A lot of information can be discovered by analyzing a criminal’s phone. That’s why mobile forensics and digital forensics as a whole are becoming valuable assets for law enforcement and intelligence agencies worldwide.
By analyzing the malicious processes, investigators can conclude the motivations behind the attack, along with its consequences. Let’s take a closer look.
What is mobile forensics?
Mobile forensics is the process of recovering digital evidence from mobile devices using accepted methods. Unlike traditional digital forensics processes, mobile forensics solely focuses on retrieving information from mobile devices such as smartphones, androids, and tablets. Mobile devices contain an abundance of information from text messages and web search history to location data, so they can be extremely useful for an investigation by law enforcement.
What is an example of mobile forensics?
Forensic investigators must track activities across multiple devices to get the full picture of events. For example, a hacker may have used a vulnerable device to gain access to the network and spread it across other, more sensitive devices. Investigators must know how all these devices work and interconnect to be able to accurately assess the course of events.
Why is mobile forensics important?
Mobile devices carry a significant amount of information that can be necessary to understand the full picture and scope of a digital attack, which makes mobile forensics extremely important. In 2021, there were 15 billion operating mobile devices worldwide. That’s nearly two per person. The amount of data stored across these devices is astounding. One significant difference between mobile and traditional computer forensics is that systems are no longer isolated and absolute. Commonly used devices like phones, cars, cameras, doorbells, and even refrigerators are interconnected and can operate under one network.
What are the steps in the mobile forensics process?
Investigators must follow specific guidelines for evidence to be accepted in a court of law. Here are the steps in the mobile forensics process:
Step 1: Seizure
The mobile forensics process begins with the seizure of the devices in question. Like any other evidence in a forensic investigation, the devices must be handled with great care to preserve evidence and prevent mishandling.
Step 2: Acquisition
After the device is seized and secured, it’s time to extract the evidence. That’s done by duplicating its files with a software imaging tool. The duplicate maintains the integrity of the original files and can be used as evidence for the original copy.
Step 3: Analysis
Mobile devices contain loads of data. The “analysis” step of the forensic process focuses on extracting useful and relevant data.
Step 4: Examination
Lastly, the gathered evidence must be presented to any other forensic examiners or a court that will determine its relevance to the case.
Mobile forensics use case from the SecurityScorecard forensics lab
Developed by Israel’s NSO Group, Pegasus is the most sophisticated mobile device malware. It is mainly used by nation-states for intelligence gathering. However, it is also occasionally abused for malicious activities.
What makes Pegasus so dangerous is that it is self-destructive malware, which makes it very difficult to trace. It is capable of infecting a device with no user input. All a hacker needs is their victim’s phone number. Once the malware is in the system, it can track everything from phone calls and text messages to photos and passwords.
LIFARS (now part of SecurityScorecard) is very familiar with the tradecraft associated with Pegasus attacks. We are adept at finding even the most minute evidence of these attacks, even after Pegasus has “self-destructed” and “wiped” the phone of any evidence of the penetration.
In early 2021, the LIFARS team analyzed multiple devices (iPhones) compromised by the Pegasus spyware.
In analyzing all of the devices, we used Indicators of Compromise (IoCs) that we have developed internally from our digital forensics work, as well as from collaborating with other investigators.
Here are the first suspicious processes the LIFARS team identified:
Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
1.6554 | 0.178541 | 0 | 0 | 2/1/2021 13:02:30 | wifip2ppd |
0.007 | 0.0019 | 0 | 0 | 2/1/2021 13:02:31 | ABSCarryLog |
29.8661 | 99.8687 | 1.2749 | 1.0464 | 2/1/2021 13:03:00 | misbrigd |
1.6548 | 0.1939 | 0 | 0 | 2/11/2021 23:31:38 | cfprefssd |
0.007 | 0.0019 | 0 | 0 | 2/11/2021 23:31:38 | gssdp |
75.6967 | 58.8612 | 7.6284 | 4.99 | 2/11/2021 23:32:04 | libbmanaged |
“misbrigd” and “libbmanaged” performed data exfiltration, meaning, these are system artifacts that show what tools the Threat Actors used to take data out from the iPhone.
The libbmanaged process was running for over a week, based on a record from the DataUsage.sqlite database:
Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
0 | 0 | 7.99 | 5.07 | 2/19/2021 1:16:18 | libbmanaged |
This implies not only data exfiltration, but also real time monitoring and voice recording of the victim. This is important to note, since in most attacks threat actors just want to get data and move on. This time, it seems monitoring was also part of their key objective.
Mobile forensics with SecurityScorecard
A critical component of many forensics cases is extracting information and data from mobile devices. SecurityScorecard can answer questions about:
phone calls
chat messages
images
videos
hidden stored artifacts
Geolocation GPS and EXIF metadata stored on mobile devices can also provide significant forensic value.
Methods for collection and examination are constantly changing. Our New York-based computer forensics laboratory is an industry trendsetter in the methodologies used.
The LIFARS team has conducted a large number of high-profile matters in civil and criminal proceedings, including analysis of advanced malware engineered by sophisticated state-sponsored attackers. Our digital forensics experts have played a key role in a wide range of criminal cases involving a digital element, including organized cybercrime, online money laundering schemes, cyberstalking, data breach litigation, digital extortion, ransomware hacking incidents, DDoS attacks, and more.
We conduct both – a static analysis, where all components of the malware are dissected and analyzed to understand the attack and help eliminate the infection effectively, and a dynamic analysis that examines the behavior of the malware in question.
If you’ve been involved in a mobile device attack, or suspect a breach, contact our Forensics team now.