This is a quick article I wrote for a client in my consulting role at ISA. It was published on their website for clients to read and comment on. It was relevant at the time (Sep 2003), but today the information is quite dated and no longer relevant at all. My experience with ISPs and the ongoing spam problem, the advances made in spam delivery by the spammers, and the RBL list technology basically staying the same and not changing, have caused them to be useless. I am adding it here, just to record it for reference.
Mobile forensics
I attended a law enforcement presentation this evening on new forensics software for mobile phones. I’ve attended at least a dozen of these over the last 4 years and I’ve got to say I’m really disappointed. None of the mobile phone forensic software I have seen to date images the mobile or does an actual memory dump of the mobile independent of the mobile software. The software uses the API to extract a copy of the data. The data is then stored in a file or database, which then permits you to search and view the information.
By extracting data in this way, you are trusting the API to properly transmit all the information you requested. Maybe the code doesn’t transmit certain fields or data. What if this data is important to the investigation? How will the investigator know? In all presentations I’ve seen, when asked how the software handles records that are marked for deletion but not yet erased from memory, the answer is that the API will ignore them, so they will not be transferred over for investigation.
Since the API on the target mobile is the actual interface used to extract the data from the mobile, it is not possible to ‘prove’ that what is on the phone is exactly what is on the copy. Suppose a judge asks an investigator “please prove to me that the extraction you used for analysis exactly matches what you find on the mobile, and show me that there is no way an error or bug in the software could have caused the data to be changed.” I wonder how many people would be comfortable swearing to that under oath? I would not be.
You would have to be sure the API doesn’t change or misinterpret data, or have any bugs. Most mobiles and personal data assistants (PDAs) require a password to access any of the data. By going through the API, you are required to know this password in order to gain access. This makes it much more difficult, especially if the target is not aware they are under investigation and their mobile data is being extracted without their knowledge. You can’t ask the person under investigation for the password. If the mobile is seized with a warrant, the owner may choose not to give up the password.
I’ve been waiting for mobile forensics companies to actually spend time and money to come up with ways to extract data from the different mobiles and PDAs directly and independently of the mobile API, and to work out how to analyze memory data and memory dumps from those mobiles. Instead, I keep seeing new GUI interfaces, new ways to connect to the mobile, new ways to store and transmit the data. No work seems to be done on the individual mobiles themselves or on the problem of actual extraction with the chain of custody preserved for evidence handling. Very disappointing.
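To make the gap concrete, here is an added example that is not part of the original post and does not model any vendor’s software or any real handset format. It uses a constructed record layout standing in for handset memory: a “logical” extraction that behaves like the API (only live records come back) next to a “physical” parse of the same bytes, which recovers records flagged for deletion and hashes the raw image so the copy can be re-verified later.

```python
import hashlib
import struct

# Constructed record layout (an assumption for this example, not any real
# phone's format): 1-byte status flag, 2-byte big-endian length, UTF-8 payload.
STATUS_LIVE = 0x01
STATUS_DELETED = 0x02  # marked for deletion, payload still present in memory


def build_image(records):
    """Serialise (status, text) pairs into bytes that stand in for a raw memory dump."""
    out = bytearray()
    for status, text in records:
        payload = text.encode("utf-8")
        out += struct.pack(">BH", status, len(payload)) + payload
    return bytes(out)


def parse_records(image):
    """Walk every record in the raw image, live or deleted (the physical-dump view)."""
    records, offset = [], 0
    while offset + 3 <= len(image):
        status, length = struct.unpack_from(">BH", image, offset)
        offset += 3
        payload = image[offset:offset + length]
        if len(payload) != length:
            raise ValueError(f"truncated record at offset {offset - 3}")
        offset += length
        records.append((status, payload.decode("utf-8", errors="replace")))
    return records


def logical_extraction(image):
    """Model the handset API: only records the phone still considers live are returned."""
    return [text for status, text in parse_records(image) if status == STATUS_LIVE]


def physical_extraction(image):
    """Everything in memory, including deleted-but-not-erased records, plus an image hash."""
    parsed = parse_records(image)
    return {
        "live": [t for s, t in parsed if s == STATUS_LIVE],
        "deleted": [t for s, t in parsed if s == STATUS_DELETED],
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def image_matches(image, expected_sha256):
    """Re-hash a dump to show it is byte-for-byte the image that was analysed."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed sample handset memory: two live messages and one the user deleted.
SAMPLE_IMAGE = build_image([
    (STATUS_LIVE, "Meet at 10"),
    (STATUS_DELETED, "Delete this after reading"),
    (STATUS_LIVE, "Running late"),
])
```

Running `logical_extraction(SAMPLE_IMAGE)` returns only the two live messages, while `physical_extraction(SAMPLE_IMAGE)` also lists the deleted one and yields a digest that `image_matches` can check against a later copy of the dump.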
Dynamic Botnets
A research paper / tutorial I wrote a few months back. It shows one of the many BotNets that was detected and tracked by my team. The goal of this paper was to show how a typical Dynamic BotNet communicates, the implications these BotNets have for ISPs, why traditional detection and mitigation are not enough to stop them, and why behavioural detection, not just simple static signatures, is needed to detect and mitigate this type of malicious software.
Million Dollar homepage DoS
Remember the Million Dollar homepage and the DoS attack on it? This paper is the result of the work my manager Don Bowman (VP, Consulting System Services) and I did when some of our customers contacted us requesting assistance with anomalous outbound traffic emanating from their networks.
Border computer checking
I am not surprised by this. Border officials trying to search a laptop. I don’t even want to count the number of forensics rules they broke because I might lose count.
If I didn’t like my current employer so much, maybe they would hire me to do that work – although I expect I’d get bored really quickly.
Terrorists proving harder to profile
What gets me is that many very intelligent security researchers and consultants have been saying this since before 9/11 — profiling won’t work; you need to assess behaviour, personality, etc. Israel had this figured out and implemented years ago. 5 years later, oh maybe we should listen to them!