Mobilforensiska verktyg : Kontaminering i fokus

Rosenberg, Robin, Palmgren, Erik

January 2014

Den stigande populariteten av mobila enheter har inte bara lett till en smidigarevardag med snabb tillgang till e-post och sociala medier utan aven blivit ett allt mervanligt instrument anvant vid kriminella handlingar. Detta har medfort ett behov attkunna undersoka dessa enheter pa ett sakert satt utan att riskera att bevis blirkontaminerade. Det har arbetet har undersokt de mobilforensiska verktyg somanvands av Polisen och deras tillvagagangssatt vid utredning. Genom att anvanda ossutav Polisens tillvagagangssatt och deras verktyg sa har vi utfort experiment ochintervjuer for att undersoka om data forandras vid utvinning. Experimenten pavisaratt data forandras vid utvinning med ett givet verktyg medans intervjuerna visarskiftande asikter bland Poliser och utvecklare gallande kontaminering.Resultatet fran experimentet visade oss att verktyget UFED raderat bevisfiler frananvandardatan pa en enhet under utvinning. Polisens nonchalans gallandekontaminering bor uppmarksammas da en av deras anvanda verktyg visade ettresultat som kan ha en avgorande roll vid utredning. / The rising popularity of mobile devices has not only led to a smoother way of livingwith quick access to email and social media, but has also become an increasinglycommon instrument used in criminal activity. This has led to a need to investigatethese devices safely without risking the integrity of the evidence. This paper hasexamined the mobile forensic tools used by the Swedish Police and their procedureused in investigations. By following the same procedures and using the same tools,we have conducted experiments and interviews to investigate if data changes duringthe extraction. The experiments demonstrate that the data changes duringextraction of a given tool, while the interviews shows diverse opinions among thePolice and developers behind these tools regarding contamination. The results fromthe experiments showed us that the tool UFED erased evidence files from theuserdata on a device during extraction. The Police negligence regardingcontamination should be attended to, since one of their used tools showed resultsthat could have had a critical impact in an investigation.

Kontaminering

mobilforensik

xry

ufed

Uppe bland molnen : Tvångsmedlet genomsökning på distans RB 28:10 och utvinning av molndata tillhörande Googletjänster

Dahlstrand, Elsa, Dahl, Moa

January 2023

Det sker en kontinuerlig digitalisering i världen vilket innebär en utmaning för samhällets lagstiftning, till följd av att lagstiftning är tids- och resurskrävande. Detta är något som kriminella utnyttjar i och med att deras verksamhet har flyttats alltmer till den digitala världen. Kriminell verksamhet som genomförs med hjälp av molntjänster har varit svårt att bekämpa, då det inte är säkert att den data som skapas i molntjänster också lagras i samma land. Arbetet att samla in denna data har för svenska myndigheter därför varit krångligt, och i vissa fall, omöjligt. Det var först i juni 2022 som en lag trädde i kraft, RB 28:10 genomsökning på distans, som gjorde det möjligt för utredare att gå in i molntjänster och leta efter bevismaterial.  I denna uppsats har semi-strukturerade intervjuermed IT-forensiker och åklagare genomförtsoch analyserats.Resultatet visar att upplevelsen av lagen är positiv; att den kom hastigt men att den var behövlig. Däremot har den skapat mer arbete för IT-forensiker som en konsekvens. Kompletterande har ett experiment av molndata tillhörande ett Google-konto undersökts med hjälp av två IT-forensiska verktyg, vilket resulterat i att en skillnad i verktygens identifiering av raderad data uppmärksammats. Slutligen påvisar uppsatsen och dess resultat att lagen,genomsökning på distans, och utvinning av molndata försett brottsbekämpningen med data av högt bevisvärde och möjliggjort utredningar som tidigare inte var möjligt enligt lag. / The constant digitalization of our world poses a challenge to our governments in developing laws correspondingly. This divergence is something cybercriminals exploit. Criminal activity taking place in the cyberspace, specifically through cloud platforms, has been difficult for law enforcement to regulate and prosecute, partially due to the information needed is kept in servers outside of jurisdiction. In Swedish law enforcement this has caused the acquisition of valuable cloud data, in some cases, impossible, consequently leading to unsolved cases. As of June 2022, a new law regarding means of coercion took effect which enabled the recovery of account specific cloud data. In this work semi-structured interviews, with IT-forensics and prosecutors, were conductedand analyzed. The result shows that the experience of the law is positive, that it came abruptlybut that it was necessary. However, it has created more work for IT-forensics as a consequence. In addition, an experiment involving cloud data belonging to a Google account has been investigated with the help of two IT-forensic tools, which resulted in the observation of a variation in the tools' identification of deleted data. Finally, the paper and its findings demonstrate that the law and cloud data mining have provided law enforcement with high probative value data and enabled investigations previously not lawfully possible.

IT-forensics

Digital Forensics

Means of Coercion

Cloud Forensics

Magnet AXIOM

Cellebrite UFED Cloud

Google services

Tvångsmedel

RB 28:10

Genomsökning på distans

Digital forensik

Molnforensik

Magnet AXIOM

Cellebrite UFED Cloud

Googletjänster

Computer and Information Sciences

Data- och informationsvetenskap

Forensic Analysis of GroupMe on Android and iOS Smartphones

Tanvi Milind Gandhi (11205891)

30 July 2021

The growing popularity of instant messaging has led to the conception of several new applications over the span of the past decade. This has opened up an attack surface for cybercriminals to target susceptible app users. GroupMe is a free IM app widely used by students and so far, no comprehensive forensic analysis has been performed to aid forensic practitioners in recovering evidence from GroupMe on smartphones. This research performs a detailed analysis of the digital artifacts left by the app on Android and iOS devices. This was achieved by installing the app on two mobile phones (Samsung Galaxy S7 Edge and iPhone 6), and identifying each artifact created by performing a series of actions in the app ranging from sending texts, to sharing images and documents, along with their location. Using Cellebrite UFED and Magnet AXIOM, a significant number of artifacts were accurately recovered mainly from the “GroupMe.sqlite” and “GroupMe.sqlite-wal” databases. Out of the 335 artifacts populated on the iPhone, 317 were correctly recovered by both UFED and AXIOM, resulting in an accuracy of 94.62%. No GroupMe related artifacts could be recovered from the Android device. This was due to several physical imaging and rooting limitations imposed by the Samsung SM-935A model, which was used during the study.

Uncategorized

Digital Forensics

Cyber Forensics

Mobile Forensics

Forensic Analysis

GroupMe

Android Forensics

iOS Forensics

UFED Cellebrite

Magnet AXIOM

Forensic Analysis of Navigation Applications on Android and iOS Platforms

Neesha Shantaram (11656642)

19 December 2021

<div>With the increased evolution in technology over the past decade, there has been a gradual inclination towards utilizing advanced tools, like location-based applications which incorporate features such as constant route or traffic updates with Global Positioning System (GPS), among</div><div>others, which aid in smooth living. Such applications gain access to private information of users, among their other life hack qualities, thus producing a highly vulnerable ground for data exposure such as current location. With the increase in mobile application-based attacks, there exists a</div><div>constant threat scenario in terms of criminal activities which pose an ultimate challenge while tackling large amount of data. This research primarily focuses on the extent of user-specific data that can be obtained while forensically collecting and analysing data from Waze and HEREwego</div><div>applications on Android and iOS platforms. In order to address the lack of forensic research on the above mentioned applications, an in-depth forensic analysis is conducted in this study, utilizing Cellebrite, a professional tool to provide and verify the evidence acquired, that aid in any digital forensic investigations. On the Waze application, 12 artifacts were populated on the Android device and 17 artifacts on the iOS device, out of which 12 artifacts were recovered from the Android device (100% of the artifacts populated) and 12 artifacts from the iOS device (70.58% of the artifacts populated). Similarly on the HEREwego application, 14 artifacts were populated on the Android device and 13 artifacts on the iOS device, out of which 7 artifacts were recovered from the Android device (50% of the artifacts populated) and 7 artifacts from iOS device (53.84% of the artifacts populated).</div>

Technology not elsewhere classified

Digital Forensics

Mobile Forensics

Cyber Forensics

Android Forensics

iOS Forensics

GPS

Navigation

Mobile applications

UFED Cellebrite

Waze

HEREwego