Thursday, December 11, 2014

Mobile Device Forensics - Backup locations

Analysts within an organization often specialize in a single discipline (computer forensics, mobile device forensics, etc.).
This can lead to overspecialization and, in effect, cause an analyst to overlook potential evidence. For the purpose of this post, we will use the example of the common division of examination tasks between cellphone forensic and computer forensic analysts.

Modern mobile devices blur the line between the two disciplines. Mobile device data can exist on the computer, on the mobile device itself (internal memory, SIM, removable media), and in the cloud. A large number of new analysts and new organizations ignore the wealth of mobile-device-related data that can be found through computer forensic examinations. A potential wealth of historic data may be present in the form of mobile device backups. Often, at a minimum, the IMEI or ICCID of a previously backed-up device can be found stored on the computer by the mobile device backup application.

The link below is to a "Mobile Device Backup Locations" document focusing on Samsung, Sony Android, BlackBerry, iOS, Sony Maemo, and Symbian backups. It's not an all-inclusive document, but the majority of the information was derived empirically with test phones that I had on hand. The document does not address the analysis or exploitation of the backups or devices; there is a wealth of other material available on that subject a Google search away.

Download: Miyake - Mobile Device Backup Locations v1.0 Release - 20141211

I would appreciate any errata, information, or suggestions. I put this document together late last year and it has been stagnating on my drive since, so I'm pushing it out to the world for a good airing. Thanks.
