
Mobile Telephony: The Next Wave in Cyber Crime

Presented in partnership with

Agenda
Webex housekeeping notes
Introductions
  Eoghan Casey, cmdLabs
  Sgt. Dan Morrissey, Sacramento Sheriff's Department
  Christopher Shin, VP Engineering, Cellebrite USA
Cellebrite UFED + i2 Analyst's Notebook demonstration
Questions & Answers

Eoghan Casey
Eoghan Casey is founding partner of cmdLabs, author of the foundational book Digital Evidence and Computer Crime, and co-author of Malware Forensics. For over a decade, he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases, has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. Eoghan holds a B.S. in Mechanical Engineering from the University of California at Berkeley, and an M.A. in Educational Communication and Technology from New York University. He conducts research and teaches graduate students at Johns Hopkins University Information Security Institute, and is Editor-in-Chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.

Bank Robbery
Fake banking applications for Android
ZeuS in the mobile (Zitmo)
  Symbian and possibly BlackBerry
  Starts by compromising computers
  Captures online banking details
  Asks users for cell phone number and model
  Intercepts SMS associated with online banking
    Mobile transaction authentication numbers
  Approves unauthorized bank transactions

Financial Wars
Canadian Imperial Bank of Commerce
Central archive of BlackBerry PIN messages
Former executives created new company
  "seemed to have believed [they] did not create any record of their e-mails on the [bank's] central computer systems"
Alleged solicitation of employees
Led to large-scale e-discovery
  Including mobile devices and home PCs

Terrorism
Improvised explosive devices
  Mobile phone connected as trigger
SIM cards were not present
Memory contained various IMSIs
NSP provided billing details
Tracked down suspects

Murder
John Gaumer
  Met Josie Brown on MySpace
  Arranged a date and killed her
Victim's phone provided clues
  Last location contradicted Gaumer
Accidental voicemail from Gaumer's phone
  "thumping noises, shouting and brief bursts of a woman's muffled screams"

Compromised BlackBerry
Malicious program running on BlackBerry. In the module listing below, the entry that stands out is "Smartphone", version 0.0, created Sat Jan 30 2010, sitting among RIM platform modules dated 2005.

Name                                 Version   Size    Created
-----------------------------------  --------- ------- -----------------------
net_rim_platform_resource__en_US     4.0.2.49  2288    Thu Sep 01 15:20:30 2005
net_rim_platform_im_resource__en_US  4.0.2.49  1824    Thu Sep 01 15:20:24 2005
net_rim_app_manager                  4.0.2.49  1796    Thu Sep 01 15:20:32 2005
net_rim_app_manager_console          4.0.2.49  3364    Thu Sep 01 15:20:33 2005
<edited for length>
net_rim_bb_phone_app                 4.0.2.49  79768   Thu Sep 01 15:23:38 2005
net_rim_bb_task_app                  4.0.2.49  38732   Thu Sep 01 15:35:35 2005
InstantMessaging                     4.1.7     329920  Fri Aug 12 13:54:17 2005
Smartphone                           0.0       28988   Sat Jan 30 09:54:08 2010
-----------------------------------  --------- ------- -----------------------
167 modules; 9282804 bytes total

MobileSpy

Forensic Acquisition
Logical acquisition
  Copy of files on the device, including metadata
  Interacts with operating system
  Routine backups
Physical forensic acquisition
  Includes deleted data
  Little or no alteration of the device
  May work with damaged devices
  Sometimes no battery is required

Physical Acquisition

File System Examination


HFS+
Keyword searches
File carving
Screen captures

Categories of Evidence
What
Phone call database
E-mail and memos
SMS / MMS
Internet and LAN access
  Visited URLs and saved pages

Who
Owner details and user accounts
Contacts and cohorts
Personalization (wallpaper, ringtones)

When
Calendar items
File system metadata
  Timestamps may not be immediately visible

Where
Location information

Temporal Analysis
Chronology of events (timeline)
  Beware of offsets and time zones
Frequency of events
  Who did a suspect communicate with most?
Confluence of events
  At the time of a crime, the suspect was in the same location as the victim
Breaks in a pattern
  Victim checked voicemail every day at around 8am

Event Timelining
Analysis of activities on a mobile device
| Item # | Time (UTC) | Description | Data Source | Comments |
|---|---|---|---|---|
| 1 | 20:58 | Photo taken (IMAGE_003.jpg) | My Pictures | Brick wall and grass |
| 2 | 21:01 | Sent SMS to 203-645-2774 | SMS | "I have your package" |
| 3 | 21:02 | Received SMS from 203-645-2774 | SMS | "Where can we meet that is safe" |
| 4 | 21:05 | Sent MMS to 203-645-2774 | MMS | "meeting place" with IMAGE_003.jpg. Photo was deleted. However, copy found in MMS log. |
| 5 | 21:34 | Video taken (VIDEO_001.mp4) | My Videos | |
| 6 | 21:40 | Call to 203-645-2774 | Call Log | |
| 7 | 21:42 | Call to 443-451-7331 | Call Log | |
| 8 | 21:43 | Call to 203-645-2774 | Call Log | |
| 9 | 23:54 | Audio recorded (VOICEMSG.AMR) | C:\Temp | |
| 10 | 23:56 | Sent MMS to 203-645-2774 | MMS | "codeword" with VOICEMSG.AMR. Audio file deleted. However, copy found in MMS log. |
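To make the temporal-analysis points concrete (normalizing per-source clock offsets to UTC, ranking who the device communicated with most, and tying a file deleted from one store to its surviving copy in the MMS log), here is an added example that is not part of the presentation. The records are constructed to mirror the slide's table; the per-source offsets (file system stamps in UTC-8, message and call logs in UTC) are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed records modelled on the slide's table. Each source stores time its
# own way (assumed here: file system stamps in local time UTC-8, message and call
# logs in UTC); the offset column records the clock each source used.
RAW = [
    # (source, timestamp as stored, source clock offset from UTC in hours, description, number, file)
    ("My Pictures", "2010-01-30 12:58", -8, "Photo taken", None, "IMAGE_003.jpg"),
    ("SMS", "2010-01-30 21:01", 0, "Sent SMS", "203-645-2774", None),
    ("SMS", "2010-01-30 21:02", 0, "Received SMS", "203-645-2774", None),
    ("MMS", "2010-01-30 21:05", 0, "Sent MMS", "203-645-2774", "IMAGE_003.jpg"),
    ("My Videos", "2010-01-30 13:34", -8, "Video taken", None, "VIDEO_001.mp4"),
    ("Call Log", "2010-01-30 21:40", 0, "Call", "203-645-2774", None),
    ("Call Log", "2010-01-30 21:42", 0, "Call", "443-451-7331", None),
    ("Call Log", "2010-01-30 21:43", 0, "Call", "203-645-2774", None),
    ("C:\\Temp", "2010-01-30 15:54", -8, "Audio recorded", None, "VOICEMSG.AMR"),
    ("MMS", "2010-01-30 23:56", 0, "Sent MMS", "203-645-2774", "VOICEMSG.AMR"),
]

def build_timeline(rows):
    """Normalize every record to UTC and return them in chronological order."""
    events = []
    for source, stamp, offset, desc, number, file in rows:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        utc = local.replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)
        events.append({"utc": utc, "source": source, "desc": desc,
                       "number": number, "file": file})
    return sorted(events, key=lambda e: e["utc"])

def most_contacted(events):
    """Frequency analysis: numbers ranked by how many events involve them."""
    return Counter(e["number"] for e in events if e["number"]).most_common()

def file_copies_across_sources(events):
    """Map each file name to the sources holding it, in time order, so a file
    deleted from one store can be tied to its surviving copy (here, the MMS log)."""
    seen = {}
    for e in events:
        if e["file"]:
            seen.setdefault(e["file"], []).append(e["source"])
    return seen

def render(events):
    """Plain-text timeline in the slide's layout: item, UTC time, description, source."""
    return "\n".join("%2d  %s  %-16s %s" % (i, e["utc"].strftime("%H:%M"), e["desc"], e["source"])
                     for i, e in enumerate(events, 1))
```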

Relational Analysis
Interactions
  Link diagrams
  Location of the suspect contradicts statement
Evaluation of source
  Location where photo was taken
  Photograph taken by specific camera
  Suspect's SIM card used in device

iPhone Location Details


cells.plist
cells-local.plist

Link Diagram

Sgt. Dan Morrissey


Dan Morrissey is an Intelligence Sergeant for the Sacramento County Sheriff's Department Main Jail and is responsible for Gang Investigations. SGT Morrissey has been in law enforcement for 15 years with assignments in Corrections, Patrol, Narcotics and Electronic Investigations. SGT Morrissey teaches internationally and is a court-recognized expert in digital evidence and mobile device investigations.

Notice
This presentation is not an official presentation of the Sacramento Sheriff's Department. The opinions expressed and content are the sole responsibility of the speaker. Opinions expressed herein are not the official opinion of the Sacramento Sheriff's Department.

Objectives
Look at the similarities between criminals

Review the capabilities of mobile device forensics

Text Messaging
Continues to be the #1 medium for communication
07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37

Difficult to understand, as slang is distinct to each criminal enterprise
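The hex string on the slide is a raw SMS in GSM 03.40 SMS-DELIVER PDU form, which is how a message looks when pulled from a SIM or handset memory rather than through the phone's UI. As an added example that is not part of the presentation, the decoder below recovers the service centre, sender, service-centre timestamp and 7-bit text from that exact string; the century rule for the two-digit year is an assumption, since the PDU does not carry it.

```python
# Added example: decode the raw SMS-DELIVER PDU shown on the slide (GSM 03.40 format).
# The hex string is the slide's own example; it is the widely reproduced tutorial PDU
# whose user data is the text "hellohello".
SLIDE_PDU = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"

def semi_octets(raw):
    """Nibble-swapped BCD digits (bytes 72 83 -> '2738'); trailing F filler dropped."""
    return "".join("%X%X" % (b & 0x0F, b >> 4) for b in raw).rstrip("F")

def unpack_7bit(data, septets):
    """Unpack GSM 7-bit septets packed LSB-first into octets (ASCII subset only)."""
    out = []
    for i in range(septets):
        idx, shift = divmod(7 * i, 8)
        val = data[idx] >> shift
        if idx + 1 < len(data):
            val |= data[idx + 1] << (8 - shift)
        out.append(chr(val & 0x7F))
    return "".join(out)

def address(raw, toa):
    """Render a number; type-of-number 1 in the type-of-address byte means international."""
    return ("+" if (toa >> 4) & 0x07 == 1 else "") + semi_octets(raw)

def decode_sms_deliver(hexpdu):
    """Return SMSC, sender, service-centre timestamp and text of a 7-bit SMS-DELIVER PDU."""
    raw = bytes.fromhex(hexpdu)
    smsc_len = raw[0]                               # SMSC field length incl. its type byte
    smsc = address(raw[2:1 + smsc_len], raw[1])
    pos = 1 + smsc_len
    if raw[pos] & 0x03 != 0:                        # TP-MTI 0 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    n = (raw[pos + 1] + 1) // 2                     # sender digit count -> octets
    sender = address(raw[pos + 3:pos + 3 + n], raw[pos + 2])
    pos += 3 + n
    dcs = raw[pos + 1]                              # skip TP-PID, read TP-DCS
    if dcs & 0x0C != 0:
        raise ValueError("only the default 7-bit alphabet is handled here")
    pos += 2
    ts = semi_octets(raw[pos:pos + 7])              # YYMMDDhhmmss + zone in quarter hours
    tens, units = raw[pos + 6] & 0x0F, raw[pos + 6] >> 4   # zone sign sits in bit 3 of tens
    q = (tens & 0x07) * 10 + units
    year = ("19" if int(ts[:2]) >= 80 else "20") + ts[:2]  # century not encoded (assumption)
    stamp = "%s-%s-%s %s:%s:%s UTC%s%02d:%02d" % (
        year, ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12],
        "-" if tens & 0x08 else "+", q // 4, q % 4 * 15)
    udl, ud = raw[pos + 7], raw[pos + 8:]           # user data length is in septets
    return {"smsc": smsc, "sender": sender, "timestamp": stamp, "text": unpack_7bit(ud, udl)}
```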

SMS Deciphering
"Fuk d4 bopz. U $N1th n U on da BB W1Fi"
Translation: Do not talk to the police. If you do you will have to answer to the Bottom Bitch. I own you.
  Fuk and $N1th are missing the letter C because the suspect pimp is a Blood gang member and will not use anything associated with a Crip gang member
  BB is not Baby, which is a common internet translation. In this context it is Bottom Bitch, the ranking prostitute of an individual pimp's stable
  W1Fi is wifey, which, as a prostitute, means you are my possession

Similarities
The use of technology by non-technical criminals is extensive
  Whether your primary transportation is a skateboard or a Mercedes Benz
Communication is a necessary component for the coordination of criminal acts

Things Are Not What They Seem


Mortgage Fraud
Domestic Violence

Narcotics

Human Trafficking

Mobile Forensics Themes


Examine a device for evidence that either links a subject to a crime or excludes them from it
Use provider information to place a subject either at or away from a crime scene
Examine devices to gather intelligence for either current or future investigations

Intelligence
Before Mobile Forensics
  Write down names and numbers
  Link people by hand to show relationships
  Rely on criminal data searches to link people

Phonebooks

2010 Limited Contact Study


20 phones from NIC Property
Backgrounds on each owner
Called each of the listed phonebook contacts

Results of the Study


60 days from time of arrest: 82% of contacts had the same phone numbers
180 days: 40% had the same numbers
If the subject had a job and was in custody on a misdemeanor, contacts stayed at 95%
If the subject had no job and was in custody on a felony, contacts fluctuated between 18% and 40%
If the owner was gang affiliated, the contacts decreased to 57% at 60 days and to 16% at 180 days

First Key Point Learned


Of the gang affiliated phones 75% had at least one (1) contact arrested within the 180 day study

Second Key Point Learned


100% of all the owners called 25% or more of their contact list while incarcerated.

Jail call-log excerpt for one inmate account, as shown on the slide (InmateID column blank in the original):

| Site | Card Number | InmateID | Phone number | CallType | TalkSecs | State | Location |
|---|---|---|---|---|---|---|---|
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 859 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 879 | CA | ELK GROVE |
| Jail | 1234567 | | 4527195 | Collect | 858 | CA | SACRAMENTO |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 181 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 894 | CA | ELK GROVE |
| Jail | 1234567 | | 8978335 | Admin Setup | 21 | CA | ELK GROVE |
| Jail | 1234567 | | 6865632 | Admin Setup | 60 | CA | ELK GROVE |
| Jail | 1234567 | | 6703440 | Admin Setup | 60 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 877 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 847 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 73 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 14 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 5099659 | Admin Setup | 60 | CA | ELK GROVE |
| Jail | 1234567 | | 6863632 | Admin Setup | 43 | CA | ELK GROVE |
| Jail | 1234567 | | 53073600 | Admin Setup | 60 | TX | EL PASO |
| Jail | 1234567 | | 3575501 | Prepaid collect | 698 | CA | ELK GROVE |
| Jail | 1234567 | | 3575501 | Prepaid collect | 903 | CA | ELK GROVE |
| Jail | 1234567 | | 3692074 | Collect | 903 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 894 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 883 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 327 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 240 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 854 | CA | SACRAMENTO |
| Jail | 1234567 | | 3692074 | Collect | 875 | CA | SACRAMENTO |

Future Phone Trends


Increase of third party GSM SIM cards
Prepaid data phones

Christopher Shin
Chris Shin has been VP Engineering for Cellebrite USA Corp since 2002. Chris has 12+ years of experience in the mobile communications industry, specializing in mobile devices and forward-looking technologies. Mr. Shin's experience includes acting as a liaison for all US-based carrier customers and managing multiple technical engineering projects with device original equipment manufacturers and original design manufacturers. Prior to Cellebrite, Mr. Shin was a Member of Technical Staff at Verizon Wireless HQ in Warren, NJ. Chris holds a Bachelor of Science degree from Rutgers College of Engineering, NJ, in the fields of Electrical and Computer Engineering.

i2 Analysts Notebook + Cellebrite UFED Mobile Forensics Demonstration


Christopher Shin, VP Cellebrite USA

Q&A
We will now take time to answer the questions you have submitted during the presentation.

Contact Information
Eoghan Casey, cmdLabs, ecasey@cmdlabs.com
Dan Morrissey, Sacramento Sheriff Department, dmorrissey@sacsheriff.com
Christopher Shin, VP Engineering, Cellebrite USA, christopher@cellebriteusa.com

Get the Free Whitepaper!


Contact us for more information and receive the white paper "5 Emerging Mobile Cyber Crime Trends"
sales.americas@i2group.com, 888-546-5242
salesinfo.emea@i2group.com, +44 (0) 1223 728660
