Transcript

Bridging the gap between mobile and computer forensics

Paul Slater

Carl Barron

Mark Wootton

March 1, 2017 COPYRIGHT NUIX 2017 2

Speakers

Paul Slater

Global Head of Investigations, Nuix

Paul Slater is a subject matter expert with over 20 years of experience in investigations, digital forensics, and eDiscovery. Paul has held senior roles within law enforcement, corporate and "Big 4" advisories and was a member of the review board for the Association of Chief Police Officers (ACPO) “Good Practice Guide for Digital Evidence.” Paul also served for two years as interim head of the Digital Forensics Unit in the primary UK agency for investigating and prosecuting serious and complex fraud, where he designed workflows and implemented technologies to enable them to process 20 times more electronic evidence each year. Paul now uses his expertise to enable Nuix customers to 'master their data' through the design, build, and implementation of digital forensic and eDiscovery solutions.

Carl Barron

Senior Solutions Consultant, Nuix

Carl is a Senior Solutions Consultant with Nuix, having joined the company in March 2012. He provides pre- and post-sale consultancy, technical support and solution implementation. Carl brings a wide variety of knowledge in both hardware and software with an enthusiast's approach to helping customers improve workflows. Prior to joining Nuix, Carl worked as a Forensic Technician for a leading Litigation Support Vendor in London.

Mark Wootton

eDiscovery Manager, Yerra Solutions

Mark is an eDiscovery Manager with over 20 years of experience as an expert investigator. He specialises in the collection, examination and presentation of electronic information as evidence for both corporate and law enforcement investigations. Mark has a skill set in complex criminal investigations, including money laundering, fraud and financial matters, and an absolute passion and drive for delivering quality evidence that assists companies in making risk-based decisions.


Today’s Agenda

Introduction

Survey/Poll - Growth of mobile devices

Mobile devices in Investigations

Some of the Challenges

Use Cases

Mobile devices in Nuix

Questions


What percentage of UK Adults now owns a smartphone?

38%

47%

71%

68%


In 2015 – Globally – on average how many text messages were sent?

1 Trillion each year

10 Billion each day

23 Billion each day

50 Billion over the year


How many minutes on average does a smartphone user spend on their phones each day?

60 minutes

225 minutes

145 minutes

90 minutes


Mobile statistics


...But what does all this have to do with Investigations?

Many 'smart' devices automatically add geotagging information to our photographs...

Exhibit 1 – Mobile phone

So we can see where people have been…

Exhibit 2 - Map


Exhibit 3 – Picture Data

Exhibit 3a – EXIF Data

And when they were there....

Exhibit 4 - Suspects

And often – who they were with!
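The geotag slides above rest on one operation: reading the GPS IFD out of a photo's EXIF block. The following is an added example, not code from the Nuix deck or a Nuix product: a small EXIF/TIFF walker in Python that finds the APP1 segment, follows IFD0 to the GPS IFD, reads GPSLatitude/GPSLongitude (three degree/minute/second rationals plus a hemisphere tag) and the DateTime and GPSDateStamp strings, and returns signed decimal degrees. The tag numbers are the standard EXIF ones; the sample JPEG is constructed inside the block (a bare marker skeleton with hypothetical coordinates, not a real photograph) so that it runs offline.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}    # bytes per TIFF field type
TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825                         # IFD0 tags (standard EXIF numbers)
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON, GPS_DATESTAMP = 1, 2, 3, 4, 0x1D  # GPS IFD tags

def exif_payload(jpeg):
    """Walk the JPEG marker segments; return the TIFF blob inside APP1 'Exif', or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                                   # stand-alone markers carry no length
            continue
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        if marker == 0xDA:                             # start of scan: no more headers follow
            break
        pos += 2 + seg_len
    return None

def read_ifd(tiff, offset, end):
    """One Image File Directory -> {tag: (type, count, raw)}; values over 4 bytes live at an offset."""
    (count,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        src = e + 8 if size <= 4 else struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
        entries[tag] = (typ, n, tiff[src:src + size])
    return entries

def decode(entry, end):
    """Raw IFD entry -> ASCII string, tuple of ints, or list of floats for RATIONAL pairs."""
    typ, n, raw = entry
    if typ == 2:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ in (3, 4):
        return struct.unpack(end + str(n) + "HI"[typ - 3], raw)
    if typ == 5:
        v = struct.unpack(end + str(2 * n) + "I", raw)
        return [a / b if b else float("nan") for a, b in zip(v[::2], v[1::2])]
    return raw                                         # other types left opaque

def dms_to_decimal(parts, ref):
    """GPSLatitude/GPSLongitude hold (deg, min, sec); the Ref tag gives the hemisphere."""
    deg, minutes, seconds = parts
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value

def gps_from_jpeg(jpeg):
    """Return {'lat', 'lon', 'gps_date', 'datetime'} in decimal degrees, or None without a GPS IFD."""
    tiff = exif_payload(jpeg)
    if tiff is None:
        return None
    end = "<" if tiff[:2] == b"II" else ">"            # byte order declared by the TIFF header
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = read_ifd(tiff, ifd0_off, end)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, decode(ifd0[TAG_GPS_IFD], end)[0], end)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    opt = lambda ifd, tag, default=None: decode(ifd[tag], end) if tag in ifd else default
    return {
        "lat": dms_to_decimal(decode(gps[GPS_LAT], end), opt(gps, GPS_LAT_REF, "N")),
        "lon": dms_to_decimal(decode(gps[GPS_LON], end), opt(gps, GPS_LON_REF, "E")),
        "gps_date": opt(gps, GPS_DATESTAMP),           # UTC date of the fix, if the camera wrote it
        "datetime": opt(ifd0, TAG_DATETIME),           # device-local clock, no time zone field
    }

def build_sample_jpeg():
    """Constructed sample, not a real photo: a marker skeleton with one little-endian EXIF block."""
    E = "<"
    ent = lambda tag, typ, n, val: struct.pack(E + "HHI", tag, typ, n) + val
    ptr = lambda off: struct.pack(E + "I", off)
    rat = lambda *pairs: b"".join(struct.pack(E + "II", a, b) for a, b in pairs)
    dt, gd = b"2017:03:01 12:00:00\x00", b"2017:03:01\x00"
    lat, lon = rat((51, 1), (30, 1), (260, 10)), rat((0, 1), (7, 1), (390, 10))  # hypothetical fix
    dt_off = 8 + 2 + 2 * 12 + 4                        # IFD0 with 2 entries ends here
    gps_off = dt_off + len(dt)
    lat_off = gps_off + 2 + 5 * 12 + 4                 # GPS IFD with 5 entries ends here
    lon_off, gd_off = lat_off + len(lat), lat_off + len(lat) + len(lon)
    tiff = (b"II" + struct.pack(E + "HI", 42, 8)
            + struct.pack(E + "H", 2) + ent(TAG_DATETIME, 2, len(dt), ptr(dt_off))
            + ent(TAG_GPS_IFD, 4, 1, ptr(gps_off)) + ptr(0) + dt
            + struct.pack(E + "H", 5) + ent(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
            + ent(GPS_LAT, 5, 3, ptr(lat_off)) + ent(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
            + ent(GPS_LON, 5, 3, ptr(lon_off)) + ent(GPS_DATESTAMP, 2, len(gd), ptr(gd_off))
            + ptr(0) + lat + lon + gd)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

`gps_from_jpeg(build_sample_jpeg())` returns roughly 51.5072 N, 0.1275 W with the two date strings; a JPEG with no EXIF or no GPS IFD returns None rather than failing. Two caveats belong next to any geotag exhibit: EXIF DateTime is the device's local clock with no time-zone field (only GPSDateStamp/GPSTimeStamp are UTC), and these tags are plain metadata that the owner, an editor or a messaging app can strip or rewrite before the picture reaches you, so a geotag is a lead to corroborate against cell-site or location-cache data, not proof on its own.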


And because most smartphones also track our physical movements (either overtly or covertly)....we can see where people have been

Exhibit 5 – Cell Tower Analysis


#1 Forensic Acquisition is slow and costly

Exhibit 6 - Challenges


Exhibit 7 – Usual Suspects


Forensic Acquisition Notes:

Device: iPhone 64GB
Start time: 12:00 hrs
End time: 18:00 hrs

Exhibit 21 – Phone Report


#2 And Difficult


“On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”

Apple Inc, 2016

iOS Physical Acquisition

The technique only works on jailbroken 32-bit devices, or on 32-bit devices with a known passcode that can be jailbroken by the investigator.

*No current jailbreak for the latest version of iOS (*accurate at time of writing)

iOS Logical Acquisition

If the passcode is known (or there is a way of finding it out), the investigator can cause the device to produce an offline backup via iTunes. This backup can subsequently be analysed – with some restrictions.
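To make the analysis step concrete, here is an added example (not from the Nuix deck or any Nuix product) of how files are addressed inside an iTunes backup once it is readable: every backed-up file is stored under a name that is the SHA-1 of "domain-relativePath", and the SQLite Manifest.db maps those names back to domains and paths. The block builds an in-memory Manifest.db with a few commonly cited artefact locations (assumed values, to be confirmed against the manifest of the backup in hand) plus one deliberately mismatched row, then shows the lookup and a consistency check that a genuine backup passes.

```python
import hashlib
import sqlite3

# Layout facts for iTunes/Finder backups once they are readable (unencrypted, or decrypted):
#  - each backed-up file is stored under the name fileID = SHA-1("<domain>-<relativePath>")
#  - iOS 10 and later place it at <backup>/<fileID[:2]>/<fileID>; older backups used a flat
#    directory and Manifest.mbdb instead of the SQLite Manifest.db modelled here
MANIFEST_SCHEMA = ("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                   "relativePath TEXT, flags INTEGER, file BLOB)")

# Commonly cited artefact locations as (domain, relativePath). Treat these as assumptions to
# confirm against the Manifest.db of the backup in hand, not as an authoritative list.
ARTEFACTS = {
    "messages":     ("HomeDomain", "Library/SMS/sms.db"),
    "contacts":     ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
    "whatsapp":     ("AppDomainGroup-group.net.whatsapp.WhatsApp.shared", "ChatStorage.sqlite"),
}

def file_id(domain, relative_path):
    """The on-disk name of a backed-up file: SHA-1 over 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

def backup_path(backup_dir, fid, ios10_layout=True):
    """Where to look for fileID inside the backup folder (string building only, no disk access)."""
    return f"{backup_dir}/{fid[:2]}/{fid}" if ios10_layout else f"{backup_dir}/{fid}"

def build_sample_manifest():
    """Constructed in-memory Manifest.db: the ARTEFACTS rows plus one row whose fileID does
    not match its domain/path, standing in for a hand-edited or mis-copied backup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(MANIFEST_SCHEMA)
    rows = [(file_id(d, p), d, p, 1, None) for d, p in ARTEFACTS.values()]
    rows.append(("0" * 40, "HomeDomain", "Library/Notes/notes.sqlite", 1, None))  # tampered row
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def locate(conn, backup_dir, domain, relative_path):
    """Resolve domain/relativePath through the manifest to (path, fileID), or None if absent."""
    row = conn.execute("SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
                       (domain, relative_path)).fetchone()
    return None if row is None else (backup_path(backup_dir, row[0]), row[0])

def inconsistent_rows(conn):
    """Rows whose fileID is not SHA-1(domain-relativePath). A backup written by iTunes has
    none, so any hit means the manifest or the file names were altered after the fact."""
    return [(fid, domain, path)
            for fid, domain, path in conn.execute("SELECT fileID, domain, relativePath FROM Files")
            if fid != file_id(domain, path)]

if __name__ == "__main__":
    db = build_sample_manifest()
    for name, (domain, path) in ARTEFACTS.items():
        print(f"{name:13} {locate(db, '/evidence/backup', domain, path)[0]}")
    print("inconsistent rows:", inconsistent_rows(db))
```

The restriction the slide alludes to cuts both ways. If "Encrypt local backup" was on, Manifest.db and every file in the backup are encrypted under keys derived from the backup password, so this lookup only works after the password is known; in exchange, an encrypted backup with a known password contains items an unencrypted one omits, such as keychain entries and Health data, which is why examiners who control the backup prefer to set a password.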

iCloud – “Over the Air” Acquisition

Backups are incremental and occur automatically every time that the device is locked, charging and connected to a known Wi-Fi network (all conditions must be met).


#2 And Difficult

Sending to Manufacturer

Samsung has an official policy to support information extraction when serving a Government request. However, Android is a highly fragmented platform with several hundred manufacturers and thousands of device models.

Physical Acquisition of Android Devices

Success depends on: make, model, carrier, Android version, user settings, root status, lock status, whether the PIN code is known and whether the “USB debugging” option is enabled. “...Won’t know until you try!”

JTAG Forensics

Uses the Joint Test Action Group (JTAG) port to access raw data in the device. Often works for locked, damaged or otherwise inaccessible devices. However, if the disk is encrypted, this process will produce an encrypted image.

Chip-Off Acquisition

Low-level, destructive acquisition via physical de-soldering of memory chips and specialised hardware to read device contents. If encryption has not been enabled it will produce a full binary image, including unallocated space.

NANDroid Backups

For rooted devices, this process can extract a full file system of the device by generating a NANDroid backup, created by booting the device into a custom recovery mode.


#3 Computers and mobile devices are often examined separately

Exhibit 10 - Seized Items


Exhibit 32 - Report(s) from phones

Exhibit 21 - Report(s) from computers


Which can make it almost impossible to identify and review evidence, and to identify intelligence, across multiple data sources, devices and crime scenes...

Exhibit 34 – map showing crime scenes


But what does all this have to do with Nuix?!


Single Pane of Glass view into all the data

Whilst we are not quite at Minority Report just yet... BUT

Case Studies


Case Studies

Expenses Fraud

– A person used a work-related mobile device and laptop to go about their normal work. They submitted claims / expenses for fuel for multiple trips, amounting to several hundred pounds a week for over a year.

– The download of the phone, linked to location data, provided evidence to support that they were not where they claimed to be at specific times.

– Cross-referencing this with other information, including internet activity from their laptop, demonstrated that they were on the internet at the times they alleged they had been travelling.


Case Studies

WhatsApp Chat

– Examination of multiple devices linked to suspects involved in fraudulent activity. WhatsApp messages identified banking information, location information and shared images linked to the fraud.

– By creating a timeline of events you could see, across multiple phones, the movement of suspects to agreed locations for the drop of goods and the ultimate collection of money.


Case Studies

Linking activity across devices/platforms

– Examination of activity from an iPad, iPhone and iPod touch.

– Identified that they had wiped their mobile phone; however, the iPad and iPod touch linked to the phone also recorded the internet activity and call records.

– iPhone "Handoff" was enabled, therefore calls made on the mobile phone could have come through the iPod touch, iPad, Mac, etc.
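The expenses case, the WhatsApp timeline and the cross-device case above all come down to putting records from several devices on one clock. As an added example (not the presenters' code or a Nuix feature), the Python below normalises the epochs an examiner meets when joining phone and computer artefacts (Unix seconds and milliseconds, Apple absolute time in seconds and nanoseconds, WebKit microseconds since 1601), merges constructed sample records into one UTC timeline, answers the expenses-style question "what was the laptop doing during the claimed journey?", and offers a plausibility check for an unlabelled integer column. The records, the source names and the 2007-2030 plausibility window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
APPLE_OFFSET = 978_307_200       # seconds from 1970-01-01 to 2001-01-01 (Apple absolute / Core Data epoch)
WEBKIT_OFFSET = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01 (WebKit/Chrome epoch)
PLAUSIBLE_YEARS = (2007, 2030)   # assumption: window a smartphone-era timestamp should fall in

def utc(year, month, day, hour=0, minute=0, second=0):
    """Shorthand for an aware UTC datetime, used for claim windows and in the tests."""
    return datetime(year, month, day, hour, minute, second, tzinfo=UTC)

def from_unix(seconds):
    """Epoch arithmetic with timedelta, so negative or absurd values behave the same on every
    platform (OverflowError when out of range) instead of depending on the C time functions."""
    return UNIX_EPOCH + timedelta(seconds=seconds)

DECODERS = {
    "unix":     from_unix,                                    # e.g. location caches
    "unix_ms":  lambda v: from_unix(v / 1000),                # Android mmssms.db / call logs
    "apple":    lambda v: from_unix(v + APPLE_OFFSET),        # Apple absolute time in seconds
    "apple_ns": lambda v: from_unix(v / 1e9 + APPLE_OFFSET),  # iOS 11+ sms.db 'date' (nanoseconds)
    "webkit":   lambda v: from_unix(v / 1e6 - WEBKIT_OFFSET), # Chrome History visit_time (microseconds)
}

def guess_epoch(raw):
    """Read one unlabelled integer under every known epoch; keep the readings that land in
    PLAUSIBLE_YEARS. More than one hit means the column must be checked against the schema."""
    hits = []
    for name, decode in DECODERS.items():
        try:
            when = decode(raw)
        except (OverflowError, ValueError):
            continue
        if PLAUSIBLE_YEARS[0] <= when.year <= PLAUSIBLE_YEARS[1]:
            hits.append((name, when))
    return hits

# Constructed records (source, epoch format, raw value, description) standing in for rows taken
# from an iPhone extraction, an Android extraction and a laptop image in an expenses enquiry.
SAMPLE_RECORDS = [
    ("iPhone/locations",      "unix",     1488369000,            "location fix at home address"),
    ("iPhone/sms.db",         "apple_ns", 510062400_000_000_000, "iMessage: 'leaving for the site now'"),
    ("Laptop/Chrome History", "webkit",   13132843500_000_000,   "visit to webmail"),
    ("Laptop/Chrome History", "webkit",   13132845300_000_000,   "visit to online banking"),
    ("Android/mmssms.db",     "unix_ms",  1488373200_000,        "SMS: 'back from the site'"),
]

def build_timeline(records):
    """Normalise every record to an aware UTC datetime and order them across all devices."""
    events = [(DECODERS[fmt](raw), source, desc) for source, fmt, raw, desc in records]
    return sorted(events, key=lambda e: e[0])

def events_between(timeline, start, end, source_prefix=""):
    """Events from one device family inside a window, e.g. laptop activity during a journey
    the subject claims to have been making."""
    return [e for e in timeline if start <= e[0] <= end and e[1].startswith(source_prefix)]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    for when, source, desc in timeline:
        print(when.isoformat(), source, desc)
    claimed_trip = (utc(2017, 3, 1, 12), utc(2017, 3, 1, 14))
    for when, source, desc in events_between(timeline, *claimed_trip, "Laptop/"):
        print("during claimed trip:", when.isoformat(), desc)
```

Everything stays timezone-aware UTC and is converted to local time only for presentation. Record which epoch each source used alongside the converted value: a column read as Unix seconds when it holds Apple seconds shifts every event by 31 years, and a seconds/milliseconds mix-up by a factor of a thousand, which is exactly the kind of error `guess_epoch` is there to catch before a cross-device timeline goes into a report.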

Mobile Devices in Nuix


In summary

• Mobile device usage will keep on growing –

investigators need to be prepared

• Current methods and tools make it lengthy,

difficult or just not possible to see the

complete picture of the case

• Nuix supports mobile device extractions – just

like any data type

• Link people with objects, locations and events

across all the digital evidence

• Reduce mobile device processing backlogs,

triage and solve cases faster


Questions

?