IRM #9 Smartphone Malware


1 Preparation

Objective: Establish contacts, define procedures, and gather information to save time during an attack.

■ The mobile helpdesk must have a defined process in case of a suspected malware infection: replace the user's smartphone with a new one and isolate the suspicious device for analysis by the forensic investigator.
■ Good knowledge of the usual activity of the smartphone is appreciated (default and extra tools running on it). A smartphone support expert can be helpful to assist the forensic investigator.
■ Monitoring should be in place to check for unusual user bills or network activity.

2 Identification

Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Main points of notification for a suspicious smartphone:

■ Antivirus raises alerts;
■ Unusual system activity, unusually slow system;
■ Unusual network activity, very slow Internet connection;
■ The system reboots or shuts down without reason;
■ Some applications crash unexpectedly;
■ The user receives one or multiple messages, some of which could contain unusual characters (SMS, MMS, Bluetooth messages, etc.);
■ Huge increase in phone bill or web activity;
■ Unusual calls to unusual phone numbers or at unusual hours/days.

Evidence such as website URLs needs to be gathered.

Ask the user about his/her usual activity on the smartphone: which websites are browsed, which external applications are installed. This information can optionally be cross-checked against the company's policy.

3 Containment

Objective: Mitigate the attack's effects on the targeted environment.

■ Ensure the user is given a temporary or new permanent device to avoid any time constraint on the investigation.
■ Back up the smartphone data.
■ Remove the battery to block all activity (wifi, Bluetooth, etc.).
■ Launch an antivirus check on the computers that are/have been synchronized or linked with the smartphone.
■ Send the suspicious smartphone and appropriate components (SIM, battery, power cable, memory cards) to your security incident response team. This team will help to isolate the malicious content and send it to antivirus companies.
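As an added example (not part of the IRM sheet), the following Python script applies several of the Identification indicators above (calls to unusual numbers, calls at unusual hours/days, messages with unusual characters, a huge increase in web activity) to constructed usage records. The record format, the list of usual numbers, the working hours and the 3x data threshold are assumptions for the demonstration.

```python
"""Flag smartphone usage records that match the IRM #9 Identification
indicators. Records, baseline and thresholds are constructed, not real."""
from collections import Counter
from datetime import datetime

# Assumed baseline of the user's usual activity (see Preparation: know the usual activity).
USUAL_NUMBERS = {"+33100000001", "+33100000002"}
BASELINE_DAILY_MB = 40.0
WORK_HOURS = range(7, 22)  # calls outside 07:00-21:59 count as "unusual hours"
SPIKE_FACTOR = 3           # assumption: 3x the daily baseline is a "huge increase"

# Constructed records: (timestamp, kind, peer, value).
# value is seconds for a call, the text for an SMS, megabytes for data.
RECORDS = [
    ("2024-05-06 09:15", "call", "+33100000001", 120),
    ("2024-05-06 03:12", "call", "+33899000111", 45),
    ("2024-05-06 03:14", "call", "+33899000111", 40),
    ("2024-05-06 10:00", "sms", "+33100000002", "meeting at 11"),
    ("2024-05-06 10:05", "sms", "+33899000222", "\x00\x07\x1b[\x01"),
    ("2024-05-06 23:59", "data", "-", 310.0),
]


def flag_records(records, usual_numbers=USUAL_NUMBERS, baseline_mb=BASELINE_DAILY_MB):
    """Return a list of (reason, record) tuples for every indicator hit."""
    flags = []
    data_per_day = Counter()
    for ts, kind, peer, value in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        rec = (ts, kind, peer, value)
        if kind == "call":
            if peer not in usual_numbers:
                flags.append(("call to unusual number", rec))
            if when.hour not in WORK_HOURS or when.weekday() >= 5:
                flags.append(("call at unusual hour/day", rec))
        elif kind == "sms":
            # Non-printable characters in a message body are one of the listed indicators.
            if any(not ch.isprintable() for ch in value):
                flags.append(("message with unusual characters", rec))
        elif kind == "data":
            data_per_day[when.date()] += value
    # Compare each day's data volume against the known baseline.
    for day, mb in sorted(data_per_day.items()):
        if mb > SPIKE_FACTOR * baseline_mb:
            flags.append(("huge increase in web activity", (day.isoformat(), "data", "-", mb)))
    return flags


if __name__ == "__main__":
    for reason, rec in flag_records(RECORDS):
        print(f"{reason}: {rec}")
```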
4 Remediation

Objective: Take actions to remove the threat and avoid future incidents.

If encryption or password protection is set, find a way to get access to the stored data. If this is not possible, the investigation will be severely limited.

Specific tools should be used by your incident response team to conduct the forensic investigation on the smartphone.

For information only, here is a short list of tools which can be useful:

Free tools: XDA Utils (Windows Mobile), MIAT (Mobile Internal Acquisition Tool – Symbian, Windows Mobile), TULP2G, Blackberry Desktop Manager

Commercial tools: XRY, Cellebrite, Paraben …

Actions:

■ Remove the SIM from the smartphone if not already done;
■ Recover phone history, web history and all available logs;
■ Recover server connection logs if available;
■ Identify and remove the threat on the smartphone;
■ If the threat is related to an installed application, identify its location on the Internet and remove it.

5 Recovery

Objective: Restore the system to normal operations.

If the user needs to recover data from the infected device, define a quarantine period and an appropriate anti-virus check, if possible, to ensure nothing could harm the user or the company's systems.

Restore the data saved previously from a trusted source onto the destination device.

Once the investigations are over, wipe the infected smartphone (if possible) and reset it to factory settings with a pristine firmware and file system, so that it can be used again.

6 Aftermath

Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Report

An incident report should be written and made available to all of the actors. The following themes should be described:

■ Initial detection
■ Actions and timelines
■ What went right
■ What went wrong
■ Incident cost

Capitalize

Actions to improve the smartphone policy should be defined to capitalize on this experience. Debrief the incident with the user to improve their awareness of security problems.

Incident Response Methodology

IRM #9
Malware on smartphone
How to handle a suspicious smartphone

IRM Author: CERT SG / Julien Touche
IRM version: 1.2
E-Mail: cert.sg@socgen.com
Web: https://cert.societegenerale.com
Twitter: @CertSG

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating a specific security issue.

Who should use IRM sheets?

■ Administrators
■ Security Operation Center
■ CISOs and deputies
■ CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow the IRM, take notes and do not panic. Contact your CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security incidents:

■ Preparation: get ready to handle the incident
■ Identification: detect the incident
■ Containment: limit the impact of the incident
■ Remediation: remove the threat
■ Recovery: recover to a normal stage
■ Aftermath: draw up and improve the process

The IRM provides detailed information for each step.

This document is for public use.