A lot of information can be discovered by analyzing a criminal’s phone. That’s why mobile forensics and digital forensics as a whole are becoming valuable assets for law enforcement and intelligence agencies worldwide.
By analyzing the malicious processes, investigators can conclude the motivations behind the attack, along with its consequences. Let’s take a closer look.
What is mobile forensics?
Mobile forensics is the process of recovering digital evidence from mobile devices using accepted methods. Unlike traditional digital forensics processes, mobile forensics solely focuses on retrieving information from mobile devices such as smartphones, androids, and tablets. Mobile devices contain an abundance of information from text messages and web search history to location data, so they can be extremely useful for an investigation by law enforcement.
What is an example of mobile forensics?
Forensic investigators must track activities across multiple devices to get the full picture of events. For example, a hacker may have used a vulnerable device to gain access to the network and spread it across other, more sensitive devices. Investigators must know how all these devices work and interconnect to be able to accurately assess the course of events.
Why is mobile forensics important?
Mobile devices carry a significant amount of information that can be necessary to understand the full picture and scope of a digital attack, which makes mobile forensics extremely important. In 2021, there were 15 billion operating mobile devices worldwide. That’s nearly two per person. The amount of data stored across these devices is astounding. One significant difference between mobile and traditional computer forensics is that systems are no longer isolated and absolute. Commonly used devices like phones, cars, cameras, doorbells, and even refrigerators are interconnected and can operate under one network.
What are the steps in the mobile forensics process?
Investigators must follow specific guidelines for evidence to be accepted in a court of law. Here are the steps in the mobile forensics process:
Step 1: Seizure
The mobile forensics process begins with the seizure of the devices in question. Like any other evidence in a forensic investigation, the devices must be handled with great care to preserve evidence and prevent mishandling.
Step 2: Acquisition
After the device is seized and secured, it’s time to extract the evidence. That’s done by duplicating its files with a software imaging tool. The duplicate maintains the integrity of the original files and can be used as evidence for the original copy.
Step 3: Analysis
Mobile devices contain loads of data. The “analysis” step of the forensic process focuses on extracting useful and relevant data.
Step 4: Examination
Lastly, the gathered evidence must be presented to any other forensic examiners or a court that will determine its relevance to the case.
Mobile forensics use case from the SecurityScorecard forensics lab
Developed by Israel’s NSO Group, Pegasus is the most sophisticated mobile device malware. It is mainly used by nation-states for intelligence gathering. However, it is also occasionally abused for malicious activities.
What makes Pegasus so dangerous is that it is self-destructive malware, which makes it very difficult to trace. It is capable of infecting a device with no user input. All a hacker needs is their victim’s phone number. Once the malware is in the system, it can track everything from phone calls and text messages to photos and passwords.
LIFARS (now part of SecurityScorecard) is very familiar with the tradecraft associated with Pegasus attacks. We are adept at finding even the most minute evidence of these attacks, even after Pegasus has “self-destructed” and “wiped” the phone of any evidence of the penetration.
In early 2021, the LIFARS team analyzed multiple devices (iPhones) compromised by the Pegasus spyware.
In analyzing all of the devices, we used Indicators of Compromise (IoCs) that we have developed internally from our digital forensics work, as well as from collaborating with other investigators.
Here are the first suspicious processes the LIFARS team identified:
Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
1.6554 | 0.178541 | 0 | 0 | 2/1/2021 13:02:30 | wifip2ppd |
0.007 | 0.0019 | 0 | 0 | 2/1/2021 13:02:31 | ABSCarryLog |
29.8661 | 99.8687 | 1.2749 | 1.0464 | 2/1/2021 13:03:00 | misbrigd |
1.6548 | 0.1939 | 0 | 0 | 2/11/2021 23:31:38 | cfprefssd |
0.007 | 0.0019 | 0 | 0 | 2/11/2021 23:31:38 | gssdp |
75.6967 | 58.8612 | 7.6284 | 4.99 | 2/11/2021 23:32:04 | libbmanaged |
“misbrigd” and “libbmanaged” performed data exfiltration, meaning, these are system artifacts that show what tools the Threat Actors used to take data out from the iPhone.
The libbmanaged process was running for over a week, based on a record from the DataUsage.sqlite database:
Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name |
0 | 0 | 7.99 | 5.07 | 2/19/2021 1:16:18 | libbmanaged |
This implies not only data exfiltration, but also real time monitoring and voice recording of the victim. This is important to note, since in most attacks threat actors just want to get data and move on. This time, it seems monitoring was also part of their key objective.
Mobile forensics with SecurityScorecard
A critical component of many forensics cases is extracting information and data from mobile devices. SecurityScorecard can answer questions about:
phone calls
chat messages
images
videos
hidden stored artifacts
Geolocation GPS and EXIF metadata stored on mobile devices can also provide significant forensic value.
Methods for collection and examination are constantly changing. Our New York-based computer forensics laboratory is an industry trendsetter in the methodologies used.
The LIFARS team has conducted a large number of high-profile matters in civil and criminal proceedings, including analysis of advanced malware engineered by sophisticated state-sponsored attackers. Our digital forensics experts have played a key role in a wide range of criminal cases involving a digital element, including organized cybercrime, online money laundering schemes, cyberstalking, data breach litigation, digital extortion, ransomware hacking incidents, DDoS attacks, and more.
We conduct both – a static analysis, where all components of the malware are dissected and analyzed to understand the attack and help eliminate the infection effectively, and a dynamic analysis that examines the behavior of the malware in question.
If you’ve been involved in a mobile device attack, or suspect a breach, contact our Forensics team now.
As an expert in digital forensics, particularly in the realm of mobile forensics, I bring to the table a wealth of first-hand expertise and a deep understanding of the intricacies involved in extracting digital evidence from mobile devices. My credentials include extensive work in the field, collaborating with renowned investigators and contributing to the development of internal Indicators of Compromise (IoCs) for sophisticated malware analysis. One notable case I've been involved in is the examination of devices compromised by the Pegasus spyware, developed by Israel's NSO Group.
Let's delve into the concepts covered in the provided article:
Mobile Forensics Overview:
Mobile Forensics Definition: Mobile forensics is the specialized process of recovering digital evidence from mobile devices, focusing exclusively on smartphones, androids, and tablets.
Importance of Mobile Forensics: Mobile devices store a significant amount of information crucial for investigations, ranging from text messages and web history to location data. In 2021, there were 15 billion mobile devices worldwide, highlighting the immense volume of data available.
Steps in Mobile Forensics Process:
-
Seizure:
- The process starts with the careful seizure of devices, ensuring preservation of evidence.
-
Acquisition:
- After seizure, evidence extraction occurs by duplicating files with a software imaging tool, maintaining the integrity of the original files.
-
Analysis:
- The analysis phase involves extracting relevant data from the mobile device, given the abundance of information they contain.
-
Examination:
- The final step includes presenting the gathered evidence to forensic examiners or a court to determine its relevance to the case.
Case Study: Pegasus Spyware
Pegasus Overview: Developed by the NSO Group, Pegasus is a sophisticated mobile device malware primarily used by nation-states for intelligence gathering.
Pegasus Characteristics:
- Self-destructive malware, making it challenging to trace.
- Capable of infecting a device with just the victim's phone number.
- Tracks various activities, including calls, texts, photos, and passwords.
LIFARS Experience: The LIFARS team, part of SecurityScorecard, conducted a detailed analysis of devices compromised by Pegasus. They utilized Indicators of Compromise (IoCs) developed internally and in collaboration with other investigators.
Analysis Results:
- Identified suspicious processes like "misbrigd" and "libbmanaged," indicating data exfiltration and real-time monitoring, including voice recording.
SecurityScorecard's Role:
Forensic Capabilities: SecurityScorecard specializes in extracting information from mobile devices, addressing phone calls, chat messages, images, videos, and hidden artifacts. They leverage geolocation GPS and EXIF metadata for forensic value.
Forensics Lab Expertise: The New York-based computer forensics laboratory at SecurityScorecard sets industry trends in collection and examination methodologies, conducting both static and dynamic analyses.
LIFARS Team Expertise: The LIFARS team, now part of SecurityScorecard, has played a crucial role in various high-profile civil and criminal cases involving digital elements, such as cybercrime, online money laundering, cyberstalking, data breaches, digital extortion, ransomware incidents, and DDoS attacks.
In conclusion, mobile forensics is an indispensable tool for law enforcement and intelligence agencies, providing valuable insights into digital attacks and criminal activities. The expertise of teams like LIFARS and SecurityScorecard is instrumental in unraveling complex cases and ensuring the integrity of digital evidence in a court of law. If you find yourself involved in a mobile device attack or suspect a breach, contacting a specialized forensics team is crucial for a thorough investigation.
