Project 3: Mobile Incident Response and Investigations
The mobile platform is experiencing explosive growth, and with that growth comes cyber-incident analysis and response challenges. There are several thousand types of mobile devices, with many types of interfaces, operating systems, and connectivity options. This type of environment has many implications for an incident responder. The number of devices makes it impossible to be well-versed in each one, complicating analyses. The sheer number of devices also creates a massive expense simply trying to stay abreast of the major players in the market. Complicating this further is that mobile devices can be the target of a security incident, but mobile devices can also prove to be a means to coordinate, support, or execute an attack. The nature of mobile devices presents other challenges as well, including the ability to remotely access devices and the ability to remotely wipe out evidence, an evidence destruction process that can occur rapidly in a flash memory environment.
Mobile forensics is an increasingly complex environment for investigators because of the rapid rate of innovation and adoption of new technologies, applications, and hardware. Smartphones are being used in so many ways that they have become a central focus in digital forensic investigations. The mobile platform is a forensic challenge because of the number of third-party applications found on many devices and the rapidly evolving security measures employed by device manufacturers and application developers.
In this project, you will write a 13- to 21-page white paper that describes the current state of mobile incident response and investigation. The context is that as a forensic investigator, you are providing an objective overview of mobile technology and digital forensic and incident response capabilities for a law enforcement unit that has limited experience and capability with mobile forensics.
Your white paper will describe mobile investigative challenges and the techniques and technologies available to perform mobile forensic examinations. You will also provide your perspective on the future of mobile forensics—the biggest threat to mobile forensics in years to come, and the biggest opportunity for investigators of mobile cybercrime. The most successful papers will include references to resources outside of the classroom.
There are six steps in this project. Each step focuses on one required element of the paper to be submitted at the end of this project. In Step 1, you will provide an overview of mobile technologies and cellular networks.
Your work will be evaluated using the competencies listed below.
- 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
- 1.5: Use sentence structure appropriate to the task, message, and audience.
- 1.6: Follow conventions of Standard Written English.
- 1.7: Create neat and professional-looking documents appropriate for the project or presentation.
- 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
- 5.1: Demonstrate best practices in organizing a digital forensic investigation.
- 6.1: Perform report creation, affidavit creation, and preparation to testify.
- 6.2: Demonstrate ability to investigate mobile technology.
Step 1: Conduct a Mobile Technology Overview
You’re ready to begin writing the white paper. The sheriff has stated that the first section should be an overview of how cellular networks operate. You decide to provide an overview of cellular networks: how mobile phones communicate with cell sites, cellular-to-cellular communication, mobile switching centers, and the base switching subsystem. You also want to cover the technology of mobile networks, including form factors of smart devices and other wireless technologies.
Submit the results of your research (three to five pages) to the sheriff (your instructor) for review and ungraded feedback. Incorporate any suggested changes. Your overview will serve as the introduction to the 13- to 21-page white paper for this project.
Since mobile technologies are constantly changing, you decide to address trends in mobile technology in the next section of your paper. You know that NIST 800-101, Revision 1, will provide a good starting point on all these topics.
Overview of Cellular Networks
Cellular networks are different from computer networks found in a typical home or office.
The two most common cellular networks are known as Code Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM). CDMA is commonly found in the United States, whereas GSM originated in Europe and is used worldwide. Is your mobile device compatible with both CDMA and GSM networks? More modern devices, such as Apple’s iPhone, are compatible with both networks, while many other devices are not unless the SIM (subscriber identity module) card is replaced. Mobile devices are typically tied to a mobile service provider that uses one or more types of cellular networks.
Despite the differences in cellular networks, are the technology and organization of the cellular network similar and conceptually the same? What is a mobile switching center? What is the detailed process a mobile device uses to communicate with a cell site? Read the “Cellular Networks Overview” below to answer these questions.
Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics: NIST Special Publication 800-101, Revision 1. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
- For a quick read, see this excerpt from NIST 800-101, Cellular Network Characteristics.
- Or see the complete Guidelines on Mobile Device Forensics.
Form Factors of Smart Devices and Other Wireless Technologies
Don’t mistake the compact size of a modern-day smartphone or mobile device such as a tablet for limitations in its power and capability. These devices have powerful processors, sufficient RAM, and storage that may be both internal and external, such as an SD (secure digital) card.
These devices are also multihomed in that they separately or simultaneously communicate over the cellular network and a typical home or office network. Employees may now come to the office with private internet access in their pocket, with little or no control via the information security team.
As these devices pass between wireless network access points and cellular network nodes, they intelligently connect and disconnect, often without the need for user action. They are also constantly listening for known and unknown wireless networks. In addition, these devices will continually probe their preferred network list (PNL) for previously connected wireless networks and, when found, connect to the strongest signal.
What vulnerabilities are presented by this technology? What unique challenge does this present to the forensic examiner in terms of education requirements and evidence handling and location?
The resources below provide insight on the mobile devices themselves as well as their networks.
Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics: NIST Special Publication 800-101, Revision 1. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
Step 2: Describe Trends in Mobile Technology
With the overview drafted, you now need to describe trends in mobile technology. For this step, you will address handset transmission types, mobile operating systems, challenges with mobile technology, and mobile device threats. The “trends” section would not be complete without addressing the latest in embedded device forensics.
Review this three- to five-page section of your paper for accuracy and completeness; it will serve as the second section of the final white paper.
Once you have developed this section, you are ready to move on to considerations for the forensic handling of mobile devices.
Step 3: Discuss Laws, Regulations, and the Forensic Handling of Mobile Devices
After detailing trends in mobile technology, your next step is to discuss laws and regulations governing the search and seizure of mobile devices under the Fourth Amendment to the US Constitution, including describing the mobile device forensics process, considerations for effectively handling mobile devices during an investigation, use of proper investigative techniques, types of mobile forensics tools available, and identifying where digital forensics evidence may be found on mobile devices.
It is important for you to research electronic seizure practices for complying with the Fourth Amendment when searching and seizing mobile devices. Cite reference sources in your final white paper discussion.
These subjects are important because mobile devices present unique challenges when it comes to handling and analysis, and court cases are won or lost based on the arresting officer’s understanding of legal technicalities. Review this three- to five-page section of your paper for accuracy and completeness; it will serve as the third section of the final white paper.
Upon completion of this section, you will be ready to move on to the next section of your paper: forensic tools and investigative techniques.
Step 4: Describe How to Analyze and Present Forensic Information
You have discussed your research on laws, regulations, and forensic handling. You are now ready to create the fourth section of the white paper, where you describe the analysis and presentation of forensic information.
Based on your training, you know you will need to include mobile file system analysis, techniques for bypassing security measures, and third-party applications in this section. In addition, you will address data carving, file system, and compound file analysis and the presentation of a case report.
Review this three- to five-page section of your paper for accuracy and completeness; it will serve as the fourth section of the final white paper.
You are ready to move on to a final, less-objective summary of your research on the evolving field of mobile forensics.
Step 5: List the Biggest Threat and Most Promising Technology
In the previous four steps, you have reported on a variety of topics relating to mobile forensics. You have read and reported on technologies, trends, laws and regulations, handling, and analysis of mobile data. For the final section of your paper, the sheriff has asked for your perspective on the biggest threat posed by cyber criminals using mobile technology, and a technology that promises a solution.
Reflect on your in-class and outside readings, as well as your personal and professional experience, to respond to these questions. There are no right or wrong answers, but you should provide references for your observations. You will be attaching this one-page section to the white paper.
Step 6: Submit Completed White Paper: Mobile Incident Response and Investigations
You have collected the information needed to inform your department’s future decisions regarding mobile forensics. In this step, you will combine the five sections that you’ve written into a single, cohesive white paper. Your 13- to 21-page paper should be double-spaced, excluding images and references. Use 12-point font and APA format.
Include the following five sections:
- Overview of mobile technology, including network operations and mobile technologies
- Description of trends in mobile technology, including handset transmission types and embedded device forensics, as well as operating systems, applications, and challenges and threats to forensic investigations
- Laws, regulations, and considerations for the forensic handling of mobile devices
- Analysis and presentation of forensic information including file system analysis, techniques for working through security measures, third-party applications, and other forms of mobile data analysis
- Personal perspective on the biggest threat and greatest opportunity/most promising technology in mobile forensics, based on in-class and outside readings, as well as personal/professional experience
Upon completion of the steps, submit the white paper on Mobile Incident Response and Investigations to the sheriff (your instructor) for evaluation.