
CYBER SECURITY DA2

Name: Sreaya.V (21BIT0098)


A1+TA1 Slot
Cyber Forensics Workshop DAY 1 (13th April, 2024)
#MOBILE PHONE EVIDENCE SOURCES:
1. SIM
2. Internal memory
3. External memory (similar to an HDD)
4. Network operator
#ANDROID ARCHITECTURE
Android architecture is built upon a modified version of the Linux kernel and is structured into five main
components:

1.Linux Kernel: Serving as the foundational layer, the Linux kernel manages device drivers, power and
memory management, as well as device and resource access.

2.Native Libraries (Middleware): Situated atop the Linux kernel, native libraries like WebKit, OpenGL,
SQLite, and others provide essential functionalities for the Android system.

3.Android Runtime: Comprising core libraries and the Dalvik Virtual Machine (DVM), the Android
Runtime executes Android applications. DVM, akin to JVM but optimized for mobile devices, ensures
efficient memory usage and swift performance.

4.Application Framework: Positioned above the native libraries and Android Runtime, the Application
Framework encompasses Android APIs for various functionalities such as UI, telephony, location, and
data management through Content Providers. It offers a rich set of classes and interfaces for app
development.

5.Applications: At the pinnacle of the architecture are applications like home, contacts, and games, which
utilize the Android framework, runtime, and libraries. These components, in turn, interact with the Linux
kernel to execute operations on Android devices.
#MOBILE FORENSICS:
i. Android: rooting
ii. Normal user vs. privileged user
iii. iOS: jailbreaking

https://hub.packtpub.com/how-to-extract-sim-card-data-from-android-devices-tutorial/

Logical extraction overview


In digital forensics, the term logical extraction is typically used to refer to extractions that don’t
recover deleted data or do not include a full bit-by-bit copy of the evidence. However, a more
correct definition of logical extraction is any method that requires communication with the base
operating system. Because of this interaction with the operating system, a forensic examiner
cannot be sure that they have recovered all of the data possible; the operating system is choosing
which data it allows the examiner to access.

In traditional computer forensics, logical extraction is analogous to copying and pasting a folder
in order to extract data from a system; this process will only copy files that the user can access
and see. If any hidden or deleted files are present in the folder being copied, they won’t be in the
pasted version of the folder.

As you’ll see, however, the line between logical and physical extractions in mobile forensics is
somewhat blurrier than in traditional computer forensics. For example, deleted data can routinely
be recovered from logical extractions on mobile devices due to the prevalence of SQLite
databases being used to store data.
Furthermore, almost every mobile extraction will require some form of interaction with the
Android operating system; there is no simple equivalent to pulling a hard drive and imaging it
without booting the drive.

What data can be recovered logically?


For the most part, any and all user data may be recovered logically:

• Contacts
• Call logs
• SMS/MMS
• Application data
• System logs and information

The bulk of this data is stored in SQLite databases, so it’s even possible to recover large amounts
of deleted data through a logical extraction.
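The SQLite point above can be made concrete with a small experiment. This is an added example, not code from the tutorial or from any forensic tool: it builds a throwaway message table, deletes one row, and compares what a query through the database engine returns (the logical view) with what a raw scan of the file still contains. The table name, column names and message texts are constructed for this example; the `secure_delete` pragma is a real SQLite setting, and switching it on is the case in which the raw scan finds nothing.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample messages; nothing here comes from a real device.
SAMPLE_ROWS = [
    ("+15550001111", "meet at the usual place at 9"),
    ("+15550002222", "invoice 4471 is overdue, pay today"),
    ("+15550003333", "running late, start without me"),
]
DELETED_BODY = SAMPLE_ROWS[1][1]


def build_sms_db(path, secure_delete=False):
    """Create a small 'sms' table, then delete one row.

    secure_delete=False is the usual SQLite default: the bytes of a deleted
    cell stay in the page as free space until that space is reused.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode = DELETE")   # keep everything in the main file
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()


def logical_view(path):
    """What a query through the engine returns: live rows only."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT address, body FROM sms ORDER BY id").fetchall()
    con.close()
    return rows


def carve_strings(path, min_len=8):
    """Raw scan of the file for printable ASCII runs, ignoring the engine entirely."""
    with open(path, "rb") as f:
        raw = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, raw)]


def deleted_body_recoverable(path):
    """True if the deleted message text is still present in the file bytes."""
    return any(DELETED_BODY in s for s in carve_strings(path))


def demo(secure_delete=False):
    """Run the experiment in a temp file and report both views."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sms_db(path, secure_delete)
        return {
            "live_bodies": [body for _, body in logical_view(path)],
            "deleted_found_in_raw": deleted_body_recoverable(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete OFF:", demo(False))
    print("secure_delete ON: ", demo(True))
```

The carving here is deliberately naive (a printable-string scan), which is enough to show that the row survives deletion; real tools parse the page free blocks and freelist pages to attribute the remnant to its table and columns. The `secure_delete=ON` run is the caveat: an application or build that enables it leaves nothing to carve, so absence of remnants is not evidence that nothing was deleted.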

Root access
When forensically analyzing an Android device, the limiting factor is often not the type of data
being sought, but rather whether or not the examiner has the ability to access the data. All of the
data listed previously, when stored on the internal flash memory, is protected and requires root
access to read. The exception to this is application data that is stored on the SD card, which will
be discussed later in this book.

Without root access, a forensic examiner cannot simply copy information from
the /data partition. The examiner will have to find some method of escalating privileges in order
to gain access to the contacts, call logs, SMS/MMS, and application data. These methods often
carry many risks, such as the potential to destroy or brick the device (making it unable to boot),
and may alter data on the device in order to gain permanence.

The methods commonly vary from device to device, and there is no universal, one-click method
to gain root access to every device. Commercial mobile forensic tools such as Oxygen Forensic
Detective and Cellebrite UFED have built-in capabilities to temporarily and safely root many
devices, but they do not cover the full range of Android devices.

The decision to root a device should be in accordance with your local operating procedures and
court opinions in your jurisdiction. The legal acceptance of evidence obtained by rooting varies
by jurisdiction.
Android SIM card extractions
Traditionally, SIM cards were used for transferring data between devices. SIM cards in the past
were used to store many different types of data, such as the following:

• User data
  • Contacts
  • SMS messages
  • Dialed calls
• Network data
  • Integrated Circuit Card Identifier (ICCID): Serial number of the SIM
  • International Mobile Subscriber Identity (IMSI): Identifier that ties the SIM to a
    specific user account
  • MSISDN: Phone number assigned to the SIM
  • Location Area Identity (LAI): Identifies the cell that a user is in
  • Authentication Key (Ki): Used for authentication with the mobile network
  • Various other network-specific information
With the rise in capacity of device storage, SD cards, and cloud backups, the necessity for
storing data on a SIM card has decreased. As such, most modern smartphones typically do not
store much, if any, user data on the SIM card. All network data listed previously does still reside
on the SIM, as a SIM is necessary to connect to all modern (4G) cellular networks.

As with all Android devices, though, there is no concrete stipulation that user data can’t be stored
on a SIM; it simply doesn’t happen by default. Individual device manufacturers can easily decide
to write user data to the SIM, and individual users can download applications to provide that
functionality. This means that a device’s SIM card should always be examined during a forensic
examination. It is a very quick process, and should never be overlooked.
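As an added example (not part of the tutorial), here are the checks an examiner can run on the network identifiers listed above once a reader returns them: the ICCID ends in a Luhn check digit (ITU-T E.118), the card's EF_ICCID stores the digits as nibble-swapped BCD padded with F (ETSI TS 102 221), and the IMSI splits into MCC, MNC and MSIN. The sample ICCID and the test-network IMSI (MCC 001, MNC 01) are constructed values; the MNC length is passed in as a parameter because it depends on the MCC and a real tool looks it up in a PLMN table.

```python
def luhn_check_digit(payload):
    """Compute the Luhn check digit that terminates an ICCID (ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def decode_swapped_bcd(raw):
    """Decode nibble-swapped BCD as used in EF_ICCID: low nibble first, F pads."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def encode_swapped_bcd(digits, length=10):
    """Inverse of decode_swapped_bcd, producing a 10-byte EF_ICCID body."""
    if len(digits) % 2:
        digits += "F"
    out = bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                for i in range(0, len(digits), 2))
    return out.ljust(length, b"\xff")


def parse_iccid(iccid):
    """Validate an ICCID and split off the '89' telecom prefix and check digit.

    The country code that follows '89' is 1 to 3 digits long, so the body is
    returned undivided; a tool splits it using an issuer table.
    """
    if not (19 <= len(iccid) <= 20 and iccid.startswith("89")):
        raise ValueError("not an ICCID")
    if not luhn_valid(iccid):
        raise ValueError("ICCID check digit mismatch")
    return (iccid[:2], iccid[2:-1], iccid[-1])


def parse_imsi(imsi, mnc_len=2):
    """Split an IMSI into MCC, MNC and MSIN; mnc_len is 2 or 3 depending on the MCC."""
    if not (imsi.isdigit() and len(imsi) <= 15) or mnc_len not in (2, 3):
        raise ValueError("not an IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


if __name__ == "__main__":
    # Constructed sample: 18 digits plus a computed check digit.
    sample_iccid = "890126012345678901" + luhn_check_digit("890126012345678901")
    print(sample_iccid, luhn_valid(sample_iccid))
    print(encode_swapped_bcd(sample_iccid).hex())
    print(parse_imsi("001010123456789"))
```

A mismatching check digit or a decoded value that fails to round-trip is a quick sign that the reader or the software did not handle the file correctly, which is the sort of validation on known data the tutorial recommends before using a tool in a real examination.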

Acquiring SIM card data


The SIM card should always be removed from the device and examined separately. While some tools
claim to read the SIM card through the device interface, this may not recover deleted data or all data
on the SIM; the only way for an examiner to be certain all data was acquired is to read the SIM
through a standalone SIM card reader with a tool that has been tested and verified.

The location of the SIM will vary by device but is typically either stored beneath the battery or in a
tray located on the side of the device. Once the SIM is removed, it should be placed in a SIM card
reader. There are hundreds of SIM card readers available in the marketplace, and all major mobile
forensics tools come with an included reader that will work with their software. Oftentimes, the
forensic tools will also support third-party SIM readers as well.

There is a surprising lack of thorough, free SIM card reading software available. Any software used
should always be tested and validated on a SIM card that has been populated with known data prior
to being used in an actual forensic investigation. Also, keep in mind that much of the free software
available works for older 2G/3G SIMs, but may not work properly on a modern 4G SIM. We used
Mobiledit! Lite, the free version of Mobiledit!, for the following screenshots. It is available
at: http://www.mobiledit.com/downloads.

The following is a sample 4G SIM card extraction from an Android phone running version 4.4.4;
note that nothing that could be considered user data was acquired despite the SIM being used actively
for over a year, though fields such as the ICCID, IMSI, and MSISDN (own phone number) could be
useful for subpoenas/warrants or other aspects of an investigation:
SIM card extraction overview

The following screenshot highlights SMS messages on the SIM card:

The following screenshot highlights the phonebook of the SIM card:


The following screenshot highlights the phone number of the SIM card (also called the MSISDN):

SIM Security
Due to the fact that SIM cards conform to established, international standards, all SIM cards provide
the same security functionality: a 4- to 8-digit PIN. Generally, this PIN must be set through a menu
on the device. On Android devices, this setting is found at Settings | Security | Set up SIM card lock.
The SIM PIN is completely independent of any lock screen security settings and only has to be
entered when the device boots. The SIM PIN only protects user data on the SIM; all network
information is still recoverable even if the SIM is PIN locked.

The SIM card will allow three attempts to enter the PIN; if one of these attempts is correct, the
counter will reset. On the other hand, if all of these attempts are incorrect, the SIM will
enter Personal Unblocking Key (PUK) mode. The PUK is an 8-digit number assigned by the carrier
and is frequently found on documentation when the SIM is purchased. Bypassing a PUK is not
possible with any commercial forensic software; because of this, an examiner should never attempt to
enter the PIN on the device as the device will not indicate how many attempts remain before the
PUK is activated. An examiner could unwittingly PUK lock the SIM and be unable to access the
device. Forensic tools, however, will show how many attempts remain before the PUK is activated,
as seen in the previous screenshots.

Common carrier defaults for SIM PINs are 0000 and 1234. If three tries remain before activating the
PUK, an examiner may successfully unlock the SIM with one of these defaults.

Carriers frequently retain PUK keys when a SIM is issued. These may be available through a
subpoena or warrant issued to the carrier.
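The retry behaviour described above can be made concrete with a small model. This is an added example, not code from any forensic tool or card vendor: a simulated SIM keeps the PIN and PUK counters and answers with the status words a real card uses (ISO 7816-4 style `63 CX` with the attempts left in the low nibble X, `69 83` once blocked, `90 00` on success, and the older `98 04` / `98 40` coding of 2G SIMs), and a decoder turns those into what a tool displays. The three PIN attempts come from the text; the PUK limit of ten, the status-word codings and the use of an empty VERIFY to read the counter without consuming an attempt are taken from the card standards and are assumptions of this model, not something the tutorial states.

```python
PIN_ATTEMPTS = 3    # from the text
PUK_ATTEMPTS = 10   # assumption: limit from the GSM/UICC standards, not on the page


class SimPinLock:
    """Simulated card holding the counters a forensic tool reads before any attempt."""

    def __init__(self, pin, puk):
        self._pin = pin
        self._puk = puk
        self.pin_remaining = PIN_ATTEMPTS
        self.puk_remaining = PUK_ATTEMPTS
        self.verified = False

    @property
    def state(self):
        if self.puk_remaining == 0:
            return "permanently blocked"
        if self.pin_remaining == 0:
            return "PUK mode"
        return "verified" if self.verified else "PIN locked"

    def verify_pin(self, attempt=None):
        """Modeled VERIFY PIN, returning (sw1, sw2).

        attempt=None models an empty data field: the card only reports the
        counter, which is how a tool shows attempts left without spending one.
        """
        if self.pin_remaining == 0:
            return (0x69, 0x83)                      # blocked, PUK required
        if attempt is None:
            return (0x63, 0xC0 | self.pin_remaining)
        if attempt == self._pin:
            self.pin_remaining = PIN_ATTEMPTS         # correct entry resets the counter
            self.verified = True
            return (0x90, 0x00)
        self.pin_remaining -= 1
        return (0x63, 0xC0 | self.pin_remaining)

    def unblock_pin(self, puk, new_pin):
        """Modeled UNBLOCK PIN: the correct PUK resets the PIN counter and sets a new PIN."""
        if self.puk_remaining == 0:
            return (0x69, 0x83)
        if puk == self._puk:
            self._pin = new_pin
            self.pin_remaining = PIN_ATTEMPTS
            self.puk_remaining = PUK_ATTEMPTS
            return (0x90, 0x00)
        self.puk_remaining -= 1
        return (0x63, 0xC0 | self.puk_remaining)


def decode_status_word(sw1, sw2):
    """Translate a status word into (meaning, attempts_left_or_None) as a tool would show it."""
    if (sw1, sw2) == (0x90, 0x00):
        return ("verified", None)
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return ("not verified", sw2 & 0x0F)        # low nibble = attempts left
    if (sw1, sw2) == (0x69, 0x83):
        return ("blocked", 0)
    if (sw1, sw2) == (0x98, 0x04):                  # 2G coding: wrong, at least one left
        return ("not verified", None)
    if (sw1, sw2) == (0x98, 0x40):                  # 2G coding: blocked
        return ("blocked", 0)
    return ("unknown", None)


def attempts_left(card):
    """What the examiner checks first: the counter, read without consuming a try."""
    return decode_status_word(*card.verify_pin())[1]


if __name__ == "__main__":
    card = SimPinLock(pin="4321", puk="12345678")   # constructed values
    print("attempts left before touching the card:", attempts_left(card))
    for wrong in ("1111", "2222", "3333"):
        print(wrong, decode_status_word(*card.verify_pin(wrong)), card.state)
    print("unblock:", decode_status_word(*card.unblock_pin("12345678", "9999")), card.state)
```

The 2G status words carry no count, which is one reason the tutorial says the device itself gives no indication of remaining attempts; the `63 CX` form is what lets a reader-based tool display the counter before anything is entered.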
SIM cloning
The SIM PIN itself provides almost no additional security, and can easily be bypassed through SIM
cloning. SIM cloning is a feature provided in almost all commercial mobile forensic software,
although the term cloning is somewhat misleading. SIM cloning, in the case of mobile forensics, is
the process of copying the network data from a locked SIM onto a forensically sterile SIM that does
not have the PIN activated.

The phone will identify the cloned SIM based on this network data (typically the ICCID and IMSI)
and think that it is the same SIM that was inserted previously, but this time there will be no SIM PIN.
This cloned SIM will also be unable to access the cellular network, which makes it an effective
solution similar to Airplane Mode. Therefore, SIM cloning will allow an examiner to access the
device, but the user data on the original SIM is still inaccessible as it remains protected by the PIN.

We are unaware of any free software that performs forensic SIM cloning. It is supported by almost
all commercial mobile forensic kits, however. These kits will typically include a SIM card reader,
software to perform the clone, as well as multiple blank SIM cards for the cloning process.

PARROT OS ON VMWARE:
