Aurelien M. Delaitre

Overcoming Impediments to Cell Phone Forensics

Cell phones are an emerging but rapidly growing area of computer forensics. While cell phones are becoming more like desktop computers functionally, their organization and operation are quite different in certain areas. For example, most cell phones do not contain a hard drive and rely instead on flash memory for persistent storage. Cell phones are also designed more as special-purpose appliances that perform a set of predefined tasks using proprietary embedded software, rather than general-purpose extensible systems that run common operating system software. Such differences make the application of classical computer forensic techniques difficult. Also complicating the situation is the state of the art of present day cell phone forensic tools themselves and the way in which tools are applied. This paper identifies factors that impede cell phone forensics and describes techniques to address two resulting problems in particular: the limited coverage of available phone models by forensic tools, and the inadequate means for validating the correct functioning of forensic tools.

Mobile Forensic Reference Materials: a Methodology and Reification

This National Institute of Standards and Technology report, NIST IR 7617, Mobile Forensic Reference Materials: A Methodology and Reification concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools. It describes an application and data set developed to populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.~

Reference Material for Assessing Forensic SIM Tools

Subscriber identity modules (SIMs) are a fundamental standardized component of most cell phones used worldwide. A SIM can be removed from a phone handset and inserted into another, allowing users to port identity, personal information, and service between devices. All cell phones are expected to incorporate some type of identity module eventually, in part, because of this useful property. Some of the earliest, general purpose, forensic tools for cell phones targeted SIMs to recover digital evidence. While over. time the capabilities and number of such tools have increased, they are not completely free of problems. Validating a forensic SIM tool is an essential quality assurance measure. It allows a forensic specialist to determine how to compensate for any shortcomings identified or whether to use one version of the tool in lieu of another. Tool manufacturers also benefit from rigorously validating their products before releasing them. However, creating reference SIMs that contain comprehensive test data can be time consuming and difficult to accomplish. This paper describes an approach for automating the population of test data onto SIMs to create reference material for use in tool validation. It also covers details of the implementation and explains characteristics of SIMs that pertain to the solution.

Improving vulnerability detection measurement: [test suites and software security assurance]

The Software Assurance Metrics and Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST) has created the Software Assurance Reference Dataset (SARD) to provide researchers and software security assurance tool developers with a set of known security flaws. As part of an empirical evaluation of a runtime monitoring framework, two test suites were executed and monitored, revealing deficiencies which led to a collaboration with the NIST SAMATE team to provide replacements. Test Suites 45 and 46 are analyzed, discussed, and updated to improve accuracy, consistency, preciseness, and automation. Empirical results show metrics such as recall, precision, and F-Measure are all impacted by invalid base assumptions regarding the test suites.

Forensic Filtering of Cell Phone Protocols

Phone managers are non-forensic software tools designed to carry out a range of tasks for the user, such as reading and updating the contents of a phone, using one or more of the communications protocols supported by the phone. Phone managers are sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool is available. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. Applying a forensic filter to phone manager protocol exchanges with a device is proposed as a means to reduce risk.