Mobile Telephony: The Next Wave in Cyber Crime: Presented in Partnership With
Agenda
Webex housekeeping notes
Introductions
  Eoghan Casey, cmdLabs
  Sgt. Dan Morrissey, Sacramento Sheriff's Department
  Christopher Shin, VP Engineering, Cellebrite USA
Cellebrite UFED + i2 Analyst's Notebook demonstration
Questions & Answers
Eoghan Casey
Eoghan Casey is founding partner of cmdLabs, author of the foundational book Digital Evidence and Computer Crime, and co-author of Malware Forensics. For over a decade, he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases, has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. Eoghan holds a B.S. in Mechanical Engineering from the University of California at Berkeley, and an M.A. in Educational Communication and Technology from New York University. He conducts research and teaches graduate students at Johns Hopkins University Information Security Institute, and is Editor-in-Chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.
Bank Robbery
Fake banking applications for Android
ZeuS in the mobile (Zitmo)
  Symbian and possibly BlackBerry
  Starts by compromising computers
  Captures online banking details
  Asks users for cell phone number and model
  Intercepts SMS associated with online banking
    Mobile transaction authentication numbers (mTANs)
  Approves unauthorized bank transactions with the intercepted mTANs
Financial Wars
Canadian Imperial Bank of Commerce
  Central archive of BlackBerry PIN messages
  Former executives created a new company
    "seemed to have believed [they] did not create any record of their e-mails on the [bank's] central computer systems"
  Alleged solicitation of employees
  Led to large-scale e-discovery
    Including mobile devices and home PCs
Terrorism
Improvised explosive devices
  Mobile phone connected as trigger
  SIM cards were not present
  Memory contained various IMSIs
  Network service provider (NSP) provided billing details
  Tracked down suspects
Murder
John Gaumer
  Met Josie Brown on MySpace
  Arranged a date and killed her
Victim's phone provided clues
  Last location contradicted Gaumer
Accidental voicemail from Gaumer's phone
  "thumping noises, shouting and brief bursts of a woman's muffled screams"
Compromised BlackBerry
Malicious program running on BlackBerry. In the module listing below every platform module carries version 4.0.2.49 and a September 2005 build date; the "Smartphone" module reports version 0.0 and a creation date in January 2010.
Name                                 Version   Size    Created
-----------------------------------  --------  ------  ------------------------
net_rim_platform_resource__en_US     4.0.2.49  2288    Thu Sep 01 15:20:30 2005
net_rim_platform_im_resource__en_US  4.0.2.49  1824    Thu Sep 01 15:20:24 2005
net_rim_app_manager                  4.0.2.49  1796    Thu Sep 01 15:20:32 2005
net_rim_app_manager_console          4.0.2.49  3364    Thu Sep 01 15:20:33 2005
<edited for length>
net_rim_bb_phone_app                 4.0.2.49  79768   Thu Sep 01 15:23:38 2005
net_rim_bb_task_app                  4.0.2.49  38732   Thu Sep 01 15:35:35 2005
InstantMessaging                     4.1.7     329920  Fri Aug 12 13:54:17 2005
Smartphone                           0.0       28988   Sat Jan 30 09:54:08 2010
-----------------------------------  --------  ------  ------------------------
167 modules; 9282804 bytes total
MobileSpy
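Triaging a module listing like the one above by eye works for eight rows, not for 167. The following Python script is an added example (not from the presentation, and not a Cellebrite tool): it parses a listing in that column layout and flags the modules an examiner would look at first. The baseline it uses is the most common version string and the median creation time of the modules carrying it; the 90-day window and the "placeholder version" heuristic are choices made here, not rules from the slides. The embedded listing is constructed from the rows shown above.

```python
"""Triage a BlackBerry module listing: flag modules that do not fit the platform build."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the rows shown on the slide, in the same column layout.
MODULE_LISTING = """\
Name                                 Version   Size    Created
-----------------------------------  --------  ------  ------------------------
net_rim_platform_resource__en_US     4.0.2.49  2288    Thu Sep 01 15:20:30 2005
net_rim_platform_im_resource__en_US  4.0.2.49  1824    Thu Sep 01 15:20:24 2005
net_rim_app_manager                  4.0.2.49  1796    Thu Sep 01 15:20:32 2005
net_rim_app_manager_console          4.0.2.49  3364    Thu Sep 01 15:20:33 2005
<edited for length>
net_rim_bb_phone_app                 4.0.2.49  79768   Thu Sep 01 15:23:38 2005
net_rim_bb_task_app                  4.0.2.49  38732   Thu Sep 01 15:35:35 2005
InstantMessaging                     4.1.7     329920  Fri Aug 12 13:54:17 2005
Smartphone                           0.0       28988   Sat Jan 30 09:54:08 2010
-----------------------------------  --------  ------  ------------------------
167 modules; 9282804 bytes total
"""

# name, version, size, then a ctime-style date; header, rules and notes do not match and are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})$")


def parse_listing(text: str) -> list[dict]:
    modules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, version, size, created = m.groups()
        modules.append({
            "name": name,
            "version": version,
            "size": int(size),
            "created": datetime.strptime(created, "%a %b %d %H:%M:%S %Y"),
        })
    return modules


def flag_outliers(modules: list[dict], window_days: int = 90) -> list[tuple[str, list[str]]]:
    """Baseline: the most common version string and the median creation time of the modules
    carrying it (an approximation of the firmware build). Modules created far from that build,
    or reporting a placeholder version, are flagged with the reason."""
    platform_version = Counter(m["version"] for m in modules).most_common(1)[0][0]
    build_times = sorted(m["created"] for m in modules if m["version"] == platform_version)
    build_time = build_times[len(build_times) // 2]
    flagged = []
    for m in modules:
        reasons = []
        if m["version"] in ("0.0", "0", ""):  # heuristic: unversioned third-party code
            reasons.append("placeholder version " + repr(m["version"]))
        if abs(m["created"] - build_time) > timedelta(days=window_days):
            reasons.append(f"created {m['created']:%Y-%m-%d}, platform build is {build_time:%Y-%m-%d}")
        if reasons:
            flagged.append((m["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_outliers(parse_listing(MODULE_LISTING)):
        print(name, "->", "; ".join(reasons))
```

On the sample listing only the Smartphone module is flagged, for both reasons; InstantMessaging carries a different version but was created within three weeks of the platform build and so stays below the window. The window is deliberately a parameter: a handset that received an OS update will have two legitimate build clusters, and the examiner should then compare against the later one.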
Forensic Acquisition
Logical acquisition
  Copy of files on the device, including metadata
  Interacts with the operating system
  Routine backups
Physical forensic acquisition
  Includes deleted data
  Little or no alteration of the device
  May work with damaged devices
  Sometimes no battery is required
Physical Acquisition
Categories of Evidence
What
Phone call database
E-mail and memos
SMS / MMS
Internet and LAN access
  Visited URLs and saved pages
Who
Owner details and user accounts
Contacts and cohorts
Personalization (wallpaper, ringtones)
When
Calendar items
File system metadata
  Timestamps may not be immediately visible
Where
Location information
Temporal Analysis
Chronology of events (timeline)
  Beware of offsets and time zones
Frequency of events
  Who did a suspect communicate with most?
Confluence of events
  At the time of a crime, the suspect was in the same location as the victim
Breaks in a pattern
  Victim checked voicemail every day at around 8am
Event Timelining
Analysis of activities on a mobile device
Item  Time (UTC)  Description                      Data Source  Comments
----  ----------  -------------------------------  -----------  ----------------------------------------------------------------------
1     20:58       Photo taken (IMAGE_003.jpg)      My Pictures  Brick wall and grass
2     21:01       Sent SMS to 203-645-2774         SMS          "I have your package"
3     21:02       Received SMS from 203-645-2774   SMS          "Where can we meet that is safe"
4                 Sent MMS to 203-645-2774                      "meeting place" with IMAGE_003.jpg. Photo was deleted. However, copy found in MMS log.
5                 Video taken (VIDEO_001.mp4)
6                 Call to 203-645-2774
7                 Call to 443-451-7331
8                 Call to 203-645-2774
9                 Audio recorded (VOICEMSG.AMR)
10    23:56                                        MMS          "codeword" with VOICEMSG.AMR. Audio file deleted. However, copy found in MMS log.
Relational Analysis
Interactions
  Link diagrams
  Location of the suspect contradicts statement
Evaluation of source
  Location where photo was taken
  Photograph taken by specific camera
  Suspect's SIM card used in device
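The temporal analysis above ("beware of offsets and time zones", "who did a suspect communicate with most") and the interaction counts that feed a link diagram both start from the same step: every artefact has to be placed on one clock before it can be compared with the others. The Python below is an added example, not material from the presentation. It normalises records that use three common handset conventions (Unix seconds, Java/Android milliseconds, the 2001-based iOS epoch) plus SMS wall-clock stamps stored without zone information, sorts them into a UTC chronology, and counts communications per number. The records are constructed; the phone numbers and file names echo the timeline above but the raw values and the assumed UTC-5 handset setting are made up for this example.

```python
"""Build one UTC chronology from artefacts whose clocks use different epochs and zones."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Epoch conventions met when reading timestamps off handsets and their backups.
EPOCHS = {
    "unix_s": datetime(1970, 1, 1, tzinfo=timezone.utc),   # seconds since 1970 (most SQLite stores)
    "unix_ms": datetime(1970, 1, 1, tzinfo=timezone.utc),  # milliseconds since 1970 (Java/Android logs)
    "apple_s": datetime(2001, 1, 1, tzinfo=timezone.utc),  # seconds since 2001 (iOS "absolute time")
}


def to_utc(raw, kind: str, local_offset_minutes: int = 0) -> datetime:
    """Normalise one raw timestamp to an aware UTC datetime.

    kind "local" is a wall-clock string stored without zone information (as SMS time stamps
    often are); the zone the handset was set to must then be supplied by the examiner, and an
    error there shifts every such record on the timeline by the same amount."""
    if kind == "local":
        naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
        return (naive - timedelta(minutes=local_offset_minutes)).replace(tzinfo=timezone.utc)
    if kind == "unix_ms":
        return EPOCHS[kind] + timedelta(milliseconds=raw)
    return EPOCHS[kind] + timedelta(seconds=raw)


# Constructed sample records, deliberately out of order and in mixed formats.
# Assumption: the suspect handset's SMS store was set to US Eastern (UTC-5), hence offset -300.
# The last record comes from the other party's handset (an iOS backup), corroborating the MMS.
RECORDS = [
    {"source": "call log", "raw": 1264887900000, "kind": "unix_ms", "offset": 0,
     "what": "Call to 443-451-7331", "contact": "443-451-7331"},
    {"source": "SMS", "raw": "2010-01-30 16:01:00", "kind": "local", "offset": -300,
     "what": "Sent SMS to 203-645-2774", "contact": "203-645-2774"},
    {"source": "My Pictures", "raw": 1264885080, "kind": "unix_s", "offset": 0,
     "what": "Photo taken (IMAGE_003.jpg)", "contact": None},
    {"source": "call log", "raw": 1264888200000, "kind": "unix_ms", "offset": 0,
     "what": "Call to 203-645-2774", "contact": "203-645-2774"},
    {"source": "SMS", "raw": "2010-01-30 16:02:00", "kind": "local", "offset": -300,
     "what": "Received SMS from 203-645-2774", "contact": "203-645-2774"},
    {"source": "call log", "raw": 1264887600000, "kind": "unix_ms", "offset": 0,
     "what": "Call to 203-645-2774", "contact": "203-645-2774"},
    {"source": "203-645-2774 handset (iOS backup)", "raw": 286588560, "kind": "apple_s", "offset": 0,
     "what": "MMS with VOICEMSG.AMR received from suspect", "contact": "203-645-2774"},
]


def build_timeline(records: list[dict]) -> list[dict]:
    """Convert every record to UTC and sort; ties keep input order because sorted() is stable."""
    events = [dict(r, time=to_utc(r["raw"], r["kind"], r["offset"])) for r in records]
    return sorted(events, key=lambda e: e["time"])


def contact_frequency(events: list[dict]) -> Counter:
    """Who did the device owner communicate with most? Counts SMS, MMS and calls per number;
    the result doubles as the edge weights of a link diagram."""
    return Counter(e["contact"] for e in events if e["contact"])


def render(events: list[dict]) -> str:
    return "\n".join(f"{e['time']:%Y-%m-%d %H:%M}Z  {e['source']:<34} {e['what']}" for e in events)


if __name__ == "__main__":
    timeline = build_timeline(RECORDS)
    print(render(timeline))
    print(contact_frequency(timeline).most_common())
```

The offset is kept as data on each record rather than as a global constant so that a handset whose zone changed mid-investigation, or a second device set differently, can be represented honestly; a timeline built with the wrong zone for one source reverses the apparent order of events that are minutes apart, which is exactly the kind of confluence or contradiction an investigation turns on.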
Link Diagram
Notice
This presentation is not an official presentation of the Sacramento Sheriff's Department. The opinions expressed and content are the sole responsibility of the speaker. Opinions expressed herein are not the official opinion of the Sacramento Sheriff's Department.
Objectives
Look at the similarities between criminals
Text Messaging
Continues to be the #1 medium for communication
07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37
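The hex string above is a raw SMS-DELIVER PDU in the GSM 03.40 format, which is how a SIM and many handsets store a received text: service centre address, sender address, time stamp, data coding scheme and the user data packed seven bits per character. The decoder below is an added example, not material from the presentation or a Cellebrite product; it walks those fields and returns them as a dictionary, using the slide's PDU as its sample input. The two-digit-year pivot at 1970 is an assumption made here, and only the general and message-class data coding groups are handled.

```python
"""Decode a GSM 03.40 SMS-DELIVER PDU, the form in which SIMs and many handsets store texts."""
from datetime import datetime, timedelta, timezone

# GSM 03.38 default 7-bit alphabet. Letters and digits coincide with ASCII; '@', '$', '¡' and
# the accented/Greek positions do not, so a plain chr() would mis-decode them.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128

# The PDU from the slide, used here as sample input.
SLIDE_PDU = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"


def semi_octets(raw: bytes) -> str:
    """BCD digits are stored nibble-swapped; an odd digit count is padded with an F nibble."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")


def unpack_gsm7(raw: bytes, septets: int) -> str:
    """Septets are packed LSB-first across octets: septet i occupies bits 7i..7i+6 of the stream."""
    stream = int.from_bytes(raw, "little")
    return "".join(GSM7[(stream >> (7 * i)) & 0x7F] for i in range(septets))


def address(raw: bytes, toa: int, digits: int) -> str:
    """Type-of-address bits 6..4 give the TON: 001 international, 101 alphanumeric (7-bit packed)."""
    ton = (toa >> 4) & 0x07
    if ton == 0b101:
        return unpack_gsm7(raw, (digits * 4) // 7)
    number = semi_octets(raw)[:digits]
    return "+" + number if ton == 0b001 else number


def parse_sms_deliver(pdu_hex: str) -> dict:
    buf = bytes.fromhex(pdu_hex)
    pos = 0
    # SMSC block: length octet, type-of-address, BCD digits (length counts TOA + digit octets).
    smsc_len = buf[pos]
    pos += 1
    smsc = address(buf[pos + 1:pos + smsc_len], buf[pos], (smsc_len - 1) * 2) if smsc_len else ""
    pos += smsc_len
    first = buf[pos]
    pos += 1
    if first & 0x03 != 0:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    # Originating address: digit count (not octet count), TOA, then ceil(digits/2) octets.
    oa_digits, oa_toa = buf[pos], buf[pos + 1]
    pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = address(buf[pos:pos + oa_len], oa_toa, oa_digits)
    pos += oa_len
    pid, dcs = buf[pos], buf[pos + 1]
    pos += 2
    # Service-centre time stamp: YY MM DD hh mm ss, then the zone in quarter hours (bit 3 = sign).
    ts = semi_octets(buf[pos:pos + 6])
    tz = buf[pos + 6]
    pos += 7
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    if tz & 0x08:
        quarters = -quarters
    yy, mo, dd, hh, mi, ss = (int(ts[i:i + 2]) for i in range(0, 12, 2))
    year = 1900 + yy if yy >= 70 else 2000 + yy  # assumption: two-digit year pivots at 1970
    when = datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone(timedelta(minutes=15 * quarters)))
    udl = buf[pos]
    pos += 1
    ud = buf[pos:]
    if dcs < 0x40:            # general data coding: bits 3..2 select the alphabet
        alphabet = (dcs >> 2) & 0x03
    elif dcs >= 0xF0:         # data coding / message class group: bit 2 selects 7-bit vs 8-bit
        alphabet = (dcs >> 2) & 0x01
    else:
        alphabet = 0          # reserved and message-waiting groups: treat as 7-bit default
    if alphabet == 0:
        text = unpack_gsm7(ud, udl)          # UDL counts septets
    elif alphabet == 2:
        text = ud[:udl].decode("utf-16-be")  # UCS-2: UDL counts octets
    else:
        text = ud[:udl].hex()                # 8-bit data: leave raw
    return {"smsc": smsc, "sender": sender, "more_messages": not (first & 0x04),
            "pid": pid, "dcs": dcs, "timestamp": when.isoformat(), "text": text}


if __name__ == "__main__":
    for key, value in parse_sms_deliver(SLIDE_PDU).items():
        print(f"{key:>13}: {value}")
```

Run on the slide's PDU this yields the service centre +27381000015, the sender 27838890001, a time stamp of 1999-03-29 15:16:59 at +02:00 and the text "hellohello". Two details matter in practice: the time stamp is the service centre's local time with its own zone, not the handset's, and the user-data length counts septets for the 7-bit alphabet but octets for UCS-2, so a decoder that confuses the two silently truncates or over-reads the message.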
SMS Deciphering
Fuk d4 bopz. U $N1th n U on da BB W1Fi
Translation: "Do not talk to the police. If you do you will have to answer to the Bottom Bitch. I own you."
"Fuk" and "$N1th" are missing the letter C because the suspect pimp is a Blood gang member and will not use anything associated with a Crip gang member.
"BB" is not "Baby", which is the common internet translation. In this context it is "Bottom Bitch", the ranking prostitute of an individual pimp's stable.
"W1Fi" is "wifey", which, said to a prostitute, means "you are my possession".
Similarities
The use of technology by non-technical criminals is extensive, whether their primary transportation is a skateboard or a Mercedes-Benz.
Communication is a necessary component for the coordination of criminal acts.
Narcotics
Human Trafficking
Intelligence
Before Mobile Forensics
  Write down names and numbers
  Link people by hand to show relationships
  Rely on criminal data searches to link people
Phonebooks
Christopher Shin
Chris Shin has been the VP Engineering for Cellebrite USA Corp since 2002. Chris has 12+ years of experience in the mobile communications industry, specializing in mobile devices and forward-looking technologies. Mr. Shin's experience includes acting as a liaison for all US-based carrier customers and managing multiple technical engineering projects with device original equipment manufacturers and original design manufacturers. Prior to Cellebrite, Mr. Shin was a Member of Technical Staff at Verizon Wireless HQ in Warren, NJ. Chris holds a Bachelor of Science degree from Rutgers College of Engineering, NJ, in Electrical and Computer Engineering.
Q&A
We will now take time to answer the questions you have submitted during the presentation
Contact Information
Eoghan Casey, cmdLabs: ecasey@cmdlabs.com
Dan Morrissey, Sacramento Sheriff's Department: dmorrissey@sacsheriff.com
Christopher Shin, VP Engineering, Cellebrite USA: christopher@cellebriteusa.com