"Mobile forensics" means the analysis of mobile devices such as cell phones, iPods, wireless communication systems, satellite phones, etc. These devices can potentially hold a large amount of information: consider the data stored on them and, in the case of cell phones, the data relating to the user's actions, such as radio-location.
The information recovered from mobile devices is therefore increasingly requested as evidence in judicial investigations, since these devices are often in the hands of people involved in criminal activity and since Italy tops all the rankings for penetration rate and number of mobile phones owned per user.
Mobile phone forensics:
The rapid development of mobile telephony means that mobile phones are becoming increasingly powerful tools with more functionality, hence the need to define a rigorous investigative methodology to refer to.
Since the UMTS (Universal Mobile Telecommunications System) terminal, the third-generation mobile technology that succeeds GSM and will soon supplant all other protocols, is a computer in every respect, procedures are being defined that are very similar to those adopted for computers, though with very different equipment and problems.
Introduction
A mobile phone is a dedicated system made up of a CPU, RAM, and a SIM or USIM (the equivalent of a SIM in the UMTS protocol).
With typical mobile phone technology, whether GSM, GPRS or UMTS, the subscriber's data is held not by the handset but by the SIM card (Subscriber Identity Module), a smart card to be inserted into the handset you want to use. It is associated with a serial number that the telephone operator's computer systems trace back to a customer of its mobile services. The SIM card, which can be removed from the phone, contains a chip with volatile and non-volatile memory.
The subscription is therefore tied to the SIM card and not to the handset. The persistent data that characterize the user are recorded by the mobile operator in read-only memory areas of the SIM, protected so as not to be accessible to ordinary users. They comprise the mobile subscriber's identity, the IMSI (International Mobile Subscriber Identity), the customer's authentication key "KI" (Key Identity), and the algorithms used for authentication and for encrypting the conversation. The fields that remain accessible to the user are those for entering the PIN (Personal Identification Number), which must be entered each time the device is switched on to enable use of the SIM, and the PUK (PIN Unblocking Key), used to unlock the card.
Dealing with phones means dealing not only with voice signals but increasingly with pictures, video, SMS, email, etc.
Analysis of the cell phone: isolation, cloning and moving
An active mobile phone poses several problems, both at the time of discovery and in the subsequent analysis:
· moving the device while it is connected to the telecommunications network almost certainly alters its content at the moment of the cell change
· the active device can continue to receive calls and messages, which can lead to further alterations (apart from the fact that these incoming items may or may not be useful from an investigative point of view).
The first thing to do when seizing a phone is to isolate it electromagnetically and, if this is not possible, to turn it off. Once it is shut down, you can make separate copies of the terminal's memory and of the SIM card and then proceed to analyze the data on a suitable workstation.
Investigative constraints
The discovery of mobile phones at the scene, and their subsequent forensic analysis in the laboratory, is a field of study that recently emerged as an offshoot of computer forensics and is now very much in vogue as a separate field because of the differences arising from the following factors:
· portability of the devices under analysis
· use of special interfaces, batteries and hardware foreign to computers and servers
· massive use of permanently powered volatile memory in place of mass storage as a semi-permanent data store
· the presence of "idle" or automatic hibernation states, intended to avoid wasting the limited energy stored in the batteries, which also cause unwanted changes to the data in memory and sometimes make the device appear to be switched off (e.g. black display, unresponsive keys, etc.)
· the absence of a universal construction standard, which results in families of devices that provide the same digital services on substantially different hardware and that must be approached differently during forensic analysis
· the continued production of new phones and smart phones
· the presence of ad hoc operating systems that are proprietary and therefore not open
The principles of computer forensics, namely the immutability of the data on the exhibit and the logging of investigative actions, must still be followed in the analysis of the cell phone and of what is found in it.
The phone at the crime scene
Turning off the device, even though it prevents anyone with physical access from doing damage, is not the best approach of all, and certainly not the one that yields analysis results in the shortest possible time. This is because:
· a system that has been switched off may ask, when reactivated, for an unknown PIN
· the battery tends to run down slowly until it is exhausted, hence the need to acquire its power supply;
· there may be more than one battery, and some of them, if removed or exhausted, can cause permanent loss of data.
Having a specialist able to examine the device (not switched off!) close to the crime would be optimal, provided that everything is done in a shielded room.
Several very useful devices have been built for this purpose, for real-time analysis and for transport: for example, jamming devices, Faraday tents and shielded containers.
Content analysis of mobile phones
Methods for the analysis of SIMs and smart phones are constantly updated and are implemented through both hardware and software tools. For the analysis it is important to understand what type of mobile phone is involved, and which methods and tools are best suited to finding the relevant information quickly. In this regard, mobile devices are divided basically into three categories:
Basic phone: implements SMS and voice calls;
Advanced phone: in addition to the basic services, implements EMS, a form of SMS-based chat, a link to an email server for managing a particular mailbox, and WAP browsing;
High-end phone: expands the services of the advanced phone to the broader spectrum of full instant messaging (IM) supported by specific client software, multimedia messaging with MMS, e-mail over the POP/IMAP and SMTP protocols, and real Internet browsing over HTTP.
Each of these categories of phone requires a different type of analysis, because the visible and the hidden information differ greatly between them. Smart phones are obviously high-end phones that require more advanced analysis.
The SIM / USIM
In contrast, SIM cards are highly standardized and uniform storage units with well-known interface protocols. For this reason software tools have been developed that work with smart card readers and are able to copy the data from the SIM at a low level and then interpret it, providing technical information useful to the investigator.
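The interpretation step described above can be sketched as follows; this is an added example, not code from the original article or from any of the tools it mentions. It assumes the EF_IMSI and EF_SMS layouts of 3GPP TS 51.011, works only on a copy that has already been acquired, and uses constructed sample bytes and hypothetical function names.

```python
import hashlib

RECORD_LEN = 176  # EF_SMS record: 1 status byte + 175 bytes of message data
USED_STATUS = {0x01: "received, read", 0x03: "received, unread",
               0x05: "sent", 0x07: "to be sent"}

def decode_imsi(ef_imsi: bytes) -> str:
    """Decode EF_IMSI: length byte, then digits as nibble-swapped BCD."""
    length = ef_imsi[0]
    if not 1 <= length <= 8 or len(ef_imsi) < 1 + length:
        raise ValueError("malformed EF_IMSI")
    nibbles = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in ef_imsi[1:1 + length])
    return nibbles[1:].rstrip("f")  # first nibble is a parity/type marker

def classify_sms_records(ef_sms: bytes) -> list:
    """Return (record number, state) for every 176-byte EF_SMS record."""
    if not ef_sms or len(ef_sms) % RECORD_LEN:
        raise ValueError("EF_SMS copy is not a whole number of records")
    report = []
    for offset in range(0, len(ef_sms), RECORD_LEN):
        status, body = ef_sms[offset], ef_sms[offset + 1:offset + RECORD_LEN]
        if status & 0x01:  # bit 0 set: slot in use
            state = USED_STATUS.get(status & 0x07, "used, unknown status")
        elif any(b != 0xFF for b in body):
            state = "free, residual data"  # deleted slot whose body was not wiped
        else:
            state = "free, empty"
        report.append((offset // RECORD_LEN + 1, state))
    return report

def image_digest(image: bytes) -> str:
    """SHA-256 of the acquired copy, recorded in the examination log."""
    return hashlib.sha256(image).hexdigest()

def _record(status: int, payload: bytes) -> bytes:
    return bytes([status]) + payload.ljust(RECORD_LEN - 1, b"\xff")

# Constructed sample data, not taken from any real card.
SAMPLE_EF_IMSI = bytes.fromhex("082922105555000010")
SAMPLE_EF_SMS = (_record(0x01, b"\x07\x91constructed-read")
                 + _record(0x00, b"\x07\x91constructed-deleted")
                 + _record(0x00, b""))

if __name__ == "__main__":
    print("IMSI:", decode_imsi(SAMPLE_EF_IMSI))
    for number, state in classify_sms_records(SAMPLE_EF_SMS):
        print(f"SMS record {number}: {state}")
    print("SHA-256:", image_digest(SAMPLE_EF_SMS))
```

Hashing the copy before and after interpretation gives a simple check that the working image was not altered during the examination.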
The phone hardware
The analysis of the hardware of mobile and smart phones, excluding the SIM card and removable media, is a more complex activity, but also the one that on average produces a considerable amount of investigative findings.
The analysis can be conducted on three possible levels, namely:
1. non-invasive: the data is copied and reconstructed using a specialized interface that connects the PC to the mobile terminal and, with special software, takes control of the embedded system; an excellent way to detect deleted data (e.g. SMS, MMS, etc.).
2. semi-invasive: use of the on-screen interface of the mobile system operating with the SIM / USIM card inserted and active; a fast and safe method, but limited in the variety of data that can be extracted;
3. invasive: the data is copied by physically extracting the memory chips; a very good and complete method, especially with broken systems, but by its nature hardly repeatable.
A new tool, but... keep an eye on privacy!
A new tool called Cell Phone SIM Card Spy lets you recover deleted data. To use it (it is a USB stick), just insert the SIM card into the device and connect it to a PC: on the computer you can then read and edit all the information stored on the card, including deleted messages.
It has two main functions: reading and data recovery. The latter is possible through the Recovery PRO software; the former is provided by the SIM card spy software.
Ultimately you can delete, edit and save the information on your own SIM card, in case you need to change SIM card or phone, as well as retrieve information believed lost forever.
Todd Morris, president of the manufacturer BrickHouse, told the New York Post that with this tool "About half of married people find something negative on their partner's mobile phone. They think they have deleted their messages, but they are wrong." To justify its use, the company says that the device is (also) useful for parents to monitor their children and for company managers to check how their employees use company phones.
It should be remembered that Cell Phone SIM Card Spy is a device that violates privacy, even when it is used to monitor one's own children, but Morris does have a suggestion for anyone worried about their privacy: "Take the SIM card and destroy it, or cut it up. That is the only way to be sure that the data is lost."
When used for forensic analysis, it must of course be connected through a write blocker placed between it and the computer performing the analysis, to ensure read-only access to the SIM card.
Bibliography:
www.wikipedia.it for the meaning of technical terms
Article by Marco Mattiucci, "Mobile forensic" by www.marcomattiucci.it
Article by Massimo Adduci, "Mobile forensic" from www.cybercrimes.it