Challenges of Mobile Forensics

Challenges in Mobile Forensics

The main challenge in mobile forensics remains encryption. Encryption on Android devices, although it appeared with Android 6 devices, has only recently become a drag on extractions. Many mid-range Android smartphones and all pre-2019 Samsung phones used Full Disk Encryption (FDE), the weaker scheme in which the disk encryption key is, by default, derived from the hardcoded string "default_password" rather than from anything the user knows (only users who enabled Secure start-up had their own passcode mixed in). This year most new smartphones ship with the more secure File-Based Encryption (FBE), a modern scheme that encrypts files with keys derived from the user's screen lock passcode. In many cases experts could work around FDE; the newer FBE is a real challenge and is still underexplored.
While phones released with FDE cannot be updated to use FBE, that generation of devices will eventually die out. The new encryption scheme used in newer devices will prevail, and it will make acquisitions significantly harder and more time-consuming.
In Apple's world, per-file encryption keyed from the user's screen lock passcode has covered most user data since iOS 8, on all devices starting with the iPhone 5s. That encryption was and remains secure, and while it is still a challenge, it is not a new one.
Android Forensics
Android device forensics is a headache for a very different reason. The market is saturated with literally thousands of models, equipped with numerous chipsets made by a number of different manufacturers. There are powerful direct acquisition methods such as EDL extraction, which uses a special engineering mode (Emergency Download) present on most Qualcomm-based devices; however, these low-level methods are strictly limited to specific vendors, models and/or chipsets. In addition, they may or may not work depending on the device settings, which can enforce an advanced encryption mode that is not susceptible to this method.
Unlocking Apple smartphones will become increasingly difficult. The bootloader-level vulnerability (checkm8) found in A5 through A11 devices is no longer present in the iPhone Xs/Xr and iPhone 11 generations, while iOS 13 closed many security vulnerabilities discovered in iOS 12. We expect older devices (up to and including the iPhone 8/iPhone X generation) to remain easily unlockable, while the new generation will be harder (and slower) to unlock. The now-default 6-digit passcodes are particularly slow to brute force, since every guess has to pass through the Secure Enclave's deliberately slow, hardware-bound key derivation; this often makes BFU (Before First Unlock) attacks unfeasible.
While Apple uses secure biometrics to unlock its devices, numerous Android copycats ship "me-too" imitations of Apple's Face ID. Such imitations are generally insecure and can be fooled with a printed photo or, at worst, a 3D model of the user's face. It is the sheer number and variety of Android devices that shields them from the kind of dedicated security research that produced the unpatchable checkm8 exploit for many Apple devices.
Full-disk and file-based encryption effectively prevent straightforward extractions, forcing experts to look for dedicated forensic tools for imaging devices. Before First Unlock (BFU) and After First Unlock (AFU) extractions will continue to return vastly different amounts of evidence, with AFU extractions slowly fading out as the vulnerable models approach the end of their lifecycle.
Yet alternatives to physical extraction will continue to develop. With significantly more information stored in the cloud today than just two years ago, forensic experts can expect to get hold of that data, and more.
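To put the 6-digit passcode claim in numbers, here is a small estimator added for this article (it is not code from the original post or from any forensic vendor). It assumes that an exploit has already removed the retry counter and escalating delays, so the only remaining cost is the Secure Enclave's passcode tangling, which Apple documents at roughly 80 ms per attempt; MS_PER_GUESS is treated as a parameter, not a measurement, and the "alnum" alphabet size is my assumption for a custom alphanumeric passcode.

```python
"""Added example, not from the original article: back-of-the-envelope timing for an
offline passcode brute force once retry limits are bypassed. Assumes every guess
still costs about MS_PER_GUESS milliseconds of hardware-bound key derivation."""

MS_PER_GUESS = 80  # assumed per-attempt cost in milliseconds (a parameter, not measured)

ALPHABET_SIZES = {
    "digits": 10,  # numeric passcode (4- or 6-digit)
    "alnum": 62,   # custom alphanumeric passcode: a-z, A-Z, 0-9 (assumed alphabet)
}


def keyspace(kind: str, length: int) -> int:
    """Number of candidate passcodes for the given alphabet and length."""
    return ALPHABET_SIZES[kind] ** length


def estimate(kind: str, length: int, ms_per_guess: int = MS_PER_GUESS) -> dict:
    """Worst case tries the whole keyspace; expected time is half of it for a
    uniformly random passcode (real passcodes are skewed and usually fall faster)."""
    space = keyspace(kind, length)
    worst_ms = space * ms_per_guess
    return {
        "keyspace": space,
        "worst_case_seconds": worst_ms / 1000,
        "expected_seconds": worst_ms / 2000,
    }


def format_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit (one decimal place)."""
    units = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for kind, length in [("digits", 4), ("digits", 6), ("alnum", 6)]:
        e = estimate(kind, length)
        print(f"{length}-char {kind}: keyspace {e['keyspace']:,}, "
              f"worst {format_duration(e['worst_case_seconds'])}, "
              f"expected {format_duration(e['expected_seconds'])}")
```

Two extra digits multiply the keyspace by 100: a 4-digit PIN is exhausted in about 13 minutes at this rate, a 6-digit one takes almost a day, and a 6-character alphanumeric passcode runs into centuries, which is why vendors attack weak user choices (dates, repeated digits) before the raw keyspace.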

In classic desktop forensics of the old days, capturing an image of the hard drive and calculating its checksum would satisfy the verification requirement. This no longer works in mobile forensics. Most extraction methods are not forensically sound in that sense: the device keeps running, and keeps writing logs, timestamps and synced data, while a logical or agent-based extraction is in progress, so the results are not repeatable. Calculating a checksum only makes sense to validate the integrity of a given dump or archive; repeating the extraction will produce a different image and a different checksum. Many vendors are secretive about the techniques they use to extract smartphones, so their testimony may be the only validation available in court.
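What a checksum can and cannot prove for a mobile dump, as an added example that is not part of the original article or of any vendor's tooling: the script hashes every file of an extraction into a manifest so that the specific dump handed to the court can be verified later, and then "acquires" the same constructed device twice to show that the manifests differ where the device kept writing. All files and timestamps below are constructed for the demonstration; the directory layout (data/contacts.csv, data/system.log) is an assumption, not a real extraction format.

```python
"""Added example, not code from the original article or any forensic product.
Hash an extraction directory into a manifest, verify a dump against it later,
and show that repeating a live extraction yields a different manifest even
though the user data itself did not change. All inputs are constructed here."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of one file, streamed so a multi-gigabyte dump need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def dump_manifest(manifest: dict) -> str:
    """Serialise deterministically so the manifest itself can be hashed and signed."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def verify_manifest(root: str, manifest: dict) -> list:
    """Return (problem, path) pairs: modified, missing, or unexpected files. Empty means intact."""
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def simulated_acquisition(root: str, acquired_at: datetime) -> None:
    """Write a constructed 'extraction': static user data plus a log line the
    device appends while the agent runs (this is what makes re-acquisition differ)."""
    os.makedirs(os.path.join(root, "data"), exist_ok=True)
    with open(os.path.join(root, "data", "contacts.csv"), "w") as f:
        f.write("name,phone\nAlice Example,+15550100\n")  # constructed sample data
    with open(os.path.join(root, "data", "system.log"), "w") as f:
        f.write(f"{acquired_at.isoformat()} extraction agent started\n")


def tamper_check() -> list:
    """Acquire once, record the manifest, then alter the dump: verification must flag it."""
    with tempfile.TemporaryDirectory() as root:
        simulated_acquisition(root, datetime(2020, 1, 15, 9, 0, tzinfo=timezone.utc))
        manifest = json.loads(dump_manifest(build_manifest(root)))
        assert verify_manifest(root, manifest) == []  # untouched dump verifies cleanly
        with open(os.path.join(root, "data", "contacts.csv"), "a") as f:
            f.write("Mallory,+15550199\n")
        os.remove(os.path.join(root, "data", "system.log"))
        return verify_manifest(root, manifest)


def compare_two_acquisitions() -> dict:
    """Acquire 'the same device' twice, minutes apart; report per-file hash equality."""
    t1 = datetime(2020, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    t2 = datetime(2020, 1, 15, 9, 7, 30, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        simulated_acquisition(a, t1)
        simulated_acquisition(b, t2)
        m1, m2 = build_manifest(a), build_manifest(b)
    return {rel: m1[rel] == m2.get(rel) for rel in m1}


if __name__ == "__main__":
    print("tampered dump problems:", tamper_check())
    print("same file across two acquisitions:", compare_two_acquisitions())
```

The manifest is the right unit to hash and sign at acquisition time: it ties the court's copy to what the examiner produced, while the per-file view makes it obvious that the mismatch between two runs sits in the device's own logs, not in the user's data.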
Cloud Extractions and Vendor Counter-Forensics
While more and more user data ends up in the cloud, companies continue to secure their cloud services against straightforward acquisition attempts.
Starting with Android 9, Google began encrypting Android backups with a key derived from the user's device passcode. At this point no other data is encrypted that way, not even health (Google Fit) data or passwords. We will keep watching Google's cloud services.
Apple continues its efforts to counter forensic access to parts of its cloud services. iCloud backups, while not encrypted with user credentials, are becoming increasingly difficult to obtain because device credentials are now a required prerequisite for accessing the data. The user's passwords (iCloud Keychain), Health data and even messages are end-to-end encrypted with keys protected by the user's screen lock passcode or system password. None of that information is handed over to law enforcement when Apple serves a government request, and none of it is provided to users pulling their data via Apple Privacy Requests.
We will continue to develop cloud extraction tools to obtain as much data as is technically possible.
Two-Factor Authentication
While two-factor authentication is not exactly new, manufacturers keep pushing users to enable the feature while making it very difficult or impossible to disable.
At the same time, two-factor authentication has its ugly side. In the Apple ecosystem, users whose accounts are protected with two-factor authentication can do things like disabling the Find My protection or resetting the Apple ID/iCloud password without providing their original Apple ID password; possession of a trusted device and its screen lock passcode is enough.
Deleted Data Analysis
Deleted data analysis is dead. For many years it has been impossible to recover files deleted from an Apple iPhone because of the way Apple handles per-file encryption keys: once a file's key is discarded, only unreadable ciphertext remains. The abundance of SSDs that honour TRIM makes access to deleted data impossible just moments after the file is gone. Tool makers keep trying to find ways to reach trimmed data on some SSD models; the SSD factory access mode is one of the latest SSD analysis methods that helps experts gain access to the hidden areas of the drive.

Topic Related Questions

  1. What type of evidence can be extracted from a mobile device?
  2. What types of data are currently able to be extracted and parsed from an Android device?
  3. How do I know if my device is encrypted?
  4. What are challenges to mobile forensics?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
