Mobile Devices Forensics (6) Flashcards
What is meant by ‘mobile phone and embedded systems’?
Systems that have CPU, RAM, non-volatile storage, peripherals and user interfaces. (Like any other computer systems)
BUT
There are often stricter constraints on memory, storage, processing power and power consumption.
Interface is often limited. Buttons instead of keyboard, individual LEDs instead of displays, etc.
Many of the smaller systems have all components on one die and are called System-on-a-Chip (SoC)
Name some popular instruction set architectures.
AVR:
Used in Arduino and other microcontrollers. (8-bit RISC)
8051:
Old and dirt cheap
ARM:
Modern and highly used, 32-bit or 64-bit RISC. In practically every phone.
ARC:
For SoCs. Much used in IoT. Shipped in more than 1.5 billion products per year.
What are SIM-cards?
SIM is short for Subscriber Identity Module and:
- Contains keys for authentication and encryption
- Contains storage for contacts and SMS (most phones today do not utilize this storage)
When we speak of SIM-cards, we are actually talking about UICC, which is a smart card that contains a SIM-circuit.
eSIM is an embedded SIM without a physical card and can be provisioned remotely.
How can broadband cellular network technologies such as 4G be used to track the position of mobile phones?
Base stations often have several sectors with directional antennas.
By checking the base station that the mobile is connected to, we can get a rough direction and max distance.
It is also possible to triangulate the position of the mobile when the mobile phone is seen by several base stations. Keep in mind that phones are not necessarily connected to the base station that is closest or has the best signal strength.
Also, phones have a identity besides SIM that can still be tracked if someone changes the SIM card. This identity is called IMEI
Why can it be challenging to collect data from mobile phones and embedded system?
Unlike ordinary PCs, these devices have no well defined and standardized interfaces
Other challenges include:
- the device’s security measures. The protection in mobile phone OSes is more complex than normal Unix. Each process in mobiles runs in its own sandbox, as its own user without root.
- finding out which components are relevant.
- Electrostatic discharge (ESD).
- Physical state: broken, state of device, battery, etc.
- Finding other traces such as finger prints
How can data be collected from mobile devices?
We could:
- use an application or service on the platform itself. e.g. use phone itself to check recently dialled numbers.
- Connect the device to a computer and read its file system.
- read through the OS, especially if the device is rooted
- use JTAG to read through the flash controller
- try to get at the flash subsystem itself
- desolder the flash chips and read them directly
- grind the physical chips down and look at them with an electron microscope
Why can it be problematic to chip off?
Need to consider if the chip is potted, how it is soldered, if there is underfill, etc. If it is potted or underfilled, the process can be very hard and you might even need special chemicals.
AThere are two main form factors: TSOP and BGA.
TSOP has legs outside the chip, while BGA has legs under the chip. These form factors might require different techniques when desoldering.
Temperature is tightly controlled during production as not to damage the chip. Sloppy desoldering can easily overheat and destroy the chip. Also, heat could cause Phase Change Memory (PCM) to lose its contents.
What is JTAG and what is it used for?
JTAG is short for Joint Test Action Group and is a standardized interface for boundary scan test.
- Boundary scan is a way to test if a trace connects two points
It can be used for finding defects in integrated circuits and to debug firmware or software running on CPU or micro controllers. The debugging part is particularly interesting because it enables us to run flash memory as if we were the CPU.
What is Flash memory?
Flash memory is a very common storage medium for phones and embedded systems.
There are two types of flash memory:
- NAND, where we can only change ‘1’ to ‘0’
- NOR, where we can only change ‘0’ to ‘1’
If we want to change bits the other way, we have to erase the entire block
A problem with flash memory is that erasing and writing blocks wears down the hardware. With NAND, we can typically only write and erase 100 000 times. To prevent wearing down the hardware, there are some mechanisms that involve reallocation and copying. These mechanisms can leave left overs in previously changed blocks. It can be hard for investigators to know which data is live and what is left over crap.
Examples of flash file systems are YAAFS1 and YAAFS2.
