34_200810-iss-prg-oxygen.pdf
TRANSCRIPT
-
7/28/2019 34_200810-ISS-PRG-OXYGEN.pdf
1/10
Mobile forensic analysis for smartphones
(C) Oxygen Software, 2000-2008 http://www.oxygen-forensic.com
ISS World Europe 2008
-
Purposes of phone forensics
• Extracting complete and unaltered information from cell phones, smartphones, PDA etc.
• Analyzing extracted information and finding evidence.
• Preparing forensic reports that can be presented in a court.
• Proving data authenticity.
-
Smartphones market growth
Source: Canalys estimates, © canalys.com ltd, 2008
-
Cell phones evolution

8 years ago: Nokia 5667
• Phonebook
• Speed dials
• Calls history
• SMS messages
• Monophonic melodies
• General phone information

Nowadays: modern smartphone
• Phonebook
• Calendar
• Tasks
• Notes
• Caller groups
• Speed dials
• Event log
• Profiles
• Gallery files
• Java applications and games
• Multiple contact fields of the same type
• Personal settings for contacts
• Messages
• Message folders
• General phone information
• LifeBlog
• GPS
-
Communication protocols evolution

AT=
• Contacts (simple), calls, SMS, files, settings
• Very slow
• Depends on implementation
• Developed for synchronization

Nokia FBUS
• Almost all information
• Undocumented
• Not for smartphones
• Depends on implementation
• Developed for synchronization

OBEX
• Contacts, calendar, files
• Depends on implementation
• Developed for files and objects exchange

SyncML
• Contacts, organizer, settings, messages
• Developed for synchronization
-
Smartphones and standard protocols

The striking discrepancy between data extracted by standard logical forensic tools and protocols and data which is stored in the devices and can be used for forensic investigations is quite obvious.

[Diagram labels: Phonebook, Calendar, Tasks, Notes, Caller groups, Speed dials, Event log, Profiles, Gallery files, Java applications and games, Multiple contact fields of the same type, Personal settings for contacts, Messages, Custom message folders, Standard message folders, General phone information, LifeBlog activity, Deleted messages information, Full memory dump]
-
How to extract information?

There are 3 ways to get forensic information from smartphones: logical analysis, physical analysis and using a special agent application working inside the smartphone OS.

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed

Analysis using Agent application
• Most of the information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed

Logical analysis
• Very little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
-
Agent application usage

We at Oxygen Software use an agent application approach. The Agent works inside a smartphone, has access to all device APIs and implements a custom communication protocol to extract almost all forensic information needed.

[Diagram labels: Phonebook, Calendar, Tasks, Notes, Caller groups, Speed dials, Event log, Profiles, Gallery files, Java applications and games, Multiple contact fields of the same type, Personal settings for contacts, Messages, Custom message folders, Standard message folders, General phone information, LifeBlog activity, Deleted messages information, Full memory dump]
-
Data authenticity and other concerns

Does putting agent into smartphone change its information?
No. Smartphones have different memory areas for data and applications.

Is there another way to extract full information from smartphones?
Yes, with restrictions: physical analysis.

What information can be extracted by agent application?
All the information available for native OS applications.

What information cannot be extracted by agent application?
Memory dumps and protected system files; usually this information is scarcely useful for forensic analysis.

What are the main advantages of using agent application approach?
Extracting complete information and presenting it in a structured and easy to analyze way. All this using standard cables/adapters and at an affordable price.

Is agent application able to read deleted information?
If this information is stored by the operating system, yes. For example, Oxygen Forensic Suite reads information about SMS messages recently deleted from phone memory.
-
Oxygen Software
Feodosiyskaya st. 1, Moscow,
11`21, Russia
Phones:+1 R/`` 9-YGEN RSA
+44 020 /133 /40 RK
+`-49-222-92`/ Russia
www.oxygensoftware.com
www.oxygen-forensic.com
Interested in more details?