administration-nsa-verizon-records
7. The Supreme Court Tells Cops to Back Off Your Cell Phone. By Julian Sanchez, The Daily Beast, June 25, 2014. http://www.cato.org/publications/commentary/supreme-court-tells-cops-back-cell-phone
8. ECJ ruling on data retention. http://www.loc.gov/law/help/eu-data-retention-directive/eu.php
9. The Data Retention and Investigatory Powers (Drip) law that went from announcement to enactment in eight days in 2014.
10. UK’s Drip law: cynical, misleading and an affront to democracy. Julia Powles, 18.07.2014. http://www.theguardian.com/technology/2014/jul/18/uk-drip-ripa-law-sceptical-misleading-democracy-martha-lane-fox
11. Patrick Wintour, Rowena Mason and James Ball, Thursday 10 July 2014 20.55 BST. http://www.theguardian.com/world/2014/jul/10/david-cameron-concessions-snooping-law-surveillance
12. Cell Phone Forensic Tools: An Overview and Analysis. Rick Ayers, Wayne Jansen, Nicolas Cilleros, Ronan Daniellou. Computer Security, October 2005. http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
13. Hacking Exposed Computer Forensics, Second Edition: Computer Forensics ... By Aaron Philipp, David Cowen, Chris Davis.
14. Global Digital Forensics Market – Global trends, Market Analysis, Competitive Landscape, Recent Developments, Value market, Forecasts to 2018. http://industryarc.com/Report/47/global-digital-forensics-market.html
15. Oscar Pistorius older brother may have deleted phone messages, book claims. Thursday 2 October 2014 17.19 BST. http://www.theguardian.com/world/2014/oct/02/oscar-pistorius-phoned-ex-girlfriend-book
16. HMIC Overview. State of Policing: The Annual Assessment of Policing in England and Wales 2013/2014. https://www.justiceinspectorates.gov.uk/hmic/wp-content/uploads/state-of-policing-13-14.pdf
17. Burners are throwaway prepaid cellphones, typically used by drug dealers. Burners are used until the minutes are up, then thrown away so they cannot be tapped.
18. Cell Phone Forensics. http://web.mst.edu/~mobildat/cell%20phone%20forensics/index.html
