Knut Kröger

Overview of potential forensic analysis of an android smartphone

This paper deals with the forensic examination of Android smartphones. The structure of the Android system was analyzed and a forensic guide was created. As an example this guide was used to examine a HTC Desire. The conclusion of this paper is the fact that all data stored on the smartphone can be examined. The main problem is that some of the used procedures lack forensic requirements.

Conception of a course for professional training and education in the field of computer and mobile forensics: Part II: Android Forensics

The growth of Android in the mobile sector and the interest to investigate these devices from a forensic point of view has rapidly increased. Many companies have security problems with mobile devices in their own IT infrastructure. To respond to these incidents, it is important to have professional trained staff. Furthermore, it is necessary to further train their existing employees in the practical applications of mobile forensics owing to the fact that a lot of companies are trusted with very sensitive data. Inspired by these facts, this paper - a continuation of a paper of January 2012 [1] which showed the conception of a course for professional training and education in the field of computer and mobile forensics - addresses training approaches and practical exercises to investigate Android mobile devices.

Conception of a course for professional training and education in the field of computer and mobile forensics

IT security and computer forensics are important components in the information technology. From year to year, incidents and crimes increase that target IT systems or was done with their help. More and more companies and authorities have security problems in their own IT infrastructure. To respond to these incidents professionally, it is important to have well trained staff. The fact that many agencies and companies work with very sensitive data makes it necessary to further train the own employees in the field of IT forensics. Motivated by these facts, a training concept, which allows the creation of practical exercises, is presented in this paper. The focus is on the practical implementation of forensic important relationships.

Examination of mobile phones in a university forensic lab environment

The aim of this article is to show forensic investigation methods for mobile phones to students in a university forensic lab environment. Students have to learn the usefulness of forensic procedures to ensure evidence collection, evidence preservation, forensic analysis, and reporting. Open source tools as well as commercial forensic tools for forensic investigation of modern mobile (smart) phones are used. It is demonstrated how important data stored in the mobile device are investigated. Different scenarios of investigations are presented that are well-suited for forensics lab work in university.

Remarks on forensically interesting Sony Playstation 3 console features

This paper deals with forensically interesting features of the Sony Playstation 3 game console. The construction and the internal structure are analyzed more precisely. Interesting forensic features of the operating system and the file system are presented. Differences between a PS3 with and without jailbreak are introduced and possible forensic attempts when using an installed Linux are discussed.

Implementation of a forensic tool to examine the Windows registry

This paper describes the design and prototypic implementation of a forensic tool for the automated analysis of the Windows registry. The concept provides a complete object-oriented analysis of functional requirements as well as detailed descriptions of the program components and the software architecture of the tool. The prototypical implementation of the tool on basis of the developed concept shows its consistency. The implementation is partially described as object-oriented design. Here, special emphasis is placed on the ease of maintenance and extensibility of the program. Information to keys, which are to be read during the analysis are defined in the XML script files. The subsequently defined tests prove the consistency of the concept and the implementation [8].

Conception of a course for professional training and education in the field of computer and mobile forensics - Part III: Network forensics and penetration testing

IT security and computer forensics are important components in the information technology. From year to year, incidents and crimes increase that target IT systems or were done with their help. More and more companies and authorities have security problems in their own IT infrastructure. To respond to these incidents professionally, it is important to have well trained staff. The fact that many agencies and companies work with very sensitive data make it necessary to further train the own employees in the field of network forensics and penetration testing. Motivated by these facts, this paper - a continuation of a paper of January 2012 [1], which showed the conception of a course for professional training and education in the field of computer and mobile forensics - addresses the practical implementation important relationships of network forensic and penetration testing.

Possibilities and modification of the forensic investigation process of solid-state drives

This paper addresses the possibilities of a forensic investigation of solid-state drives. The aim of this study is to clarify information gained via a forensic analysis of these media, and explain the differences to conventional forensic examinations of hard disk drives. Within each test design a series and a variety of hard- and software were used. An interesting result is that the built-in TRIM function of the SSD has an adverse affect in a forensic investigation.

Overview and forensic investigation approaches of the gaming console Sony PlayStation Portable

This paper addresses the forensically interesting features of the Sony PlayStation Portable game console. The construction and the internal structure are analyzed precisely and interesting forensic features of the operating system and the file system are presented.

Location tracking forensics on mobile devices

The spread of navigation devices has increased significantly over the last 10 years. With the help of the current development of even smaller navigation receiver units it is to navigate with almost any current smart phone. Modern navigation systems are no longer limited to satellite navigation, but use current techniques, e.g. WLAN localization. Due to the increased use of navigation devices their relevance to forensic investigations has risen rapidly. Because navigation, for example with navigation equipment and smartphones, have become common place these days, also the amount of saved navigation data has risen rapidly. All of these developments lead to a necessary forensic analysis of these devices. However, there are very few current procedures for investigating of navigation devices. Navigation data is forensically interesting because by the position of the devices in most cases the location and the traveled path of the owner can be reconstructed. In this work practices for forensic analysis of navigation devices are developed. Different devices will be analyzed and it is attempted, by means of forensic procedures to restore the traveled path of the mobile device. For analysis of the various devices different software and hardware is used. There will be presented common procedures for securing and testing of mobile devices. Further there will be represented the specials in the investigation of each device. The different classes considered are GPS handhelds, mobile navigation devices and smartphones. It will be attempted, wherever possible, to read all data of the device. The aim is to restore complete histories of the navigation data and to forensically study and analyze these data. This is realized by the usage of current forensic software e.g. TomTology or Oxygen Forensic Suite. It is also attempted to use free software whenever possible. Further alternative methods are used (e.g. rooting) to access locked data of the unit. To limit the practical work the data extraction is focused on the frequently used device sample of a specific class, as the procedure for many groups of devices can be similar. In the present work a Garmin Dakota 10, a TomTom GO 700, an iPhone 4 (iOS) and a Samsung Galaxy S Plus (Android) is used because they have a wide circulation.