Dr Raymond Choo, Cloud Security Alliance - Mobile devices and their implications for forensic investigations in Australia


Published on March 13, 2014

Author: informaoz



Dr Raymond Choo, Research Director, Cloud Security Alliance, and Senior Lecturer, School of Information Technology and Mathematical Sciences, University of South Australia, delivered this presentation at the 2014 Police Technology Forum.

The Police Technology Forum 2014 seeks to address technology innovation, evolution and development within Australia’s law enforcement industry.

Over two days, a panel of experts gathers to examine opportunities, initiatives and issues facing organisations both in front-line policing and in the wider law enforcement industry, including transport, border protection and surveillance.

For more information about the event, please visit:

Police Technology Forum

Mobile devices and their implications for forensic investigations in Australia

Dr Kim-Kwang Raymond Choo, Information Assurance Research Group, University of South Australia

Poll

• How many of us do NOT have at least one smart mobile device (e.g. Android, iOS – iPhone or iPad, Windows and Blackberry)?
• Differences between a smart mobile device and a PC/“traditional” laptop?
• Apps (other than a Windows 8 PC or laptop)?
  – What are the types of apps you have installed on your devices? Email, Cloud Storage (e.g. Dropbox), Social networking, VoIP, etc …?


• How many of us READ / RESEARCH the type of permissions apps are asking for at the time of installation?
• Do you know what your apps have just requested?

Mobile apps and forensic investigations

What do mobile apps have to do with forensic investigations?
1. What is the best method of identifying app usage on a smart mobile device?
2. Do you know what data / remnants remain on a smart mobile device after the user has used one or more apps?

Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework

Challenges of cloud forensics

• Potentially more difficult to acquire and analyse digital evidence to the same standards as those currently expected for traditional server-based systems, such as:
  – An exact and verifiable digital copy of the users’ data must be made;
  – Identifying and copying the contents of the RAM of the virtualised environment;
  – There must be provenance;
  – Evidence of intent must be proved;
  – Data must be analysed and processed in accordance with the prevailing rules of evidence; and
  – Evidence must be preserved and made available for examination by the defendant’s legal team.
• Examination and analysis using digital forensics tools such as Encase®, FTK™ and XRY™ will need to be augmented by “translators” which convert popular cloud computing file formats into data files for processing.

Challenges of cloud forensics

• “little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)
• “[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…” (Birk and Wegener 2011, p.9)
• “[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” (Zatyko & Bay 2012, p.15), by the previous Director of the US Department of Defense Computer Forensics Laboratory and the previous Chief Scientist at the US Air Force Research Laboratory Information Directorate

Need for an evidence-based digital forensic framework to guide investigations, which is
• flexible/generic enough to be able to work with future providers offering new services, yet
• able to step an investigation through a formalised process to ensure information sources are identified and preserved.

Our published cloud forensics framework (iterative)

1. Commence (Scope): Determine the scope of the investigation, the requirements and limitations, and prepare equipment and expertise.
2. Identification and Preservation: It is critical that preservation commences as soon as cloud computing use is discovered in a case; as such, it is combined with identification in this model.
3. Collection: The potential difficulties in the collection of cloud computing data dictate the requirement for collection to be represented as a separate step.
4. Examination and Analysis: Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.
5. Reporting and Presentation: This step relates to reporting and presenting evidence to court. As such, this step will remain mostly unchanged.
6. Feedback and Complete: This step relates to a review of the findings and a decision to finalise the case or expand the analysis.

Adapted from Martini and Choo (2012) and Quick and Choo (2013); appeared in Quick, Martini and Choo (2014).

Cloud forensics

• The initial focus of our research has been in the area of Storage as a Service (StaaS).
• Client analysis: Three popular public storage clients have been analysed across both PC and mobile devices.
• Client and server analysis: One of the preeminent open source cloud storage products (ownCloud) has also been analysed.
  – Australia’s Academic and Research Network (with over one million end users from 38 Australian universities, CSIRO and other academic, research and education institutions) is deploying ownCloud as the basis for its CloudStor+ service.

Cloud forensics: A snapshot of our findings from the client analysis

| Client | System tray link | RAM password cleartext | DBAN |
|---|---|---|---|
| Dropbox | Yes | Yes | No |
| Microsoft Skydrive | Yes (but not full access to an account) | Yes | No |
| Google Drive | Yes | Yes (and also on HDD) | No |

| Client | Eraser/CCleaner | Configuration files | Mobile |
|---|---|---|---|
| Dropbox | Remnants | Yes (Old) / Encrypted (New) | Browser |
| Microsoft Skydrive | Remnants | Yes | Browser |
| Google Drive | Remnants | Yes | Browser |

Cloud forensics: Our recent book

For our new book entitled “Cloud Storage Forensics, 1st Edition”, please visit

The book’s forewords are written by Australia’s Chief Defence Scientist and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories.

Cloud forensics: Ongoing work

• Examine other cloud services to determine the best practices for forensic extraction and analysis on these platforms, as there will most certainly be variation in the collection methods in each type of cloud platform and deployment model.

Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework

iOS Forensics

• Develop a practitioner-based iOS forensic technique to identify and acquire deleted data from an HFS Plus volume in an iOS device.
• The technique also allows forensic practitioners to verify the timestamps of the recovered image file.

Cloud and Mobile Forensics: Ongoing work

iOS anti-forensics

• “Concealment” technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices,
• “Deletion” technique to reinforce data deletion from iOS devices, and
• “Insertion” technique to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.

Ariffin A, D'Orazio C, Choo K-K R and Slay J 2013. iOS Forensics: How can we recover deleted image files with timestamp in a forensically sound manner? In International Conference on Availability, Reliability and Security (ARES 2013) (pp. 375–382), University of Regensburg, Germany, 2–6 September 2013.

D’Orazio C, Ariffin A and Choo K-K R 2014. iOS anti-forensics: How can we securely conceal, delete and insert data? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4838–4847, 6–9 January 2014, IEEE Computer Society Press.

VoIP apps

Aim: To examine ten popular freely available Android VoIP apps to determine whether voice and text communications using these applications are encrypted.

What this study is not about …

• Motivations:
  – VoIP and video chat from smart mobile devices are an increasingly popular choice for consumers. It is important to understand the limitations of these technologies.
• App-to-app communication channel
• Wi-Fi network to Wi-Fi network
• Mobile data network to mobile data network
• Mobile data network to Wi-Fi network
• Wi-Fi network to mobile data network

Android VoIP apps

| VoIP app | Text communication encrypted? | Cluster in histogram analysis (Sample 1) | Cluster in histogram analysis (Sample 2) | Entropy analysis (Sample 1) | Entropy analysis (Sample 2) | Voice communication encrypted? |
|---|---|---|---|---|---|---|
| Skype | Yes | No | No | Steady | Steady with sudden changes | Yes |
| Google Talk | Yes | No | No | Gradual change | Gradual change | Yes |
| ICQ | Yes | Yes | Yes | Uneven | Steady changes | No |
| Viber | Yes | Yes | Yes | High fluctuation | High fluctuation | No |
| Nimbuzz | Yes | Yes | Yes | Steady changes | Steady changes | Yes |
| Yahoo | No (messages sent by user) / Yes (messages received by user) | No | No | High fluctuations in the beginning | High fluctuation | No |
| Fring | Yes | Yes | Yes | High fluctuation | High fluctuation | No |
| Vonage | Yes | Yes | Yes | Steady with few spikes | Steady with few spikes | No |
| WeChat | Yes | Yes | Yes | Even and uneven | Even and uneven | No |
| Tango | Yes | No | No | High fluctuation | Steady changes | Yes |

Android VoIP apps: Encryption of text/voice communication per channel (w2w = Wi-Fi to Wi-Fi, m2m = mobile data to mobile data, m2w = mobile data to Wi-Fi, w2m = Wi-Fi to mobile data)

| Android VoIP app | Channel | w2w | m2m | m2w | w2m |
|---|---|---|---|---|---|
| Skype | Text | Y | Y | Y | Y |
| Skype | Voice | Y | Y | Y | Y |
| Google Hangout | Text | - | Y | Y | Y |
| Google Hangout | Voice | - | Y | Y | Y |
| ICQ | Text | Y | Y | Y | Y |
| ICQ | Voice | N | N | N | N |
| Viber | Text | Y | Y | Y | Y |
| Viber | Voice | N | N | N | N |
| Nimbuzz | Text | Y | Y | Y | Y |
| Nimbuzz | Voice | Y | Y | Y | Y |
| Yahoo | Text | N | N | N | N |
| Yahoo | Voice | N | N | N | N |
| Fring | Text | Y | N | N | N |
| Fring | Voice | N | N | N | N |
| Vonage | Text | Y | N | N | N |
| Vonage | Voice | N | N | N | N |
| Wechat | Text | Y | Y | Y | Y |
| Wechat | Voice | N | N | N | N |
| Tango | Text | Y | Y | Y | Y |
| Tango | Voice | Y | N | N | N |

Three VoIP apps (Fring and Vonage for text, Tango for voice, each encrypted only on the w2w channel) might be silently turning off encryption whenever a mobile network is involved.

Azfar A, Choo K-K R and Liu L 2014. A study of ten popular Android mobile VoIP applications: Are the communications encrypted? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4858–4867, 6–9 January 2014, IEEE Computer Society Press.
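The histogram-cluster and entropy indicators behind the two tables above, as an added example that is not part of the presentation or of the cited HICSS study: it scores a captured byte sample on both indicators and then compares per-channel samples the way the w2w/m2m/m2w/w2m table does, flagging channels that lose encryption. The thresholds (7.5 bits/byte, a histogram peak of 3× the flat expectation) and the two sample payloads are constructed assumptions, not values from the paper.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniformly distributed bytes."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def histogram_has_clusters(data: bytes, peak_ratio: float = 3.0) -> bool:
    """True if some byte value occurs peak_ratio times more often than the flat (n/256)
    expectation; plaintext and raw codec output show such peaks, ciphertext does not."""
    expected = len(data) / 256
    return max(Counter(data).values()) > peak_ratio * expected

def looks_encrypted(data: bytes, min_entropy: float = 7.5) -> bool:
    """Both indicators must agree before a sample is called encrypted (assumed thresholds)."""
    return shannon_entropy(data) >= min_entropy and not histogram_has_clusters(data)

def channels_silently_unencrypted(samples: dict) -> list:
    """Given per-channel samples keyed 'w2w', 'm2m', 'm2w', 'w2m', return the channels
    that are NOT encrypted while the Wi-Fi-to-Wi-Fi channel is (the pattern the table shows)."""
    verdict = {ch: looks_encrypted(d) for ch, d in samples.items()}
    if not verdict.get("w2w"):
        return []
    return sorted(ch for ch, enc in verdict.items() if not enc)

# Constructed stand-ins for captured payloads (not real app traffic).
def _pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    out, block = b"", seed
    while len(out) < n:            # SHA-256 chain gives a deterministic, flat byte histogram
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

PLAINTEXT_SAMPLE = (b"hello, are you free for a call at 3pm? ") * 100
CIPHERTEXT_SAMPLE = _pseudo_ciphertext(4096)

if __name__ == "__main__":
    for name, sample in (("text", PLAINTEXT_SAMPLE), ("random", CIPHERTEXT_SAMPLE)):
        print(name, round(shannon_entropy(sample), 3), histogram_has_clusters(sample), looks_encrypted(sample))
    captures = {"w2w": CIPHERTEXT_SAMPLE, "m2m": PLAINTEXT_SAMPLE,
                "m2w": PLAINTEXT_SAMPLE, "w2m": CIPHERTEXT_SAMPLE}
    print("channels lacking encryption:", channels_silently_unencrypted(captures))
```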

Windows event forensic process (WinEFP)

Do Q, Martini B, Looi J M J, Wang Y and Choo K-K R 2014. Windows Event Forensic Process (WinEFP). In IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, IFIP Advances in Information and Communication Technology, Springer-Verlag, 8–10 January [In press].

Mobile forensics: A rat race

Mobile forensics is a race not only to keep up with device (i.e. hardware) and software (e.g. app and operating system) releases by providers, but also with software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence.

• ‘Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney’ (Australian Broadcasting Corporation 2014).
• The NSW Crime Commission’s 2012-2013 annual report stated that ‘[a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community’.

Part I: Cloud Forensics
Part II: Mobile Device and App Forensics
Part III: Data Reduction Framework

Digitalisation of data

1. Increasing data volume and cost implications
2. Digital forensic practitioners, especially those in government and law enforcement agencies, will continue to be under pressure to deliver more with less, especially in today’s economic landscape.

This gives rise to a variety of needs, including
• a more efficient method of collecting and preserving evidence,
• a capacity to triage evidence prior to conducting full analysis,
• reduced data storage requirements,
• an ability to conduct a review of information in a timely manner for intelligence, research and evidential purposes,
• an ability to archive important data,
• an ability to quickly retrieve and review archived data, and
• a source of data to enable a review of current and historical cases (intelligence, research, and knowledge management).

Data reduction framework for digital forensic evidence storage, intelligence, review and archive

Initial research with sample data from the South Australia Police Electronic Crime Section and Digital Corpora forensic images using our proposed framework resulted in a significant reduction in storage requirements: the reduced subset is only 0.196% and 0.75% respectively of the original data volume.

Quick D and Choo K-K R. Data reduction framework for digital forensic evidence storage, review and archive. Trends & Issues in Crime and Criminal Justice [In press, accepted 11 March 2014].

Dr. Kim-Kwang Raymond Choo
2009 Fulbright Scholar
Research Director, Cloud Security Alliance, Australia Chapter
Senior Lecturer, School of Information Technology & Mathematical Sciences, University of South Australia
URL:
Email:
Google Scholar:
