Friday, 22 June 2012

iPhone forensics: Beware expert witness!

iPhone forensics is not easy as it sounds!

It is not like computer forensics whereby you could apply all sorts of techniques to process it. It is a matured field and there are thousands of references you could get from the Internet. No problem at all.

But for iPhone forensics, it is different. The process is not straightforward as you might have thought. The iOS has security features, complicated mobile phone system and the technical information is difficult to obtain.

Developing a software/tool will double your effort aka ‘headache’ because it is massive. It could be done but need proper planning.

To start with, you must have knowledge on the hardware components that make up the iPhone. Then you need to understand the software components that work together to get the iPhone operational.

This is a daunting task but iPhone Dev Team and Zdziarski have done it even though some may question whether it is forensically sound or not. 

I concur with Carrier that open source tools are better because anyone can review its source code. Just like Foremost by Kornblum et al. 

How did they do it and get all the resources mentioned above?

Most likely with sheer determination, connections, working in a team, hacking skills, equipments and etc, you could do it. Also, you may need some LUCK! Don’t dream of doing it alone with only Internet access. God bless you!

However, for basic iPhone forensics, there are two main things that you need to be familiar with,
  1. Imaging – physical or logical acquisition of data.
  2. Extraction – export of relevant data, e.g. videos and pictures.
Imaging an iPhone is easy when you have an expensive tool but without it is really a painstaking job.

But, can you clearly explain how did the commercial tool conduct the imaging and extraction of all files?

Most probably it would only be brief description and not detail enough because you are not the tool developer.

Then, how are you going to do well as an EXPERT WITNESS?

Bear in mind that the lawyers are not the ones that you met ten years ago! Some of them are tech savvy with technical qualifications and certifications. Or they could consult the other experts to go against you in the court of law (a lot of hackers/digital forensics analysts are becoming technopreneurs these days).

Imaging process of an iPhone is complicated. Just visualize it like having a separate special bootable system to access the iPhone user partition and bit-to-bit copying it.

Let’s say that you have done the imaging, then comes the file system analysis part and user data extraction. File system, container, format and timestamp expertise is essential for you (I will cover this in my next blog). It is not easy and it takes time to understand the iPhone file system. The system is huge and complicated. When the file system is corrupted, you need to resort to file CARVING.

As an EXPERT WITNESS, you are expected to explain the entire process. You can’t afford to rely on the commercial tool report alone. You should know how the tool did its work or the least you must do is to convincingly articulate the imaging and extraction concept.

I must say that tool dependent EXPERT WITNESS is going to have a tough time because you cannot 100% trust your tool. Why, because you won’t get the same results between the two tools [1]. Let me give you some examples.

I’ve used a commercial tool to get the physical image of an iPhone. The same tool retrieved some files e.g. pictures and a total of 657 jpegs were extracted. 

But, when I used a specialized carving tool on the same image, I got more jpeg files, i.e. 1242 altogether and almost double than the commercial tool did. 

What happen here? This is very interesting!

I’m not trying to assert that commercial tools aren’t good enough but merely to find the reason behind this awkward finding (I will cover this in my next blog).

It must be noted that the burden of proof (digital evidence) lies on the EXPERT WITNESS. It will not be an easy ‘journey’.

Usually, in iPhone or mobile phones forensics you need a few tools [1] to process it. There is no one dedicated tool that could do everything.

I would like to remind you again that the ability to understand the whole technology and forensic process (the principle of don’t ever change a single bit) is compulsory. If too complex, the least that you must do is to master the file system, container, format (example below), timestamp and carving.

Whatever it is, I pity the honorable judges for them to understand all these intricacies.

[1] G. Grispos, T. Storer and W. B. Glisson. “A comparison of forensics evidence recovery techniques for a windows mobile smart phone.” The Journal of Digital Investigation, pp. 23-36, 2011.

P.S. Additional info on iPhone and iPhone forensics.

iPhone Forensics Book

Mobile Phone Based Cases

Smart Phone Forensics: Strip 'em all!

Tuesday, 12 June 2012

My PhD Research: An Analytical Framework for Digital CCTV Forensic Data Recovery

For your info, my thesis title is “ An Analytical Framework for Digital CCTV Forensic Data Recovery”. This research outcome could be used in Malaysia and/or in other countries.

Not only the governments but also the households are deploying CCTVs. Therefore, there is a need for a framework to process the CCTV DVR in a case investigation.

Below is the brief abstract.

"The digital forensics process typically involves identification, preservation, analysis and presentation of evidence. Expertise in data recovery is an essential part of the digital forensics process.

Difficulties arise with digital video recorder (DVR) of a closed-circuit television (CCTV) because the manufacturers have generally developed customize and proprietary systems making the data recovery attempts by digital forensics practitioners almost impossible. It is pertinent to delve into data recovery technique of digital CCTV systems for digital forensics discipline advancement.

Hypothetically, this undertaking is achievable through forensic analysis of the video stream attributes. The contribution of this research is to develop a specialized technique and a proof-of-concept tool that is “forensically sound” to carve the video file of digital CCTV systems based on selected timestamp. This sort of reference is lacking and essentially required by the digital forensics practitioners and law enforcement agencies for their best practice guidelines."

I’ve mentioned briefly on this research in my paper “Digital Forensics Institute in Malaysia: The way forward” to be published by Digital Evidence and Electronic Signature Law Review (in progress). I’m hoping to write more this year.

Beside the framework, I’ll also develop a tool to ease the analysis because the amount of data will be typically in the range 500GByte – 1TByte.

Some surveys will be conducted with my colleagues from the Royal Malaysia Police or perhaps my friends from the Australia’s police.

Saturday, 2 June 2012

Digital Forensics in Malaysia

If you wonder what’s going on in Malaysia regarding Digital Forensics, there is a publication on it [1] by The paper was written in 2008, when digital forensics was a big ‘phenomenon’ in Malaysia.

Basically, it covered the legal framework and digital forensics operation in Malaysia.

Personally, I think this paper is important as to inform people around the world on Malaysia’s experience in this field.

When I lectured in Australia or in the UK, some of them unaware that Malaysia has digital forensics capabilities.

In fact, for your information, we had assisted Maldives’s police on one of their case.

Well, this is not to say who is good or who is bad, this notion never came across in my heart.

But most importantly is for us to work together to fight against cybercrimes. They are well coordinated and working together as one.

As a sequel or continuation, I’ve written again this year, 2012, that analysed the cyber crimes and cyber related crimes, the challenges, operation strategies, research initiatives, achievements and lastly with the proposal of a Digital Forensics Institute in Malaysia as the way forward.

This paper will be the ‘blueprint’ for my research efforts in years to come.

More technical papers will ensue based on it.

But, time is really against me.

A chat with Y.B. Senator Tan Sri Dr. Koh Tsu Koon (Minister in the Prime Minister Office) on Digital Forensics in Malaysia.

[1] Aswami Fadillah Mohd Ariffin and Izwan Iskandar Ishak, ‘Digital Forensics in Malaysia’, Digital Evidence and Electronic Signature Law Review 5 (2008), 161-165.

Below are some of the photos taken during VVIPs visit to Digital Forensics Department booth. It was on the day of CyberSecurity Malaysia launching by the Prime Minister, YAB Dato' Seri Abdullah Bin Haji Ahmad Badawi, 20 August 2007.

The PM was gesturing something (, watched by Y.B. Dato' Sri Dr. Ir. Jamaluddin Mohd. Jarjis and my CEO, Y.Bhg. Dato' Husin Jazri.

Y.B. Dato' Seri Kong Cho Ha (Transport Minister) was briefed on Digital Forensics in Malaysia. My CEO, Y.Bhg. Dato' Husin Jazri was next to him.

Y.Bhg. Tan Sri Abdul Halim Ali, Chairman
Multimedia Development Corporation (MDeC), was briefed on Digital Forensics in Malaysia. My COO, Encik Zahri Yunos was next to him.