Rising mobile attacks prompt forensics experts to go beyond automated extraction tools

UK – Malware and cyber criminals are increasingly targeting mobile devices. With Kaspersky Labs reporting a jump from under 350,000 to 1.3 million attacks between 2013 and 2014 [i], demand for digital forensics investigators with mobile device expertise is increasing.

However, according to Cindy Murphy, a highly regarded expert in the field, the industry is still relying on tools that are not keeping pace with the level of sophistication that more targeted attacks exhibit: "Commercial mobile forensic tools automatically parse some of the data from smartphone extractions, but much more is left behind, unparsed, waiting for examiners to find it. Many people don't look beyond what is automatically parsed by the tools, and great evidence can be totally missed."

Murphy, a Detective with the City of Madison, WI Police Department, is a certified forensic examiner who has worked in computer forensics since 1999. Det. Murphy has directly participated in the examination of many hundreds of hard drives, cell phones and other items of digital evidence in criminal investigations including financial crimes, homicides, missing persons, computer intrusions, sexual assaults, child pornography and various other crimes, and she testifies regularly in court about her work.

Murphy suggests that investigators need to refresh skills to understand smartphone data storage mechanisms at the hex level, to manually decode it, to directly examine databases from installed applications, and to be aware of the types of information that commercial mobile forensic tools commonly don't automatically parse.

"There have been improvements in the security of smartphone operating systems that have made data extraction and mobile device forensics more difficult," says Murphy. "This has led to recent claims about the 'death' of mobile device forensics. Fortunately, the rumours of the death of mobile device forensics are greatly exaggerated. There is still plenty we can accomplish with the data we can get from commercial and open source tools available to us, there are other data extraction methods, and there are alternative data sources we can leverage."

With the popularity of BYOD work environments, organisations should be aware of the variety of risks that mobile devices can present, but most depend on MDM solutions to manage those risks, without fully testing the capabilities of those solutions, or realising their weaknesses and vulnerabilities. Murphy also points out that smartphones don't have the same security controls available that are relied upon with more traditional computing platforms.

"Also, mobile device security, no matter the operating system, depends on the users and administrators to keep the device up to date and properly configured. Smartphone users can be vulnerable to phishing, drive-by downloads, malware and spyware, no matter the operating system in place on the device, and so there is a need for well-trained and knowledgeable forensic examiners who specialise in the unique challenges the various smartphone OSes present."

Murphy is co-author of the SANS FOR585: Advanced Mobile Device Forensics course which she will be teaching at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague from the 5th to 17th of October.

The six-day course focuses on smartphones as sources of evidence, giving students the skills needed to handle mobile devices in a forensically sound manner, manipulate locked devices, understand the different technologies, discover malware, and analyse the results for use in digital investigations by diving deeper into the file systems of each smartphone. Students will be able to obtain actionable intelligence and recover and analyse data that commercial tools often miss, for use in internal investigations, criminal and civil litigation, and security breach cases.

Murphy will participate in a panel discussion "Inside Windows Phone 8: Forensic Acquisition and Analysis" alongside a number of leading speakers covering the most innovative DFIR topics at the Summit on Sunday 11th of October. For more information on the event, or to register, please visit: www.sans.org/event/dfir-prague-2015

[i] https://securelist.com/analysis/kaspersky-security-bulletin/68010/kaspersky-security-bulletin-2014-overall-statistics-for-2014/

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)