Forensic Triage for Mobile Phones with DEC0DE (Robert J. Walls, Erik Learned-Miller, Brian Neil Levine) - PowerPoint PPT Presentation



SLIDE 1

rjwalls@cs.umass.edu forensics.umass.edu

Forensic Triage for Mobile Phones with DEC0DE

Robert J. Walls, Erik Learned-Miller, Brian Neil Levine

Department of Computer Science, University of Massachusetts Amherst

This work was supported in part by NSF award DUE-0830876.

SLIDES 2-6

Evidence

SLIDES 7-8

Forensic Triage: Acquire evidence quickly, accurately, and on-scene.

> Done before a full examination

SLIDES 9-14

DEC0DE: Forensic Triage for Phones

SLIDE 15

Why phones?

SLIDE 17

Phones record our lives.

SLIDE 18

Phones contain evidence.

SLIDES 20-21

Proprietary OS + Little Documentation = Unknown Formats

SLIDE 22

Triage options now?

SLIDE 23

Option 1: Browsing

Option 2: Commercial tools

SLIDES 24-27

Option 1: Browsing

Drawbacks:

> May not be possible
> Modifies the phone
> Misses important information

SLIDES 28-31

Option 2: Commercial Tools

Drawbacks:

> Cost prohibitive
> Does not support all phones
> Still misses important information!

SLIDE 32

Option 3: DEC0DE

SLIDES 33-36

Option 3: DEC0DE

Advantages:

> Extracts information directly from storage
> File system and OS agnostic
> Quick ( < 20 minutes )


SLIDES 42-45

DEC0DE pipeline (diagram): Raw Storage -> Block Hash Filtering -> Inference -> Records

SLIDE 46

Component 1: Block Hash Filtering

Process:

> Divide storage into blocks
> Compare block hash to library
> Filter duplicates
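As an added example (not DEC0DE's own code; the slides do not give its block size, hash function or library format), the three steps of Component 1 in Python: a raw image is sliced into fixed-size blocks, each block is hashed, and any block whose hash already appears in a library built from other phones of the same model is dropped before inference. The 512-byte block size, the SHA-256 choice and the phone images are all constructed assumptions for this example.

```python
import hashlib

# Assumption for this example: 512-byte blocks hashed with SHA-256. The slides do not
# state DEC0DE's actual block size or hash function.
BLOCK_SIZE = 512


def split_blocks(image, block_size=BLOCK_SIZE):
    """Step 1: slice a raw storage image into fixed-size blocks (the last may be short)."""
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]


def block_hash(block):
    return hashlib.sha256(block).hexdigest()


def build_library(reference_images, block_size=BLOCK_SIZE):
    """Hash library: every block hash seen in any reference phone image."""
    library = set()
    for img in reference_images:
        library.update(block_hash(blk) for blk in split_blocks(img, block_size))
    return library


def filter_blocks(image, library, block_size=BLOCK_SIZE):
    """Steps 2-3: drop blocks whose hash is in the library; keep (offset, block) pairs
    for the rest so later stages can still say where a record was found."""
    kept = []
    total = 0
    for idx, blk in enumerate(split_blocks(image, block_size)):
        total += 1
        if block_hash(blk) in library:
            continue  # seen on another phone: OS/firmware content, not evidence
        kept.append((idx * block_size, blk))
    filtered = total - len(kept)
    stats = {"total": total, "filtered": filtered,
             "fraction_filtered": filtered / total if total else 0.0}
    return kept, stats


# --- Constructed sample data (not real phone images) ---------------------------------
def make_block(tag, fill, block_size=BLOCK_SIZE):
    """A block that starts with a short tag and is padded with a filler byte."""
    return (tag.encode() + bytes([fill]) * block_size)[:block_size]


# Blocks shared by every phone of this (fictional) model: firmware and OS data.
FIRMWARE = [make_block(f"fw{i}", 0xAA) for i in range(7)]


def sample_images():
    """Two reference phones of the same model plus the target phone under triage."""
    phone_a = b"".join(FIRMWARE + [make_block("A-contacts", 0x11), make_block("A-sms", 0x12)])
    phone_b = b"".join(FIRMWARE[:5] + [make_block("B-contacts", 0x21)])
    target = b"".join(
        FIRMWARE[:4] + [make_block("T-contacts", 0x31)]
        + [FIRMWARE[4], make_block("T-sms", 0x32), FIRMWARE[5], FIRMWARE[6],
           make_block("T-calls", 0x33)]
    )
    return [phone_a, phone_b], target


if __name__ == "__main__":
    references, target_image = sample_images()
    library = build_library(references)
    kept, stats = filter_blocks(target_image, library)
    print(f"{stats['filtered']}/{stats['total']} blocks filtered "
          f"({stats['fraction_filtered']:.0%}); surviving offsets:",
          [off for off, _ in kept])
```

The per-block cost is one hash and one set lookup, so the filter's running time grows with the number of blocks rather than with what they contain, and keeping the byte offset of each surviving block lets a record found later be tied back to its location in the image. The library here is the union of blocks from the two reference phones, which is why a block present on only one of them is still filtered.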

SLIDES 47-53

Evaluation: BHF (results charts)

SLIDE 54

Component 1: Block Hash Filtering

Evaluation Summary:

> Filtered 69% on average
> Lot of overlap between phones of same model

SLIDES 55-56

Inference? Simple, just use regular expressions.

SLIDE 57

Component 2: Inference

Process:

> Encode formats using Probabilistic Finite State Machines (PFSM)
> Parse using Viterbi's Algorithm
> Remove false positives using decision tree

SLIDE 58

Example record formats (figure): Phone number, Call log

SLIDE 59

Component 2: Inference

Post Processing:

> Simpler to encode certain features
> Reduces complexity of state machines
> Increases precision
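As an added example (not DEC0DE's code; the slides do not show its state machines, record formats or decision-tree features), the inference pipeline of slides 57 and 59 on a constructed record format: a hand-built PFSM with one junk state and three record-field states, Viterbi decoding over raw bytes to obtain the most probable state sequence, and a rule-based post-processing filter standing in for the decision tree. The byte layout (0x01 marker, ASCII digits, 0x00 terminator), the probabilities and the length rule are all assumptions made for this example.

```python
import math

# Constructed record format for this example (not a real phone's layout):
#   0x01 marker byte, a run of ASCII digits (the phone number), then a 0x00 terminator.
MARKER, TERMINATOR = 0x01, 0x00
DIGITS = set(range(ord("0"), ord("9") + 1))

# PFSM: one state for unstructured data and one per record field, with hand-assigned
# transition probabilities (manually built, as the evaluation process describes).
STATES = ("JUNK", "MARK", "DIGIT", "END")
TRANS = {
    "JUNK":  {"JUNK": 0.95, "MARK": 0.05},
    "MARK":  {"DIGIT": 1.0},
    "DIGIT": {"DIGIT": 0.90, "END": 0.10},
    "END":   {"JUNK": 0.95, "MARK": 0.05},   # records may sit back to back
}
START = {"JUNK": 0.95, "MARK": 0.05}

def emission(state, byte):
    """P(byte | state): how likely each state is to have produced a byte value."""
    if state == "JUNK":
        return 1.0 / 256                       # any byte equally likely
    if state == "MARK":
        return 0.99 if byte == MARKER else 0.01 / 255
    if state == "DIGIT":
        return 0.099 if byte in DIGITS else 0.01 / (256 - len(DIGITS))
    if state == "END":
        return 0.99 if byte == TERMINATOR else 0.01 / 255
    raise ValueError(state)

def viterbi(data):
    """Most probable state sequence for the bytes in `data` (log-space Viterbi)."""
    n = len(data)
    if n == 0:
        return []
    neg_inf = float("-inf")
    score = [{} for _ in range(n)]   # best log-probability ending in each state
    back = [{} for _ in range(n)]    # predecessor state on that best path
    for s in STATES:
        p = START.get(s, 0.0) * emission(s, data[0])
        score[0][s] = math.log(p) if p > 0 else neg_inf
        back[0][s] = None
    for i in range(1, n):
        for s in STATES:
            best_prev, best = None, neg_inf
            for prev in STATES:
                t = TRANS[prev].get(s, 0.0)
                if t == 0.0 or score[i - 1][prev] == neg_inf:
                    continue
                cand = score[i - 1][prev] + math.log(t)
                if cand > best:
                    best_prev, best = prev, cand
            score[i][s] = best + math.log(emission(s, data[i])) if best_prev else neg_inf
            back[i][s] = best_prev
    last = max(STATES, key=lambda s: score[n - 1][s])
    path = [last]
    for i in range(n - 1, 0, -1):
        path.append(back[i][path[-1]])
    path.reverse()
    return path

def extract_records(data):
    """Walk the decoded path and collect each MARK, DIGIT+, END run as a candidate."""
    records, current = [], None
    for byte, state in zip(data, viterbi(data)):
        if state == "MARK":
            current = []
        elif state == "DIGIT" and current is not None:
            current.append(chr(byte))
        elif state == "END" and current is not None:
            records.append("".join(current))
            current = None
    return records

def post_process(candidates, min_len=7, max_len=15):
    """Rule-based false-positive filter (a stand-in for DEC0DE's decision tree).
    Keeping the length check out of the PFSM keeps the machine small (slide 59)."""
    return [c for c in candidates if min_len <= len(c) <= max_len]

def sample_storage():
    """Constructed raw storage: junk, two real records, one implausibly short one, junk."""
    junk1 = bytes([0xFF, 0x3A, 0x41, 0x42, 0xFF])
    rec1 = bytes([MARKER]) + b"4135551234" + bytes([TERMINATOR])
    junk2 = bytes([0x00, 0xFF, 0x1B, 0x7F])
    rec2 = bytes([MARKER]) + b"6175550199" + bytes([TERMINATOR])
    short = bytes([MARKER]) + b"123" + bytes([TERMINATOR])   # well-formed but only 3 digits
    junk3 = bytes([0x39, 0x38])                               # stray digits, no marker
    return junk1 + rec1 + junk2 + rec2 + short + junk3

if __name__ == "__main__":
    raw = sample_storage()
    candidates = extract_records(raw)
    print("PFSM candidates:", candidates)
    print("after post-processing:", post_process(candidates))
```

Two behaviours are worth noticing when running it: the stray digits at the end of the sample never become a record because no MARK state precedes them, which is the structural knowledge a plain regular expression over digit runs lacks; and the three-digit record is accepted by the PFSM, since it is well-formed, and only removed by the post-processing rule. Encoding the length constraint as extra states would multiply the machine's size for every record type, which is the complexity-versus-precision trade-off slide 59 describes.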

SLIDES 60-67

Component 2: Inference Evaluation

Process:

Step 0 > Pick phone set
Step 1 > Pick target record types
Step 2 > Manually create state machines
Step 3 > Acquire Raw Storage
Step 4 > Run DEC0DE

SLIDES 68-74

Evaluation: Inference

Development Set / Evaluation Set (results charts)

Recall: Fraction of records recovered.
Precision: Fraction of results that are actual records.

SLIDE 75

Component 2: Inference

Evaluation Summary:

> Recovered over 93% of records
> Post-processing improves precision by 10-20%

SLIDE 76

Limitations

> Challenging to acquire raw storage
> Success dependent on PFSM quality
> Small fields are tough

SLIDES 77-78

Instrument the binary?

Related Work: Polyglot (Caballero et al. 2007), Tupni (Cui et al. 2008), and Dispatcher (Caballero et al. 2009).

Too slow, too much work, and too difficult to implement for new phone models.

SLIDE 79

By leveraging our knowledge of a small set of phones, we can quickly, accurately, and effectively recover information from previously unexamined phones.