effectiveness of the factory reset on a mobile device

NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA

THESIS

EFFECTIVENESS OF THE FACTORY RESET ON A MOBILE DEVICE

by
Riqui Schwamm
March 2014

Thesis Advisor: Neil Rowe
Second Reader: Simson Garfinkel
Approved for public release; distribution is unlimited
REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89, prescribed by ANSI Std. 239-18; Form Approved OMB No. 0704-0188)
2. Report date: March 2014
3. Report type and dates covered: Master's Thesis
4. Title and subtitle: Effectiveness of the Factory Reset on a Mobile Device
6. Author(s): Riqui Schwamm
7. Performing organization name(s) and address(es): Naval Postgraduate School, Monterey, CA 93943-5000
9. Sponsoring/monitoring agency name(s) and address(es): N/A
11. Supplementary notes: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. IRB Protocol number: N/A.
12a. Distribution/availability statement: Approved for public release; distribution is unlimited
13. Abstract (maximum 200 words): given in full in the Abstract section below.
14. Subject terms: Android Operating System, Apple iOS, Mobile Forensics, smartphone, personal user data
15. Number of pages: 67
17. Security classification of report: Unclassified
18. Security classification of this page: Unclassified
19. Security classification of abstract: Unclassified
20. Limitation of abstract: UU
NSN 7540-01-280-5500
EFFECTIVENESS OF THE FACTORY RESET ON A MOBILE DEVICE
Riqui Schwamm
Civilian, Department of the Navy
B.S., California State University, Monterey Bay, 2011
Submitted in partial fulfillment of the
requirements for the degree of
MASTER OF SCIENCE IN COMPUTER SCIENCE
from the
NAVAL POSTGRADUATE SCHOOL
March 2014
Author:
Riqui Schwamm
Approved by:
Neil Rowe
Thesis Advisor
Simson Garfinkel
Second Reader
Peter J. Denning
Chair, Department of Computer Science
ABSTRACT
All mobile phones use internal flash memory to store information. The flash memory
contains personal user data that can be extracted with the use of forensics tools. This
information could be used to profile a user’s daily activity. However, all smartphones
provide a tool to erase (factory reset) the information from the flash memory. Twenty-one
smartphones were used to evaluate the effectiveness of the factory-reset feature. A set of
forensics tools from Cellebrite was used for the extraction and analysis process. The
factory-reset feature was found to leave significant amounts of user-generated content
after operation. The amount of user-generated content varied by vendor and model
number. Extracted data are presented as evidence to show the ineffectiveness of the reset.
User data such as photographs, audio files, text files, login information and geolocation
data were left on the phone. The data analysis uncovered the unreliable nature of a
factory reset and how the user is not properly protected.
TABLE OF CONTENTS
I. INTRODUCTION ..... 1
   A. MOBILE DEVICES, APPLICATIONS, AND USER DATA ..... 1
   B. RESEARCH QUESTIONS ..... 2
   C. THESIS STRUCTURE ..... 2
II. BACKGROUND AND RELATED WORK ..... 3
   A. GROWTH OF SMARTPHONES AND MOBILE COMPUTING ..... 3
   B. PRIOR WORK ..... 4
III. DIGITAL FORENSICS TOOLS ..... 7
   A. COMPUTER FORENSICS ..... 7
   B. MOBILE FORENSICS ..... 9
   C. MOBILE FORENSIC TOOL CELLEBRITE UFED ..... 9
   D. MOBILE FORENSIC TOOL BULK EXTRACTOR ..... 11
   E. OTHER MOBILE FORENSICS TOOLS TESTED ..... 11
IV. EXPERIMENTS ..... 15
   A. CONTROLLED EXPERIMENT WITH TWO SMARTPHONES ..... 15
   B. EXPERIMENT AND DATA EXTRACTION ..... 21
   C. ISSUES WITH THE SMARTPHONES ..... 28
   D. DATA ANALYSIS WITH THE PHYSICAL ANALYZER ..... 29
   E. STRING SEARCHING WITH LINUX GREP COMMAND ..... 32
   F. DATA ANALYSIS WITH BULK EXTRACTOR ..... 34
   G. DISCUSSION ..... 38
V. CONCLUSIONS AND FUTURE WORK ..... 41
   A. CONCLUSION ..... 41
   B. RECOMMENDED PROCEDURES ..... 41
   C. FUTURE WORK ..... 42
LIST OF REFERENCES ..... 45
INITIAL DISTRIBUTION LIST ..... 51
LIST OF TABLES
Table 1. Top Smartphone Platforms (from [1]) ..... 1
Table 2. Mobile Internet & Smartphone Adoption: October 2011 (from [4]) ..... 3
Table 3. Sample files from post-wipe iPhone ..... 19
Table 4. Sample files from post-wipe Android phone ..... 20
Table 5. Full list of smartphones and status (from [41], [42]) ..... 22
Table 6. Summary data from 21 smartphones ..... 23
Table 7. File type counts before and after the factory reset ..... 24
Table 8. The number represents user data and system data on smartphones, part 1 (post-wipe/pre-wipe); I=iPhone, A=Android, B=BlackBerry ..... 26
Table 9. The number represents user data and system data on smartphones, part 2 (post-wipe/pre-wipe); I=iPhone, A=Android, B=BlackBerry ..... 27
Table 10. User data files found in the smartphones, part 1 ..... 32
Table 11. User data files found in the smartphones, part 2 ..... 32
Table 12. Search result (post-wipe/pre-wipe), part 1 ..... 36
Table 13. Search result (post-wipe/pre-wipe), part 2 ..... 37
LIST OF ACRONYMS AND ABBREVIATIONS
ADB    Android Debug Bridge
CDMA   code division multiple access
DoD    Department of Defense
GPS    Global Positioning System
GSM    Global System for Mobile Communications
IEEE   Institute of Electrical and Electronics Engineers
iOS    iPhone Operating System
MMS    Multimedia Messaging Service
MTP    Media Transfer Protocol
NFC    near field communication
NPS    Naval Postgraduate School
OS     operating system
SD     Secure Digital
SIM    subscriber identity module
SMS    Short Message Service
URL    Uniform Resource Locator
USB    Universal Serial Bus
Wi-Fi  Wireless Fidelity
WLAN   wireless local area network
ACKNOWLEDGMENTS
This research project would not have been possible without the guidance and
support of Dr. Neil Rowe and Dr. Simson Garfinkel. I would especially like to recognize
Dr. Rowe for his patience and encouragement when it was most required.
I. INTRODUCTION
A. MOBILE DEVICES, APPLICATIONS, AND USER DATA
There has been significant growth in personal smartphone devices. In June 2013, the Google Android smartphone held 51.8% of the market, the highest share in the U.S. (Table 1) [1]. Apple iOS maintained the second largest share at 40.6%, followed by BlackBerry at 3.4% and Microsoft at 3.1% [1]. Symbian still holds a 0.2% market share but has been discontinued by Nokia. The last Symbian smartphone was shipped in mid-2012, according to the company's 2012 Interim Report [2].
Top Smartphone Platforms
3 Month Avg. Ending Dec. 2013 vs. 3 Month Avg. Ending Sep. 2013
Total U.S. Smartphone Subscribers Age 13+
Source: comScore MobiLens

Share (%) of Smartphone Subscribers
Platform                      Sep-13    Dec-13    Point Change
Android                        51.8%     51.5%    -0.3
Apple                          40.6%     41.8%     1.2
BlackBerry                      3.8%      3.4%    -0.4
Microsoft                       3.3%      3.1%    -0.2
Symbian                         0.3%      0.2%    -0.1
Total Smartphone Subscribers  100.0%    100.0%

Table 1. Top Smartphone Platforms (from [1]).
Mobile phones use flash-memory [3] to store the base mobile operating system
(OS), applications (apps), and user data. First-party applications are software created by
the operating-system provider. For example, the Android smartphone includes a
phonebook, a calendar and text-messaging applications created by Google’s own
software-development team. Third-party applications are created by developers other
than the provider of the mobile operating system.
The internal flash memory of a mobile device contains several types of user-generated information such as phone numbers, addresses, Short Message Service (SMS)
text messages, and cell data. These data can be extracted with the use of digital forensics
tools and used to profile a user’s activity. Digital forensics is a branch of forensic science
that investigates digital information stored in various electronic media. It can help
investigate cybercrime, computer-based terrorism, and computer hacking involving
digital environments.
All smartphones provide a way to erase (reset) personal information from flash
memory. The main focus of this thesis is to evaluate the effectiveness of the "factory
data reset" feature on smartphones. A detailed and comprehensive survey can benefit not
only the forensic community, but also anyone who uses a smartphone. The end result will
help illustrate the limits of the privacy protection offered by factory-reset features. It can also
contribute to improved smartphone security and privacy policies if vendors use this
research to improve their products.
B. RESEARCH QUESTIONS
This thesis attempts to answer one primary question:
• How much user-generated data is left on a smartphone after using the mobile phone's factory reset/wipe function?
Two secondary questions also need to be addressed:
• How much private/personal information can be extracted after the wipe?
• Can recovered data be used to identify or profile a user?
C. THESIS STRUCTURE
The remainder of the thesis is organized as follows. Chapter II discusses prior
work in mobile forensics and similar research done on this topic. Chapter III covers
the forensics process and all hardware, software and computer environments used in
these experiments. Chapter IV covers the experiments, with some sample memory images.
Chapter V ends with conclusions and proposes future research work.
II. BACKGROUND AND RELATED WORK
A. GROWTH OF SMARTPHONES AND MOBILE COMPUTING
Mobile phones have become a significant consumer product in recent years. A
telephone survey by Google Inc. of 2,000 adults in five countries [4] found that
consumers own mobile phones more than any other mobile device. As Table 2 depicts,
the survey found that Japan has the highest adoption rate of mobile phones (96%), followed
by the United Kingdom (87%).
Device                         United States  United Kingdom  France  Germany  Japan
Feature phone/Smartphone       78%            87%             74%     76%      96%
Media player with web access   24%            17%             23%     12%      30%
Tablet PC Slate/Pad             9%             4%              3%      3%       5%
Handheld gaming device         15%            17%             14%      7%      42%
eReader                         9%             3%              1%      1%       2%

Table 2. Mobile Internet & Smartphone Adoption: October 2011 (from [4]).
A smartphone contains much of the functionality of a desktop PC, but it also
includes radio communications capabilities that desktop PCs typically lack.
Communication functionalities include GSM/CDMA radio, Near Field Communications,
GPS, Wi-Fi and Bluetooth communication. The high mobility of these devices can be the
most important factor in the shift from desktop/laptop computer to smartphones. Unlike
laptops or desktop computers, a smartphone can easily fit in a pocket. It is a computer
that is easy to use and small enough to be used almost anywhere. A user can browse the
Internet, check email, use GPS navigation, and make online payments from personal
bank accounts. Hence, a device this capable is also likely to contain personal user data.
There are various ways a user can protect his or her personal information on
smartphones. Android and iOS phones can be set up to require a login password. Some
phones include a data encryption method to protect sensitive data. Also, third-party
developers market mobile protection/encryption software [5] that can be installed on both
Android and iOS phones. The iPhone has hardware encryption enabled by default for all
data stored in its flash memory. There is also a Data Protection API provided by Apple that can be
used to implement application-level encryption.
In addition, common smartphones on the market today include some kind of
“factory reset” feature. A factory reset is similar to formatting a hard disk drive on a
computer system, but the details differ. Formatting deletes all pre-existing partitions and
data on the hard drive and creates a new file system. The factory reset is intended to
remove everything except pre-installed software, deleting user data in particular.
The following is a list of data that should be erased by the factory reset [6], [7].
• User account information (including email address)
• User settings for the operating system and applications
• Downloaded third-party applications
• Downloaded music (.mp3s, .flac, and .aac)
• Downloaded images and photos taken by the camera (.jpg, .png)
• Other user data (address book/phone book/calendar data)
The data that should be left behind after a factory reset is:
• The operating system installed with the smartphone
• First-party software (the operating system and associated software of the main vendor) and software (by other vendors authorized by the main vendor) bundled with the operating system
• SD card files, as contrasted with files on the main flash memory on the phone
B. PRIOR WORK
Very little academic research has been conducted regarding the correctness of the
factory reset feature on smartphones. However, there have been numerous articles on
technology websites discussing potential risks [8], [9], [10]. The following are examples
of the kinds of data left behind after a factory reset, from the GottaBeMobile: Mobile News
& Reviews website:
• Porn
• Court records
• Social Security Numbers
• Resumes
• College applications
• Cookies
• Child support documents
• Employee records
• Bank statements
• Credit card statements
• Tax returns
• Emails
• Contact lists
• Photos
The authors tested secondhand phones purchased through Craigslist, which they
then reset using the factory feature. The article concluded that the factory-reset feature
did not work as expected.
Another publication studied the effectiveness of the factory reset for network data
structures left on an Android device [11]. The primary question was "Do sufficient
residual artifacts exist on mobile devices to extract enough data to identify the device's
previous network access points?" The research used controlled data transfers between
Android smartphones and multiple network access points (cellular, wireless, and
Bluetooth). Residual data left on test devices included "userdata" partitions containing
Service Set Identifiers (SSID), wireless-router Subscriber Identity Modules (SIM), DHCP
ACKs from wireless routers, base-station metadata that included the Mobile Network
Code (MNC), Mobile Country Code (MCC), Location Area Code (LAC) and Cell
Identification (CID), wireless-router Media Access Control (MAC) addresses, and the
Bluetooth MAC addresses of devices paired with the phone. It concluded that the factory-reset feature was not sufficient to delete user-generated network data.
This thesis expands the research scope by analyzing all user-generated content. It
analyzes all types of residual artifacts left behind after a factory reset.
III. DIGITAL FORENSICS TOOLS
A. COMPUTER FORENSICS
Computer forensic investigations follow a similar process to other forensic
investigations [12]. The process involves acquisition, analysis and reporting of potential
evidence involving criminal activity. The evidence can be collected from any type of
storage media. Examples of storage media are:

A hard disk drive from computer system

A CD/DVD/Blu-ray optical disk

A MO magnetic disk

A CF/SM/MMC memory card

A mobile SIM card

A USB flash memory
Forensic tools can be used to acquire data from storage media by physical or
logical acquisition. Physical acquisition is a bit-by-bit copy of an entire physical store of
data. Logical acquisition is a bit-by-bit copy of the logical storage object such as
directories and files.
The National Institute of Standards and Technology provides guidelines for
forensic data acquisition and specifications for forensic tools [13]. NIST’s Computer
Forensics Tool Testing (CFTT) program establishes the methodology for testing
computer forensic software. CFTT is part of the Software Diagnostics and Conformance
Testing Division which is supported by The Office of Law Enforcement Standards. The
project provides a means to help understand the capability, limitations, and validity of
computer forensics tools. The tools to be tested are broken up into several categories:
disk imaging, forensic media preparation, write-blocking software, write-blocking
hardware, and mobile devices.
Disk imaging is the process of making a secure forensically sound copy of digital
media that can retain the data for an extended period. "Disk Imaging takes a sector-by-sector
copy usually for forensic purposes and as such it will contain some mechanism to
prove that the copy is exact and has not been altered." [14].
Forensic media preparation is the practice of wiping the target media before
storing forensics data onto the forensics examiner’s computer. A hard disk drive is
usually used as a target media to store collected data. A wiping process prevents collected
data on the target media from being “contaminated” by previously collected evidential
data. A wipe should completely delete the existing data by overwriting all writable parts
of the media. The Unix “dd” command is a common utility used to wipe storage media
[15], and it can also be used to wipe data from internal flash memory in mobile phones.
Write blockers are write-protection utilities used in the acquisition of digital forensic data.
These utilities enable examiners to create images of media devices without the risk of
accidentally writing to the subject media and thereby altering the contents [16].
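The wipe-then-verify step of forensic media preparation, as an added example that is not code from the thesis: it runs the dd invocation the paragraph refers to against a target and then reads the target back to confirm that no non-zero byte survived, which is the check an examiner needs before trusting prepared media (and, for this thesis's topic, before believing a device was actually wiped). The target path, the block-size choice and the 8 KiB sample file are assumptions made for the demo; a real target would be an unmounted block device, and if dd is not on PATH the overwrite falls back to plain Python writes.

```python
"""Forensic media preparation: wipe a target with dd, then verify the wipe.

Added example, not code from the thesis. `wipe_and_verify` runs the dd
command the text refers to and then does what dd alone never does: reads the
whole target back and confirms that no non-zero byte survived. The demo
target is a regular file constructed here; on real media it would be a block
device such as /dev/sdX (a placeholder, not a path from the thesis).
"""
import os
import shutil
import subprocess
import tempfile
from typing import Optional


def target_size(target: str) -> int:
    """Size in bytes of a regular file or block device (seek to end, no stat)."""
    with open(target, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        return fh.tell()


def block_size(size: int) -> int:
    """Largest convenient dd block size that divides the target exactly."""
    for bs in (1 << 20, 4096, 512):
        if size % bs == 0:
            return bs
    return 1


def wipe(target: str) -> int:
    """Overwrite every byte of `target` with zeros; returns the byte count."""
    size = target_size(target)
    bs = block_size(size)
    if shutil.which("dd"):
        # conv=notrunc keeps a regular file at its original size, as a device would be.
        subprocess.run(
            ["dd", "if=/dev/zero", f"of={target}", f"bs={bs}",
             f"count={size // bs}", "conv=notrunc"],
            check=True, stderr=subprocess.DEVNULL,
        )
    else:  # assumption: no dd available, write the zeros ourselves
        with open(target, "r+b") as fh:
            for _ in range(size // bs):
                fh.write(bytes(bs))
    # Make sure the zeros reached the medium before anyone reads it back.
    fd = os.open(target, os.O_RDONLY)
    try:
        os.fsync(fd)
    finally:
        os.close(fd)
    return size


def first_residue(target: str, chunk: int = 1 << 20) -> Optional[int]:
    """Offset of the first non-zero byte, or None when the target is all zeros."""
    offset = 0
    with open(target, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return None
            if data.count(0) != len(data):
                # Locate the exact byte so the report is actionable.
                return offset + next(i for i, b in enumerate(data) if b)
            offset += len(data)


def wipe_and_verify(target: str) -> dict:
    """Wipe, then independently verify; `verified` is False if anything survived."""
    written = wipe(target)
    residue = first_residue(target)
    return {"bytes_written": written, "verified": residue is None,
            "first_residue": residue}


def demo() -> dict:
    """Constructed sample: an 8 KiB file with 'user data' in its second block."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        sample = bytearray(8192)
        sample[4096:4096 + 11] = b"photo bytes"
        tmp.write(sample)
        path = tmp.name
    try:
        result = {"residue_before": first_residue(path)}
        result.update(wipe_and_verify(path))
        result["size_after"] = os.path.getsize(path)
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Run as a script it wipes and verifies the constructed sample. Pointing `wipe_and_verify` at a block device is destructive by design, so do it only with the device unmounted and the write intended; the verification pass is what turns "dd finished" into evidence that the medium is clean.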
Several forensic techniques have been developed to help investigations such as
string search, memory forensics, file extraction, feature extraction, and cross-drive
analysis [17], [18], [19], [20]. These techniques increase the utility of captured data in
forensics analysis. Memory forensics analyzes information stored on volatile memory,
internal memory inside a computer or mobile device that requires power to maintain. The
data stored in the memory changes frequently while the computer or mobile device is
operational, which makes it hard to verify the data collected from memory. This can lead
to problems if the examiner wants to run the acquisition process more than once [21].
String searching is the process of locating specific ASCII or Unicode strings in
files, directories or raw images. These strings can be names, phone numbers, email addresses,
country codes, IP addresses, or the names of software installed on a system. The examiner can look for
any kind of key term or single word, but string searching can also help spot patterns in a system.
Regular expressions can be used to describe patterns in a string. An example regular
expression is "/^[a-z0-9_-]/", which matches any string whose first character (^) is a lower-case
letter (a-z), a digit (0-9), an underscore or a hyphen; the square brackets denote a set of
alternatives for a single character, not a sequence.
B. MOBILE FORENSICS
Mobile forensics has its own set of acquisition tools [22], [23], [24]. Imaging,
forensic extraction, memory forensics, and string searching can all be applied to mobile
forensics investigations. However, there are some differences. Hard disk drives can easily
be removed from a computer system for data acquisition and analysis, and during this
process the hard disk drives can be protected using a write blocker utility. A mobile
device cannot be processed the same way because the internal flash memory is usually
soldered onto the circuit board, and removing the flash memory may damage it. Most
mobile forensics tools do not require the flash memory to be removed; instead the
phone is connected directly to a forensics hardware tool, or plugged into a computer system
running the forensics software [25]. The mobile phone architecture is also different from
a standard desktop computer. The mobile hardware supports various radio
communications like GSM/CDMA, GPS, Wi-Fi, NFC and Bluetooth. This radio
communication capability will generate additional user data on the smartphone. The
GSM/CDMA and GPS radios store geolocation data. Wi-Fi, NFC and Bluetooth may
store user account login information and passwords. User data are locally stored on the
smartphone’s flash memory.
C. MOBILE FORENSIC TOOL CELLEBRITE UFED
A commercial forensics tool from Cellebrite was used for the data extraction
process in our experiments. The Cellebrite UME-36 Pro is a standalone phone-memory
transfer and backup solution that is capable of extracting data from a wide variety of
mobile devices [26]. There are three key components for this forensics tool:
• Cellebrite UME-36 Pro – Universal Memory Exchanger 1.2.2.3
• Cellebrite UFED Physical Analyzer 3.7.2.0
• Cellebrite Phone Detective 1.2
The UME-36 Pro enables logical, password, SIM, file-system, and physical
extractions of data from mobile devices. It is a hardware solution for data extraction. The
extracted data can be viewed and analyzed with the UFED Physical Analyzer software.
UME-36 Pro claims to extract the following data from a smartphone [27]:
• Call logs
• Contacts
• Email
• Pattern locks
• Bookmarks
• Cookies
• Text strings from Short Message Service (SMS) / Multimedia Messaging Service (MMS)
• Chat messages
• Location data including cell tower locations and usage
• Web browser history including records of visited websites
• Digital photography, digital videos, and audio files
• Text files
• Deleted data
• Wi-Fi including connection times, basic service set identifiers (BSSID), service set identifiers (SSID), and security modes
• GPS information added to media files (geotags)
The UFED Physical Analyzer is the software used to decode and analyze physical extractions. A physical extraction
creates a single binary extraction file for each embedded flash memory chip, or at least for
the address range used by the mobile device. Unlike logical extraction, physical
extraction can bypass the device's operating system and extract data directly from the
mobile device's internal flash memory. The UFED-extracted data from the device is
saved as a raw binary file that is later read and decoded using the UFED Physical
Analyzer application. The images created from the physical extraction process include
files deleted by the operating system or user. The images are saved with a .ufd extension.
The analyzer provides an overview of the mobile-device data with decoding, analysis, and report
generation [28].
The Cellebrite Phone Detective application helps investigators identify a mobile
phone by its physical attributes, eliminating the need to start the device and risk a device
lock or possible data loss. It asks eight key questions regarding the phone's physical
appearance and provides the user with the detailed extraction capability per device,
connectivity details and device characteristics [29]. The visual elements used to
identify the device are:
• Phone type (candy bar, clamshell, slider, tablet)
• Body (connection port, cable, charging socket)
• Power button (power, volume, camera, keypad)
• Miscellaneous (battery cover type, memory card slot)
• Basic (brand logo: Apple, HTC, Acer, LG / network technology: GSM, CDMA)
• Camera (type, location, flash)
• Display type (touch, non-touch, stylus)
D. MOBILE FORENSIC TOOL BULK EXTRACTOR
The forensics software Bulk Extractor (bulk_extractor-1.4.1-windowsinstaller.exe)
[30] was also used for analysis of recovered files. Bulk Extractor is a carving and feature
extraction tool that can be used on all kinds of digital media. It can scan disk images (raw,
split-raw, EnCase E01, AFF), files and directories to extract useful information without
parsing the file system or file system structures. The program can extract phone numbers,
email addresses, credit card numbers and URLs by inspecting the contents of any
file or file fragment. It can also recover data from compressed files using the ZIP and gzip
algorithms. The extractor is run over an image or directory and creates a report directory with
feature files (e.g., email.txt, url.txt). Each line of a feature file records the location where the
feature was found, the feature itself, and the feature surrounded by its local context. The tool is
generally used for file identification and cross-drive analysis [31].
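A feature extractor in the spirit of the string searching described in III.A and of the feature files Bulk Extractor produces, as an added example that is neither the thesis's code nor bulk_extractor's: it scans a raw byte image with no file-system parsing, emits offset, feature and context for every hit, and decompresses gzip members it finds so that user data inside compressed blobs is not missed (the point of the ZIP/gzip support mentioned above). The regular expressions, the Feature record and the constructed sample image (which borrows the account and SSID names from the thesis's experiment protocol) are assumptions of this example, and the patterns are deliberately simpler than bulk_extractor's own scanners.

```python
"""Feature extraction over a raw image, bulk_extractor style.

Added example, not the thesis's code and not bulk_extractor itself. It scans a
byte buffer (a physical image, carved file or string-search target) without
parsing any file system, records each hit with its byte offset and the bytes
around it, and decompresses any gzip member it meets so features inside
compressed data are reported too. The regexes are simplified assumptions and
the image is constructed below.
"""
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Dict, List

PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_%?=&#~-]+"),
    # 10-digit North American number with separators, not inside a longer digit run
    "phone": re.compile(rb"(?<!\d)\d{3}[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "ssid": re.compile(rb"SSID=[^\x00\r\n]{1,32}"),
}
GZIP_MAGIC = b"\x1f\x8b\x08"


@dataclass(frozen=True)
class Feature:
    kind: str
    offset: int      # byte offset in the image (for gzip hits, the member's offset)
    value: bytes
    context: bytes   # the feature plus a few bytes either side, as in a feature file
    origin: str      # "raw" or "gzip"


def _scan_buffer(buf: bytes, base: int, origin: str, width: int = 12) -> List[Feature]:
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            ctx = buf[max(0, m.start() - width): m.end() + width]
            off = base + m.start() if origin == "raw" else base
            hits.append(Feature(kind, off, m.group(0), ctx, origin))
    return hits


def _gzip_members(image: bytes):
    """Yield (offset, decompressed bytes) for every valid gzip member in the image."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper
        try:
            yield pos, d.decompress(image[pos:])  # trailing bytes land in unused_data
        except zlib.error:
            pass  # magic bytes that were not a real member
        pos = image.find(GZIP_MAGIC, pos + 1)


def scan(image: bytes, expand_gzip: bool = True) -> List[Feature]:
    """All features in the raw bytes, plus those inside gzip members if requested."""
    hits = _scan_buffer(image, 0, "raw")
    if expand_gzip:
        for off, payload in _gzip_members(image):
            hits.extend(_scan_buffer(payload, off, "gzip"))
    return sorted(hits, key=lambda f: (f.offset, f.kind, f.value))


def feature_files(hits: List[Feature]) -> Dict[str, List[str]]:
    """Group hits into 'offset<TAB>feature<TAB>context' lines per kind, one file per kind."""
    out: Dict[str, List[str]] = {}
    for f in hits:
        line = f"{f.offset}\t{f.value.decode('latin-1')}\t{f.context.decode('latin-1')}"
        out.setdefault(f.kind + ".txt", []).append(line)
    return out


def sample_image() -> bytes:
    """Constructed image: slack, a login record, a Wi-Fi record, a gzip blob, a URL."""
    blob = gzip.compress(b"contacts: forensic.nps@gmail.com tel 831-555-0100", mtime=0)
    return (bytes(64) + b"login user rschwamm@nps.edu" + bytes(10)
            + b"SSID=NGSTV224\x00" + blob
            + b"see http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html" + bytes(32))


if __name__ == "__main__":
    for name, lines in feature_files(scan(sample_image())).items():
        print(name)
        for line in lines:
            print("  " + line)
```

Running it prints one pseudo feature file per kind. The email and phone number inside the gzip member only appear when `expand_gzip` is left on, which is why a plain grep over an image under-reports what a reset left behind: compressed caches and backups hold user data that a byte-level string search never sees.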
E. OTHER MOBILE FORENSICS TOOLS TESTED
Several other forensics tools were tested for this research project before we
selected Cellebrite. Those that offer features similar to the Cellebrite UFED tools were as
follows.
viaExtract: This is a mobile forensics tool developed and distributed by
viaForensics [32]. It is designed for extracting and analyzing data from Android
smartphones. It is distributed as a standalone virtual appliance that runs on VMware
Workstation. The pre-installed extraction tools could not properly analyze several
Android phones; they would often return an error during the extraction process on our test
phones.
Key features:
• Temporarily or permanently remove a password/pattern/PIN lock on an Android device running OS 2.2 or higher.
• Allow the examiner to forensically image external (SD) and internal (eMMC) storage directly from the device.
• Allow examiners an additional bypass option on gesture-key-locked devices.
Oxygen Forensic Suite 2013: This forensics suite is developed and distributed by
Oxygen Software [33]. The company specializes in forensic data examination tools for
smartphones and mobile devices. The program performed fairly well and could recover
a large number of files (images, video, system files, logs).
Key features:
• Displays complete technical information about the mobile device.
• Extracts user contact information with all its data: name, occupation, phone numbers, addresses, emails, notes.
• Extracts event log data, phonebook, messages (SMS, MMS, emails, iMessages).
• File browser analyzes user photos, videos, documents and device databases.
Recuva: This is a free program developed and distributed by Piriform [34]. It is a
disk recovery tool that is capable of recovering files deleted or damaged on media devices.
The program can recover a large number of files from the internal flash memory of a
smartphone. However, the program does not provide an analysis tool for the recovered
data, which makes file analysis very difficult. Several files could not be opened or
viewed with the program.
Key features:
• Undelete files.
• Recover damaged or formatted disks.
• Recover deleted emails.
• Recover deleted iPod music.
• Restore unsaved documents.
• Perform deep scan.
IV. EXPERIMENTS
A. CONTROLLED EXPERIMENT WITH TWO SMARTPHONES
Two smartphones were used for a controlled experiment: an Apple iPhone 4S and a Samsung Galaxy SIII. The following protocol was used to artificially generate data in a controlled environment.

• Log into the Android phone with the account forensic.nps@gmail.com, and the iPhone with the account rschwamm@nps.edu.

• Connect to the NPS wireless network (NGSTV224) and visit 4 websites using the default browser:
  1. Nps.edu
  2. Fark.com
  3. Yahoo.com
  4. Npr.org

• Take six pictures with the built-in camera: 6 pictures of the numbers 1, 2, 3, 4, 5, 6. The first 3 image files are left unaltered. The second 3 image files are manually renamed:
  o testschwamm_pic_4
  o testschwamm_pic_5
  o testschwamm_pic_6

• Access files and links from the following website:
  http://faculty.nps.edu/ncrowe/testschwamm0114__doc_sample.docx
  http://faculty.nps.edu/ncrowe/testschwamm0114__pdf_sample.pdf
  http://faculty.nps.edu/ncrowe/testschwamm0114__ppt_sample.pptx
  http://faculty.nps.edu/ncrowe/testschwamm0114__wav_sample.wav
  http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html
  http://faculty.nps.edu/ncrowe/testschwamm_0114_pics.html
  http://faculty.nps.edu/ncrowe/testschwamm_0114_video.html
  http://faculty.nps.edu/ncrowe/testschwamm0114_feat.html

• Install the following list of software on the Android phone:

  “Reddit is fun”
  https://play.google.com/store/apps/details?id=com.andrewshu.android.reddit&hl=en
  Visit 3 postings on www.reddit.com
    o “ELI5: The Amanda Knox Appeal”
      http://www.reddit.com/r/explainlikeimfive/comments/1wlin9/eli5_the_amanda_knox_appeal/
    o “Why are the wheels of NASA’s Mars rover, Curiosity, wearing out?”
      http://www.reddit.com/r/askscience/comments/1wnb8s/why_are_the_wheels_of_nasas_mars_rover_curiosity/
    o “Hey, I am Nikki Sixx from Motley Crue, AMA”
      http://www.reddit.com/r/IAmA/comments/1wnsxv/hey_i_am_nikki_sixx_from_m%C3%B6tley_cr%C3%BCe_ama/

  “Facebook”
  https://play.google.com/store/apps/details?id=com.facebook.katana&hl=en
  Login and browse.

  “Google Drive”
  https://play.google.com/store/apps/details?id=com.google.android.apps.docs&hl=en
  Login/sync and open 3 files
    o testschwamm_ppt1.pptx
    o testschwamm_ppt2.pptx
    o testschwamm_ppt3.pptx

  “DropBox”
  https://play.google.com/store/apps/details?id=com.dropbox.android&hl=en
  Login/sync and open 3 files
    o testschwamm_doc1.docx
    o testschwamm_doc2.docx
    o testschwamm_doc3.docx

  “Youtube”
  https://play.google.com/store/apps/details?id=com.google.android.youtube&hl=en
  Login and watch 3 videos
    o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0
    o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA
    o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

  “Audible”
  https://play.google.com/store/apps/details?id=com.audible.application&hl=en
  Login and download/listen to 3 excerpts
    o Bossypants (Excerpt)
    o The Hunger Games (Excerpt)
    o Matterhorn (Excerpt)

  “Kindle”
  https://play.google.com/store/apps/details?id=com.amazon.kindle&hl=en
  Login and open 3 PDF files
    o testschwamm_article1.pdf
    o testschwamm_article2.pdf
    o testschwamm_article3.pdf

• Upload a text document ‘testschwamm_password.txt’ to the root directory of each phone.

• Upload a zip file containing the above text file, named ‘testschwamm_userdata.zip’, to the root directory of each phone.

• Use the following list of pre-installed software on the iPhone:

  “Youtube”
  Login and watch 3 videos
    o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0
    o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA
    o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

  “Notes”
  Create 3 note entries
    o DVD Movie List
    o Shopping List
    o Test date and homework due date

  “Remind Me”
  Create 3 reminders on different dates
    o ‘Reminder 1’ ‘02/01/2014 5:00PM’
    o ‘Reminder 2’ ‘03/03/2014 7:00AM’
    o ‘Reminder 3’ ‘04/05/2014 11:00AM’
The phones were not password protected by the user, and no data was intentionally encoded or encrypted by the phone. Following use, a factory reset was performed through the phone’s settings menu under “Privacy” or “Backup & Reset”. The reset menu lists all data that will be erased in the process (user account, system and application data and settings, downloaded applications, music, pictures and other user data). The user did not have any selectable options for the reset on either phone. The process takes a few minutes, after which the phone restarts and resumes normal operation.
Following the factory reset, the phones were imaged with the UME-36 Pro and UFED Physical Analyzer. All images were saved in the tool’s proprietary format (.ufd).
A total of 61,276 files were recovered from the pre-wipe iPhone image and 43,165 from the post-wipe image. 42,728 files matched on both path and contents between pre-wipe and post-wipe. After partial matches were removed from the comparison, 17,914 pre-reset files and 115 post-reset files remained unmatched. 36,292 files had zero size in the pre-wipe image and 36,319 in the post-wipe image. Executable “.app” files numbered 24,862 pre-wipe and 8,062 post-wipe. Files relating to the operating system numbered 29,812 pre-wipe and 27,621 post-wipe.
Overall, the reset did a good job of removing third-party software. All the picture images and text documents were deleted by the reset, with the exception of some cache and settings information (YouTube, Facebook).
Bulk Extractor was used for string searching. A number of preference and configuration files were recovered after the reset, but none contained the keywords. “Preferences” can include private user information [35], but none was seen in the “.plist” preference files. Table 3 lists some sample files remaining after the reset that could be of interest in forensic investigations. Such indirect information can be collected and used to profile a user: a forensic investigator could determine where and how the device was used.
| File | Description |
|---|---|
| System/InnsbruckTaos11B554a.N90OS/System/Library/PrivateFrameworks/Preferences.framework/SupplementalLocaleData.plist | Location and language settings |
| System/InnsbruckTaos11B554a.N90OS/usr/share/mecabra/ja/rerank.dat | Resource rankings? |
| Data/Data/Keychains/keychain-2.db | Keys |
| Data/Data/logs/lockdownd.log | Security event log |
| Data/Data/mobile/Applications/B8AD4B05-2518-4570-8447-7BE2BFDA8F9F/Library/Preferences/com.apple.mobilesafari.plist | Browser preferences |
| Data/Data/mobile/Library/BulletinBoard/SectionInfo.plist | Bulletin board index |
| Data/Data/mobile/Library/Caches/com.apple.springboard/Cache.db-wal | Screen cache for user (“wal” is the SQLite write-ahead log) |
| Data/Data/mobile/Library/Cookies/com.apple.itunesstored.2.sqlitedb | Cookies for iTunes |
| Data/Data/mobile/Library/Mail/Content Index | Mail keywords |
| Data/Data/mobile/Library/Maps/Bookmarks.plist | Map bookmarks |
| Data/Data/mobile/Library/Preferences/com.apple.identityservicesd.plist | Account information |
| Data/Data/mobile/Media/PhotoData/changes-shm | Incremental photo data |
| Data/Data/root/Library/Caches/locationd/consolidated.db | Location data |
| Data/Data/tmp/MediaCache/diskcacherepository.plist | Disk cache information |

Table 3. Sample files from post-wipe iPhone
A total of 5,141 files were recovered from the pre-wipe Android image and 3,578 from the post-wipe image. 3,292 files matched on both path and content between pre-wipe and post-wipe. After partial matches were removed from the comparison, 968 pre-wipe and 65 post-wipe files remained unmatched. 227 files had zero size in the pre-wipe image and 278 in the post-wipe image. Executable “.apk” files numbered 396 pre-wipe and 277 post-wipe. Other executable files such as “.dex” files went from 140 pre-wipe to 121 post-wipe, and “.so” files from 302 to 254. The reset did not delete any picture images taken with the camera. None of the created text files (.txt, .doc, .pdf, .ppt) was removed. Cached and deleted copies of these files and image components were also not erased. Third-party applications were deleted. However, following the wipe we could recover files from the Kindle and DropBox applications that belonged to the user. These files should have been deleted along with the application. The fact that files from deleted applications were found post-wipe implies that the wipe process explicitly deleted individual files rather than clearing the storage as a whole, a topic that we will return to in Chapter V.
Bulk Extractor was used again for additional string searching. Website links were all deleted in the reset. However, the links for the four visited websites were found in various files pre-wipe, a total of 116 links. It is unclear why so many duplicate links were saved on the phone. The wipe left most of the operating system files intact, just like the iPhone reset. Table 4 lists some sample files remaining after the reset that could be of interest in forensic investigations.
| File | Description |
|---|---|
| CACHE/Root/recovery/last_log | Recovery log |
| SYSTEM/Root/addon.d/blacklist | Four MD5 hash values |
| SYSTEM/Root/etc/apns-conf.xml | Phone carrier IP address |
| SYSTEM/Root/etc/audio_policy.conf | Attached audio devices listing |
| SYSTEM/Root/etc/gps.xml | GPS settings |
| USERDATA/Root/backup/pending/journal2114683955.tmp | Data backup |
| USERDATA/Root/data/com.android.providers.calendar/databases/calendar.db | Calendar data |
| USERDATA/Root/data/com.android.deskclock/databases/alarms.db | Alarm data |
| USERDATA/Root/media/0/amazonmp3/temp/log.txt | Log file of Amazon Cloud Player |
| USERDATA/Root/media/0/Android/data/com.andrew.apollo/cache/ImageCache/3910b1e0ccab19bc46fd9db27cca49c9.0 | Image cache data |
| USERDATA/Root/media/0/iPhone3G.2013-11-07.16-3930/Email/108/478/1256.sql | Database script of ours, unclear how it got here |
| USERDATA/Root/misc/wifi/softap.conf | Access point data |
| USERDATA/Root/system/users/userlist.xml | User ID information |
| USERDATA/Root/drm/fwdlock/kek.dat | Lock data |
| USERDATA/Root/media/0/Android/data/com.dropbox.android/files/scratch/09thesis_regan.pdf | Document of previous phone user |

Table 4. Sample files from post-wipe Android phone
Some smartphones provide several variations of reset. A “hard reset” can be performed using the hardware keys (by a procedure specific to each device). Newer iPhones provide the additional reset options “Reset All Settings,” “Reset Network Settings,” “Reset Keyboard and Dictionary,” “Reset Home Screen Layout,” and “Reset Location and Memory”. All of these options were used and a new post-wipe image was generated. These options deleted an additional 222 files from the phone but did not delete any of the files listed in Table 3. The additional reset options did not produce any significant further deletions.
The hard reset on the Android phone gave an additional option for a “cache reset”. This option was used and a new post-wipe image was generated, as for the iPhone. It did not delete any text or media files put on the device; of the files in Table 4 it deleted only the sixth. Four files with the “db” extension were deleted. The reset added six files (two Bluetooth cache, four “telephony”), but did not do much beyond the regular reset.
B. EXPERIMENT AND DATA EXTRACTION
Two sets of smartphones were used for the main experiment. The first set of Apple iPhone images was created by the UME-36 Pro and UFED Physical Analyzer. These images were taken from the Real Data Corpus [36], a large-scale forensic corpus. All images were generated from legally obtained smartphones used by real people. The second set consisted of various smartphones (iPhone, Android, BlackBerry) that had been used for other research projects at our school. These phones did not have a SIM card installed. SIM cards contain a unique identification number associated with the user’s mobile account and contain the phone number, security data and billing information; phone calls cannot be made without a SIM card, but otherwise the phone will function normally. A few of the phones came with a custom Android operating system (CyanogenMod 10.1), a custom aftermarket firmware based on the Android Open Source Project [37] [38]. The same protocol was used to generate data, but no accounts were associated with the BlackBerry phones. A Python script was written to convert the Cellebrite proprietary XML report format to the forensic metadata standard DFXML [39]. A previously created taxonomy [40] was used to classify files by extension and directory path. The full list of smartphones and their status is given in Table 5.
| # | Smartphone | OS Version | Readiness |
|---|---|---|---|
| I1 | Apple iPhone 4 | iOS 5.1.1 | OK |
| I2 | Apple iPhone 4 | iOS 5.1.1 | OK |
| I3 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I4 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I5 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I6 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I7 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I8 | Apple iPhone 2 | iOS 3.0 | OK |
| A9 | Samsung Galaxy SIII | CyanogenMod 10.1 | Hard reset |
| A10 | Samsung Nexus | CyanogenMod 10.1 | OK |
| A11 | Samsung Galaxy Anycall | Android 1.5 | OK |
| A12 | Motorola Atrix 4G | Android 2.2 | OK |
| A13 | HTC Droid Eris | Android 2.1 | OK |
| A14 | HTC Magic | Android 1.6 | Hard reset |
| A15 | HTC Flyer (tablet) | Android 3.2 | OK |
| A16 | HTC One | Android 4.1 | OK |
| B17 | BlackBerry 8900 Curve | BlackBerry OS 4 | Unusable after reset |
| I18 | Apple iPhone 4S | iOS 5.1.1 | OK |
| I19 | Apple iPhone 2G | iOS 3.1.3 | Unusable without SIM card |
| B20 | BlackBerry 8100 Pearl | BlackBerry OS 4.5.0.174 | OK |
| B21 | BlackBerry 8300 Curve | BlackBerry OS 4.5.0.162 | OK |
| A22 | Motorola FIRE | Android 2.3.4 | Unrecognized by Cellebrite |
| A23 | Huawei U8500 | Android 2.1 | OK |
| A24 | Huawei U8150 IDEOS Comet | Android 2.2 | Unusable after reset |
| A25 | Dell XCD35 | Android 2.2 | OK |
| I26 | Apple iPhone 2 | iOS 3.1.3 | Unusable after reset |
| A27 | Motorola Charm | Android 2.1 | Totally dead |
| p28 | LG-500GHL | Unknown | Unrecognized by Cellebrite |

Table 5. Full list of smartphones and their status (from [41], [42]).
Table 6 lists the total counts of pre-wipe and post-wipe files. A large number of files were not affected by the reset. There were four types of partial matches between pre-wipe and post-wipe files (file name and hash, hash only, file path only, path ignoring digits). Several unmatched files were found post-wipe which appear to be new records created by the operating system’s activity and by the reset feature itself. The factory reset does not completely wipe a device: several files are removed during the reset, but others are just renamed, and new files are added after the reset.
| File count type | Pre-reset | Post-reset |
|---|---|---|
| Total files | 349,915 | 200,987 |
| iPhone files | 299,058 | 176,907 |
| Android files | 50,846 | 24,058 |
| Exact matches pre-wipe and post-wipe | 140,320 | 140,320 |
| Subsequent matches on filename and hash value but not all directories | 34,228 | 36,540 |
| Subsequent matches on hash value alone | 9,269 | 12,911 |
| Subsequent matches on full path alone | 2,849 | 2,836 |
| Subsequent matches on full path ignoring digits alone | 6,448 | 256 |
| Remaining unmatched | 156,801 | 8,124 |

Table 6. Summary data from 21 smartphones
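The matching cascade behind Table 6, as an added worked example rather than the thesis’s own script: two constructed DFXML file lists (namespace and most elements omitted) are matched stage by stage, each stage seeing only what the previous stages left unmatched. Two assumptions are made that the text does not state: pairing is one-to-one (the thesis’s own stage counts differ between the pre- and post-reset columns, so its matching evidently was not), and zero-size files are excluded from the hash-only stage, since every empty file carries the same digest and would otherwise pair arbitrarily.

```python
"""Stage-by-stage matching of pre-reset and post-reset file lists (Table 6).

Added example, not the thesis's script.  The two DFXML documents below are
constructed for it; real DFXML carries a namespace and many more elements.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PRE_DFXML = """<dfxml>
<fileobject><filename>System/Library/Locale.plist</filename><filesize>10</filesize><hashdigest type="md5">a1</hashdigest></fileobject>
<fileobject><filename>Data/mobile/Applications/B8AD4B05/Library/Prefs.plist</filename><filesize>20</filesize><hashdigest type="md5">b2</hashdigest></fileobject>
<fileobject><filename>Data/mobile/Media/DCIM/IMG_0001.JPG</filename><filesize>5000</filesize><hashdigest type="md5">c3</hashdigest></fileobject>
<fileobject><filename>Data/logs/lockdownd.log</filename><filesize>200</filesize><hashdigest type="md5">d4</hashdigest></fileobject>
<fileobject><filename>Data/backup/journal2114683955.tmp</filename><filesize>30</filesize><hashdigest type="md5">e5</hashdigest></fileobject>
<fileobject><filename>Data/Keychains/empty_a</filename><filesize>0</filesize><hashdigest type="md5">d41d8cd9</hashdigest></fileobject>
<fileobject><filename>Data/mobile/Media/testschwamm_pic_4.jpg</filename><filesize>700</filesize><hashdigest type="md5">f7</hashdigest></fileobject>
</dfxml>"""

POST_DFXML = """<dfxml>
<fileobject><filename>System/Library/Locale.plist</filename><filesize>10</filesize><hashdigest type="md5">a1</hashdigest></fileobject>
<fileobject><filename>Data/mobile/Applications/C9FF1E22/Library/Prefs.plist</filename><filesize>20</filesize><hashdigest type="md5">b2</hashdigest></fileobject>
<fileobject><filename>Data/mobile/Library/Caches/thumb.jpg</filename><filesize>5000</filesize><hashdigest type="md5">c3</hashdigest></fileobject>
<fileobject><filename>Data/logs/lockdownd.log</filename><filesize>260</filesize><hashdigest type="md5">d5</hashdigest></fileobject>
<fileobject><filename>Data/backup/journal9000000001.tmp</filename><filesize>30</filesize><hashdigest type="md5">e6</hashdigest></fileobject>
<fileobject><filename>Data/tmp/empty_b</filename><filesize>0</filesize><hashdigest type="md5">d41d8cd9</hashdigest></fileobject>
<fileobject><filename>Data/new/after_reset.log</filename><filesize>40</filesize><hashdigest type="md5">g8</hashdigest></fileobject>
</dfxml>"""


@dataclass
class FileRec:
    path: str
    md5: str
    size: int


def parse_dfxml(text):
    """Collect (path, md5, size) from every <fileobject> in a DFXML document."""
    recs = []
    for fo in ET.fromstring(text).iter("fileobject"):
        md5 = next((h.text.strip() for h in fo.findall("hashdigest")
                    if h.get("type", "").lower() == "md5"), "")
        recs.append(FileRec(fo.findtext("filename").strip(), md5,
                            int(fo.findtext("filesize") or 0)))
    return recs


def _hash_only(r):
    # Every zero-size file has the same digest; pairing empty files on hash
    # alone would match unrelated files, so they are ineligible at this stage.
    return r.md5 if r.size > 0 else None


# The five stages of Table 6, each expressed as the key two records must share.
STAGES = (
    ("Exact matches pre-wipe and post-wipe", lambda r: (r.path, r.md5)),
    ("Filename and hash value but not all directories", lambda r: (r.path.rsplit("/", 1)[-1], r.md5)),
    ("Hash value alone", _hash_only),
    ("Full path alone", lambda r: r.path),
    ("Full path ignoring digits", lambda r: re.sub(r"\d", "", r.path)),
)


def _pair(pre, post, key):
    """One-to-one pairing on key(); a None key means 'not eligible at this stage'."""
    index, post_left = {}, []
    for rec in post:
        k = key(rec)
        if k is None:
            post_left.append(rec)
        else:
            index.setdefault(k, []).append(rec)
    pairs, pre_left = [], []
    for rec in pre:
        k = key(rec)
        bucket = index.get(k) if k is not None else None
        if bucket:
            pairs.append((rec, bucket.pop(0)))
        else:
            pre_left.append(rec)
    post_left += [r for b in index.values() for r in b]
    return pairs, pre_left, post_left


def match_stages(pre, post):
    """Run the cascade; returns ({stage: pairs}, unmatched pre, unmatched post)."""
    counts = {}
    for name, key in STAGES:
        pairs, pre, post = _pair(pre, post, key)
        counts[name] = len(pairs)
    return counts, pre, post


def table6(pre, post):
    """Rows in the layout of Table 6: (label, pre-reset count, post-reset count)."""
    counts, left_pre, left_post = match_stages(pre, post)
    rows = [("Total files", len(pre), len(post))]
    rows += [(name, n, n) for name, n in counts.items()]
    rows.append(("Remaining unmatched", len(left_pre), len(left_post)))
    return rows


if __name__ == "__main__":
    for label, a, b in table6(parse_dfxml(PRE_DFXML), parse_dfxml(POST_DFXML)):
        print(f"{label:<50} {a:>6} {b:>6}")
```

On the constructed lists each stage claims exactly one pair, the two empty files stay unmatched because the hash-only stage refuses them, and the renamed journal file is caught only once digits are stripped from its path.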
The file taxonomy was used to further investigate what types of files are removed in the reset. The full results are listed in Table 7. Each file path is classified by file extension (E) and by the directory name of the file (D). 8,346 extensions and 6,445 directory names have a classification; the rest are labeled “miscellaneous”. Extensions longer than 10 characters are ignored.
The reset appears to focus on video and picture images, text documents, copies and temporary files, disk images, log files, XML documents and gaming applications. There is a smaller emphasis on database files, compressed data, audio, source code and data directories. The reset seems to target applications, picture images and temporary files, but is less focused on long-term user data. The reset does not remove explicitly deleted and zero-size files (which have no content but do have a filename and dates). Zero-size files may not be useful to the applications, but could provide partial user information: an empty log file could indicate that the user did not use a particular category or parameter in an application.
A clear time pattern could not be established because the phones were used over various time periods. The Physical Analyzer software also created some issues while analyzing the recovered data. Different versions of the Physical Analyzer produced different results from the same image: file access and creation times were reported differently depending on the Physical Analyzer version, and the root directory name changed between two Physical Analyzer versions.
| Type of file extension (E) or directory (D) | Pre-wipe | Post-wipe |
|---|---|---|
| E: No extension | 36561 | 21078 |
| E: Operating system | 106168 | 104406 |
| E: Graphics | 98618 | 27522 |
| E: Camera pictures | 15443 | 3967 |
| E: Temporaries | 733 | 159 |
| E: Web pages | 1418 | 680 |
| E: Documents | 3089 | 1233 |
| E: Database | 5627 | 2377 |
| E: Spreadsheets | 425 | 356 |
| E: Compressed | 601 | 278 |
| E: Audio | 16427 | 8313 |
| E: Video | 303 | 90 |
| E: Source code | 1791 | 736 |
| E: Executable | 3432 | 2856 |
| E: Disk image | 13828 | 1932 |
| E: Log | 599 | 73 |
| E: Copies and backup | 7347 | 905 |
| E: XML | 5193 | 1045 |
| E: Configuration | 20788 | 18379 |
| E: Games | 3741 | 1048 |
| E: Miscellaneous | 7307 | 3536 |
| D: Root | 1012 | 966 |
| D: Operating system | 122625 | 117701 |
| D: Hardware | 1128 | 319 |
| D: Temporaries | 12141 | 2928 |
| D: Pictures | 17950 | 4328 |
| D: Audio | 10812 | 7814 |
| D: Video | 2570 | 0 |
| D: Web | 2714 | 277 |
| D: Data | 18300 | 9771 |
| D: Programs | 3616 | 2876 |
| D: Documents | 6211 | 1036 |
| D: Sharing | 7500 | 2368 |
| D: Security | 2953 | 2749 |
| D: Games | 53722 | 0 |
| D: Applications | 84593 | 46696 |
| D: Miscellaneous | 2046 | 1126 |
| “.DELETED.” in path (*) | 20087 | 4181 |
| Zero-size files | 120112 | 128026 |

Table 7. File type counts before and after the factory reset.
(*) Paths containing the word “.DELETED” were found on the phone.
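How a table like Table 7 is produced, as an added example and not the thesis’s taxonomy code: each path is classified once by extension and once by its deepest classified directory, extensions longer than 10 characters are treated as absent, and the “.DELETED” and zero-size rows are counted separately from the categories. The category maps and the two file lists are hand-written stand-ins for the taxonomy of [40] and for real extractions.

```python
"""Extension (E) and directory (D) classification in the style of Table 7.

Added example.  EXT_CLASSES and DIR_CLASSES are a small invented stand-in
for the taxonomy of [40]; PRE_FILES and POST_FILES are constructed lists.
"""
from collections import Counter

MAX_EXT_LEN = 10  # the thesis ignores extensions longer than 10 characters

EXT_CLASSES = {
    "jpg": "Camera pictures", "jpeg": "Camera pictures",
    "png": "Graphics", "gif": "Graphics",
    "plist": "Configuration", "conf": "Configuration", "xml": "XML",
    "db": "Database", "sqlite": "Database", "sqlitedb": "Database",
    "log": "Log", "tmp": "Temporaries", "bak": "Copies and backup",
    "apk": "Executable", "dex": "Executable", "so": "Executable", "app": "Executable",
    "mp3": "Audio", "wav": "Audio", "mp4": "Video", "zip": "Compressed",
    "txt": "Documents", "docx": "Documents", "pdf": "Documents",
}
DIR_CLASSES = {
    "System": "Operating system", "usr": "Operating system", "etc": "Operating system",
    "DCIM": "Pictures", "PhotoData": "Pictures",
    "Caches": "Temporaries", "tmp": "Temporaries",
    "Keychains": "Security", "drm": "Security", "Cookies": "Web",
    "Music": "Audio", "Applications": "Applications", "Documents": "Documents",
}

# Constructed (path, size) lists standing in for a pre- and post-reset extraction.
PRE_FILES = [
    ("System/Library/Locale.plist", 10),
    ("Data/mobile/Media/DCIM/IMG_0001.JPG", 5000),
    ("Data/mobile/Library/Caches/cache.db", 0),
    ("Data/tmp/.DELETED.00123.txt", 0),
    ("Data/logs/lockdownd", 200),
    ("Data/Keychains/keychain-2.db", 100),
    ("Data/media/0/.nomedia", 0),
]
POST_FILES = [
    ("System/Library/Locale.plist", 10),
    ("Data/mobile/Media/DCIM/IMG_0001.JPG", 5000),
    ("Data/Keychains/keychain-2.db", 100),
    ("Data/media/0/.nomedia", 0),
]


def ext_class(path):
    name = path.rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    # Dot-files such as ".nomedia" and over-long "extensions" (usually
    # hashes or version strings) are treated as having no extension.
    if not dot or not stem or len(ext) > MAX_EXT_LEN:
        return "No extension"
    return EXT_CLASSES.get(ext.lower(), "Miscellaneous")


def dir_class(path):
    dirs = path.split("/")[:-1]
    if not dirs:
        return "Root"
    for d in reversed(dirs):          # deepest classified directory wins
        if d in DIR_CLASSES:
            return DIR_CLASSES[d]
    return "Miscellaneous"


def tally(files):
    """files: iterable of (path, size).  Returns a Counter keyed like Table 7's rows."""
    c = Counter()
    for path, size in files:
        c["E: " + ext_class(path)] += 1
        c["D: " + dir_class(path)] += 1
        if ".DELETED" in path:
            c['".DELETED." in path'] += 1
        if size == 0:
            c["Zero-size files"] += 1
    return c


def compare(pre, post):
    """Rows (label, pre-wipe count, post-wipe count) for every label seen in either list."""
    a, b = tally(pre), tally(post)
    return [(k, a[k], b[k]) for k in sorted(set(a) | set(b))]


if __name__ == "__main__":
    for label, before, after in compare(PRE_FILES, POST_FILES):
        print(f"{label:<28} {before:>6} {after:>6}")
```

Because a path is counted once under E and once under D, the E rows and the D rows each sum to the file total independently, which is why Table 7 cannot be read as a single partition of the files.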
The data collected from the Physical Analyzer are listed in Tables 8 and 9. The Physical Analyzer categorizes each data type into the following groups.

Phone Data:

• Application Usage: application name, number of launches, activations, active time, and date.
• Call Log: caller phone number, time stamp, duration, and type (incoming/outgoing/missed).
• Contacts and Cookies: contact name, organizations, phone number, emails, other entries, notes, and addresses.
• Installed Applications: application name, version, identifier, App ID, purchase date, and delete date.
• IP Connections: timestamp, domain, router address, MAC address, cellular WAN, device IP, DNS address, and service name.
• Locations: timestamp, position, and name.
• Maps: source, zoom level, and tiles.
• Passwords
• SMS Messages: timestamp, folder (drafts, inbox, sent), phone number, text string, and status (unsent, sent, or read).
• User Accounts: name, user name, password, and service type.
• User Dictionary: word, locale, and bookmark note.
• Wireless Networks: last connected, BSSID, SSID, and security mode.

Data Files:

• Picture images (png, jpg), audio (wav, mp3), text (html, txt, xml), databases (db, sqlite3, itdb), configuration (plist), or application (jar, apk, ipa).
• Name, path, size, metadata, created, modified, accessed, and bookmark note.
| Phone | I1 | I2 | I3 | I4 | I5 | I6 | I7 | I8 |
|---|---|---|---|---|---|---|---|---|
| Type | I | I | I | I | I | I | I | I |
| Application Usage | 0/0 | 0/0 | 1/199 | 0/0 | 1/125 | 1/56 | 9/23 | 0/23 |
| Call Log | 0/0 | 0/2 | 0/103 | 0/0 | 0/107 | 0/104 | 0/13 | 0/105 |
| Contacts | 0/0 | 0/0 | 0/209 | 0/0 | 0/1461 | 0/2366 | 0/0 | 0/284 |
| Cookies | 0/0 | 0/0 | 0/5 | 0/0 | 0/0 | 0/43 | 0/0 | 0/6 |
| Installed Applications | 34/34 | 34/34 | 23/127 | 28/34 | 23/142 | 23/56 | 0/24 | 0/79 |
| IP Connections | 0/2 | 0/2 | 0/2 | 0/1 | 0/0 | 0/1 | 0/0 | 0/7 |
| Locations | 0/0 | 0/0 | 0/1 | 0/0 | 0/0 | 5/10 | 0/0 | 0/72 |
| Maps | 0/0 | 0/0 | 0/12 | 0/0 | 0/0 | 0/2 | 0/0 | 0/19 |
| Passwords | 0/6 | 0/5 | 0/0 | 0/1 | 0/0 | 0/0 | 0/0 | 0/0 |
| SMS Messages | 0/0 | 0/2 | 0/30 | 0/0 | 0/1152 | 0/50 | 0/0 | 0/672 |
| User Accounts | 0/0 | 1/1 | 1/1 | 1/1 | 1/1 | 1/6 | 1/1 | 1/3 |
| User Dictionary | 0/0 | 0/1 | 0/161 | 0/0 | 0/30 | 0/312 | 0/0 | 0/819 |
| Wireless Networks | 0/0 | 1/1 | 0/1 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 |
| Images | 3714/3716 | 3715/3716 | 2488/16541 | 2631/2716 | 2488/25106 | 5888/14477 | 2491/2611 | 2488/13705 |
| Audio | 1/1 | 1/1 | 2/2512 | 1/1 | 2/1202 | 2/1125 | 2/2 | 2/1120 |
| Text | 159/161 | 159/164 | 11/392 | 20/34 | 11/1689 | 12/67 | 12/21 | 12/135 |
| Databases | 31/38 | 32/43 | 13/60 | 21/50 | 23/54 | 12/63 | 13/24 | 23/55 |
| Configurations | 2797/2969 | 2831/2959 | 1349/4798 | 1976/2969 | 1352/6978 | 1345/2237 | 1348/1382 | 1349/10930 |
| Applications | 6/6 | 6/10 | 164/489 | 227/304 | 164/458 | 164/200 | 164/310 | 164/670 |

Table 8. User data and system data on the smartphones, part 1. Each cell is post-wipe/pre-wipe; I=iPhone, A=Android, B=BlackBerry.
| Phone | A9 | A10 | A11 | A12 | A13 | A14 | A15 | A16 | I18 | B20 | B21 | A25 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Type | A | A | A | A | A | A | A | A | I | B | B | A |
| Application Usage | 0/0 | 1/139 | 0/0 | 0/102 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 |
| Call Log | 0/0 | 0/0 | 0/0 | 0/52 | 0/5 | 0/6 | 0/0 | 7/192 | 0/1 | 0/100 | 0/11 | 0/61 |
| Contacts | 0/0 | 0/5 | 0/0 | 0/48 | 0/0 | 0/2 | 0/0 | 0/65 | 0/0 | 0/477 | 0/0 | 5/252 |
| Cookies | 0/0 | 0/3 | 0/0 | 0/0 | 0/0 | 0/5 | 0/0 | 0/0 | 0/17 | 0/0 | 0/0 | 0/16 |
| Installed Applications | 30/30 | 48/102 | 25/43 | 23/32 | 26/70 | 20/24 | 12/44 | 0/0 | 34/34 | 0/0 | 0/0 | 0/1 |
| IP Connections | 0/0 | 0/2 | 0/0 | 0/3 | 0/0 | 0/1 | 0/0 | 0/0 | 1/6 | 0/0 | 0/0 | 0/0 |
| Locations | 0/0 | 0/0 | 0/5 | 0/0 | 0/10 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/9 |
| Maps | 0/15 | 0/5 | 0/8 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 |
| Passwords | 0/0 | 0/0 | 0/0 | 0/1 | 0/0 | 0/1 | 0/1 | 0/0 | 5/9 | 0/0 | 0/0 | 0/1 |
| SMS Messages | 0/80 | 0/5 | 0/0 | 0/121 | 0/0 | 0/2 | 0/0 | 0/66 | 0/0 | 0/4 | 0/0 | 0/76 |
| User Accounts | 1/1 | 1/1 | 0/0 | 0/0 | 0/1 | 0/1 | 0/0 | 0/1 | 1/1 | 0/0 | 0/0 | 0/2 |
| User Dictionary | 0/132 | 0/50 | 0/0 | 0/84 | 0/40 | 0/1 | 0/0 | 0/0 | 0/6 | 0/0 | 0/0 | 0/2 |
| Wireless Networks | 0/1 | 0/1 | 0/0 | 0/1 | 0/0 | 0/0 | 0/1 | 0/0 | 3/7 | 0/0 | 0/0 | 0/1 |
| Images | 150/150 | 764/764 | 11/11 | 1815/1815 | 42/42 | 15/15 | 9/9 | 616/616 | 3716/3743 | 0/7 | 0/3 | 71/159 |
| Audio | 1/1 | 1/1 | 1/1 | 1/1 | 0/0 | 2/2 | 2/2 | 82/82 | 1/1 | 0/1 | 0/0 | 1/1 |
| Text | 130/130 | 48/48 | 0/0 | 132/132 | 1/1 | 0/0 | 4/4 | 1/1 | 243/263 | 0/0 | 0/0 | 440/3031 |
| Databases | 5/65 | 12/45 | 0/0 | 25/41 | 0/0 | 10/24 | 0/0 | 16/36 | 37/58 | 0/0 | 0/0 | 24/55 |
| Configurations | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 0/0 | 2850/2953 | 0/0 | 0/0 | 0/0 |
| Applications | 0/0 | 313/313 | 0/0 | 7/7 | 3/3 | 1/1 | 24/24 | 0/3 | 6/6 | 0/0 | 0/0 | 388/390 |

Table 9. User data and system data on the smartphones, part 2. Each cell is post-wipe/pre-wipe; I=iPhone, A=Android, B=BlackBerry.
C. ISSUES WITH THE SMARTPHONES
The factory reset was performed without any problems on most of the smartphones. However, the HTC Magic (A14) and Samsung Galaxy SIII (A9) locked up after the reset. The HTC Magic was running a standard Android 1.6 operating system and the Samsung Galaxy SIII a custom CyanogenMod 10.1 operating system. A hard reset had to be performed on the HTC Magic, and a custom reset on the Samsung Galaxy SIII running CyanogenMod 10.1, to recover normal operation. Holding down the volume up button and the power button at the same time performs a hard reset, but does not remove any applications or user data from the smartphone. After the hard reset the factory reset did not cause any further problems. The cause of the lockup could not be determined.
The factory reset on the BlackBerry 8900 Curve (B17), Huawei U8150 Comet (A24) and Apple iPhone 2 (I26) made the devices unusable after the restart: the device could not be properly restarted or became unstable. The Motorola Charm (A27) could not be charged or booted and appeared to be unusable.
The HTC Eris (A13) could not be properly processed without a micro SD card installed in the phone. The Apple iPhone 2G (I19) could not be used without a SIM card. Both the UME-36 Pro and UFED Physical Analyzer returned an error when there was no micro SD or SIM card in the phone. A compatible micro SD/SIM card was not available at the time of the experiment. These two phones were the only ones that produced this error. The cause of the error could not be determined.
The Motorola FIRE (A22) and LG-500GHL (p28) were not recognized by Cellebrite. The Motorola FIRE runs Android OS 2.3.4 and is officially supported by the UFED Touch Ultimate. The LG-500GHL is a prepaid phone with a proprietary operating system by LG. None of the forensic tools tested was able to identify or extract data from these phones. For the LG phone this could be due to its proprietary operating system.
The HTC One returned the same results for most of the tools tested. There is an important difference between the HTC One and the other smartphones used in this project. When a smartphone is connected (via USB) to a computer system it is usually mounted as a USB mass storage device. The HTC One and several newer Android phones (4.0 and up) connect using a different protocol developed by Microsoft, the Media Transfer Protocol (MTP) [43]. The computer sees the attached smartphone as a media player while connected with MTP. The different mounting protocols conflicted with the forensic tools used for this project. However, during this research project we were able to gain access to a newer Cellebrite hardware solution, the Cellebrite UFED Touch Ultimate [44], an updated version of the UME-36 Pro. It provides a touchscreen interface with Windows XP as the base operating system, and the same functionality with a wider range of supported mobile devices. The UFED Touch Ultimate is capable of extracting data from MTP devices and was used for the HTC One (A16).
D. DATA ANALYSIS WITH THE PHYSICAL ANALYZER
A list of extracted data was created and viewed in the Physical Analyzer application. All phones listed in Tables 8 and 9 were used (Android, iPhone, BlackBerry). Phone data (traditional telephone usage information) in both sets was almost completely removed after a factory reset, including:

• Call log
• Contacts
• Cookies
• IP connections
• SMS
• Maps
• Passwords
• User dictionary

Application Usage data were limited to system applications and did not contain any user information. System applications are indicated by the identifier com.apple.XX for iOS and com.google.XX for Android. A list is generated by the Physical Analyzer.
Installed Applications data left on the phones were default first-party applications such as maps, YouTube, mobile mail, calculator, weather, preferences, and mobile notes. The same system application identifiers were used to verify first-party applications. There were no third-party applications left on the phones after a factory reset. However, the number of installed applications on post-wipe phones varied. The Physical Analyzer could not identify any installed applications, even first-party ones, on the I7 and I8 iPhones after the factory reset. System and first-party applications are not supposed to be removed by a factory reset, yet the Physical Analyzer showed zero entries after the wipe, which means the UME-36 Pro could not properly identify the applications. Why the UME-36 Pro failed to identify the installed applications is unknown.
Location data were only left on I6, an Apple iPhone 2. The data contained latitude and longitude (18.47717, 73.87550, in Pune, India) for a cell tower and a time stamp (3/24/2011 7:44:24 AM). This can be considered sensitive user information since it reveals the time, date, and location of where the user has been.
User Accounts and Wireless Networks data was recovered from a number of
phones but it did not contain any identifiable information. Entries were listed in the
Physical Analyzer but it did not contain any data (user name, email, BSSId, SSId,
password). It identified a previously existing account, but could not recover any
additional user or network data. The account information could have been encrypted or
encoded after the reset.
JPEG and PNG image files were not removed from any of the Android phones by the factory reset. All picture images (downloaded, camera, and browser thumbnails) are supposed to be removed by a reset. All picture images were left on those phones untouched and were still viewable on the smartphone. The 6 images added before the reset were also left untouched and viewable on the smartphone. The iPhones did a better job of wiping the images, and none of the image files, including thumbnails, were viewable after the factory reset. However, the metadata (name, file path, size, created, modified, accessed) for the images were still viewable in the Physical Analyzer.
Audio data was not removed from any of the Android set, including .wav audio files from applications and user-downloaded files (.mp3). The iPhone set deleted most of the audio files, but some .wav files were still recoverable. The files recovered from the iPhones included system audio files (e.g. ring tones) and notification sound clips that had been installed by third-party software. All recovered audio files could be played back in a media player.
Text data were not removed from any of the Android set. The file types that were
recognized as data were files with .txt and .xml extensions. The iPhones did delete some
text files, but the same types of files were recovered. Recovered .xml files contained
readable string data such as domain names and IP addresses associated with user
activities. Text files contained various notes or memos created by the user.
Database data (.db, sqlite, .sql) recovered from both sets contained no data. The
results were similar to the user accounts data and wireless network data. The metadata
(name, file path, size, creation time, modification time, and access time) was viewable
after the factory reset but no data was stored in the files.
Configuration data recovered from the iPhones only contained system-file access
data. The access information appears to be the same data as the Applications files. Data
was not recoverable from any of the Android set, but this could be due to the fact that the
same information is already in the Applications files. The recovered data did not contain
any user information.
Applications data only contained information from first-party software installed
on the phone. The data contained various framework, library, and plug-in information for
system software. No user data was stored in the applications files. The application data on
the A16 Android phone contained user account information before the wipe. The
Physical Analyzer labeled it as installed applications. This was the only data that was
mislabeled. The data was cleared after a reset and did not contain any user account
information. It is unclear why the Physical Analyzer mislabeled this information.
Each file that contained user-generated data was counted and summarized in
Table 10 and Table 11. The numbers indicate the total number of files found with user
data.
| Data Files | I1 | I2 | I3 | I4 | I5 | I6 | I7 | I8 |
|---|---|---|---|---|---|---|---|---|
| Images | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Audio | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| Text | 1 | 2 | 5 | 7 | 1 | 1 | 1 | 1 |
| Databases | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Configurations | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Applications | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Table 10. User data files found in the smartphones, part 1

| Data Files | A9 | A10 | A11 | A12 | A13 | A14 | A15 | A16 | I18 | B20 | B21 | A25 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Images | 5 | 61 | 10 | 1698 | 42 | 15 | 5 | 616 | 0 | 0 | 0 | 6 |
| Audio | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 15 | 0 | 0 | 0 | 0 |
| Text | 1 | 4 | 1 | 7 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 4 |
| Databases | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Configurations | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Applications | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Table 11. User data files found in the smartphones, part 2

E. STRING SEARCHING WITH LINUX GREP COMMAND

String searching was used for additional analysis of recovered files. During the analysis process with the Physical Analyzer, we searched for some keywords of interest in data files:

• password
• root certificate
• hash
• cert
• SHA1
• MD5
• SSL

The standard Linux grep [45] command was used to search for the keywords.
The A10 Android phone was the only one that returned a hit for the “password” keyword, and this data should have been deleted by the factory reset. This is one of the phones with custom CyanogenMod 10.1 installed. An .xml file under the Cyanogen system directory contained several entries with website URLs and user names, with passwords stored in clear text, that should have been deleted. The other phones did not contain any password information. All phones returned at least one file containing the phrase “root certificate”. The matching strings varied in length between 115 and 144 characters. It is unclear whether this is the default trusted certificate store installed with the operating system or part of third-party software that used certificates; in the latter case the data should have been deleted. The information in these files could not be identified as user data. Searches for the strings “hash”, “cert”, “SHA1”, “MD5”, and “SSL” did not return any significant results: these keywords occurred only in configuration files, which did not contain any user data.
Searching for the “hash” keyword did not return anything significant, but searching for “HASH” returned some interesting results. The “HASH” keyword also occurred in configuration files on iPhones, but those files were always associated with an application called Rocky Racoon on the iPhones I3, I4, I5, I6, I7, and I8. This application is used exclusively with jailbroken iPhones [46]. Jailbreaking is the process of using a hardware or software exploit to break the restrictions on the iPhone’s file system [47]. A jailbroken iPhone grants the user root access to the iOS operating system. Once the iPhone is jailbroken it can be freely modified: the user can install unauthorized third-party applications, plugins and themes on the iPhone. It also allows the user to switch mobile carriers without any restrictions. Jailbreaking a phone also exposes the user to various security risks, and unauthorized software runs the risk of damaging or disabling the iPhone. This may have affected the data on these iPhones. It is not certain that these iPhones had been jailbroken, but there is a high chance they were, since the Rocky Racoon software is only used with jailbroken iPhones.
F. DATA ANALYSIS WITH BULK EXTRACTOR
The Bulk Extractor tool (Ver. 1.4.1: Windows installer with GUI) was used to
verify some of the user data generated from the experiment procedures. The smartphone
images created from the physical extraction process (.ufd) were not compatible with Bulk
Extractor and needed to be converted. A full dump of the file system was created from
the .ufd images using the Physical Analyzer. Each .ufd image generated a directory of
files, which was run on the Bulk Extractor.
The ‘url_histogram.txt’ generated by the extractor showed that all website
(youtube.com, facebook.com, reddit.com, faculty.nps.edu) links were deleted in the reset.
Duplicate links for the four visited websites (nps.edu, fark.com, yahoo.com, npr.org)
were found in various files on pre-wipe iPhones. It is unclear why there were duplicate
links saved on iPhones. None of the other phones contained multiple copies of the same
links.
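The pre-wipe/post-wipe comparison of the URL histogram can be automated. The following script is an added example and is not part of the thesis or of Bulk Extractor; it assumes the histogram layout that bulk_extractor writes ('#' comment lines, then one 'n=<count><TAB><feature>' line per feature, sometimes with a trailing '(<n>)' annotation), and the two histograms embedded in it are constructed sample output, not captures from the phones in the study. It classifies each seeded site as surviving the reset, removed by it, or never observed at all; the last state matters because a site the extractor never saw pre-wipe cannot be declared deleted post-wipe.

```python
"""Check seeded URLs against bulk_extractor url_histogram.txt, pre vs post.

Added example, not code from the thesis or from bulk_extractor.  It assumes
the histogram layout bulk_extractor writes: comment lines start with '#',
and each feature line is 'n=<count>\\t<feature>' with an optional trailing
'\\t(<n>)' annotation.  The two histograms below are constructed sample
output, not captures from the phones in the study.
"""

# Sites visited during the experiment procedure (from the thesis).
SEEDED = ("nps.edu", "fark.com", "yahoo.com", "npr.org",
          "youtube.com", "facebook.com", "reddit.com", "faculty.nps.edu")

# Constructed pre-wipe histogram: the seeded sites plus a system-software URL.
PRE_WIPE = """# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.4.1
n=12\thttp://www.nps.edu/
n=3\thttp://www.fark.com/\t(2)
n=2\thttps://www.yahoo.com/
n=1\thttp://www.npr.org/sections/news/
n=4\thttp://www.youtube.com/
n=9\thttp://www.apple.com/support/
"""

# Constructed post-wipe histogram: one seeded site survives, the rest are gone.
POST_WIPE = """# BULK_EXTRACTOR-Version: 1.4.1
n=9\thttp://www.apple.com/support/
n=1\thttp://www.fark.com/
"""


def parse_histogram(text):
    """Return {feature: count}, skipping comments and malformed lines
    instead of failing on them (histograms from large dumps are noisy)."""
    features = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0].startswith("n="):
            continue
        try:
            count = int(parts[0][2:])
        except ValueError:
            continue
        features[parts[1]] = features.get(parts[1], 0) + count
    return features


def _host_matches(url, site):
    """True if the URL's host is `site` itself or a subdomain of it."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return host == site or host.endswith("." + site)


def seeded_report(pre_text, post_text, seeded=SEEDED):
    """Classify each seeded site:
      'survived'   - present in the post-wipe histogram
      'removed'    - present pre-wipe, absent post-wipe
      'never_seen' - absent pre-wipe too, so absence post-wipe is not
                     evidence of deletion (the tool or the seeding missed it)
    """
    pre, post = parse_histogram(pre_text), parse_histogram(post_text)
    report = {}
    for site in seeded:
        in_pre = any(_host_matches(u, site) for u in pre)
        in_post = any(_host_matches(u, site) for u in post)
        if in_post:
            report[site] = "survived"
        elif in_pre:
            report[site] = "removed"
        else:
            report[site] = "never_seen"
    return report


if __name__ == "__main__":
    for site, state in seeded_report(PRE_WIPE, POST_WIPE).items():
        print(f"{site:18s} {state}")
```

Running it prints the classification for each seeded site; 'faculty.nps.edu' comes out as never seen even though 'www.nps.edu' was, because the host match deliberately distinguishes a subdomain from its parent rather than matching on substrings.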
Preference and configuration files (.plist) were recovered from most of the phones
except for the BlackBerry phones (B20, B21) after the reset. None of the files contained
user information. Setting information was checked in the ‘json.txt’ file generated by the
extractor.
The zip file ‘testschwamm_userdata.zip’ that had been uploaded to the root directory was not deleted from any of the Android phones, and its member ‘testschwamm_password.txt’ is listed in the ‘zip.txt’ feature file generated by the extractor.
During the keyword search, several files containing the word ‘DELETED’ appeared in the ‘Feature File’ results window. Bulk Extractor displayed some text files (.txt) that included the word ‘DELETED’ as part of the file name. None of these files contained any readable data, and all were located in the top-level directory. The Physical Analyzer could not find any of these tagged files. It became clear that further investigation was needed to determine whether any more user-generated data had gone unidentified by the Physical Analyzer. The following common file extensions [48] were used for a string search against the full file system dump; the same grep command was used for each extension.

• Text files (doc, docx, log, msg, odt, pages, rtf, tex, txt, wpd, wps)
• Data files (csv, dat, gbr, ged, ibooks, key, keychain, pps, ppt, pptx, sdf, tar, tax2012, vcf, xml)
• Audio files (aif, iff, m3u, m4a, mid, mp3, mpa, ra, wav, wma)
• Video files (3g2, 3gp, asf, asx, avi, flv, m4v, mov, mp4, mpg, rm, srt, swf, vob, wmv)
• 3D image files (3dm, 3ds, max, obj)
• Raster image files (bmp, dds, gif, jpg, png, psd, pspimage, tga, thm, tif, tiff, yuv)
• Vector image files (ai, eps, ps, svg)
• Page layout files (indd, pct, pdf)
• Spreadsheet files (xlr, xls, xlsx)
• Database files (accdb, db, dbf, mdb, pdb, sql)
• Executable files (apk, app, bat, cgi, com, exe, gadget, jar, pif, vb, wsf)
• Game files (dem, gam, nes, rom, sav)
• CAD files (dwg, dxf)
• GIS files (gpx, kml, kmz)
• Web files (asp, aspx, cer, cfm, csr, css, htm, html, js, jsp, php, rss, xhtml)
• Plugin files (crx, plugin)
• Font files (fnt, fon, otf, ttf)
• System files (cab, cpl, cur, deskthemepack, dll, dmp, drv, icns, ico, lnk, sys)
• Settings files (cfg, ini, prf)
• Encoded files (hqx, mim, uue)
• Compressed files (7z, cbr, deb, gz, pkg, rar, rpm, sitx, tar.gz, zip, zipx)
• Disk image files (bin, cue, dmg, iso, mdf, toast, vcd)
• Developer files (c, class, cpp, cs, dtd, fla, h, java, lua, m, pl, py, sh, sln, vcxproj, xcodeproj)
• Backup files (bak, tmp)
• Miscellaneous files (crdownload, ics, msi, part, torrent)
Each extension was used as a search term against both sets of smartphones. All files that matched the keywords were checked for user data. The counts include both user data and system data (Tables 12 and 13).
Category              I1         I2         I3         I4         I5         I6         I7         I8
Text Files            54/55      54/55      8/252      20/53      12/148     8/40       8/11       15/50
Data Files            406/406    403/406    73/355     115/91     73/1501    73/107     73/73      73/147
Audio Files           2007/2007  2007/2007  20/2673    20/63      20/1298    20/1162    20/20      20/1190
Video Files           0/0        0/0        0/9        0/0        0/9        0/95       0/0        0/9
3D Image Files        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Raster Image Files    71/71      71/71      3/54       2/4        2/2        2/2        2/2        2/4
Vector Image Files    0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Page Layout Files     18/18      18/18      7/28       14/14      7/7        7/26       7/7        7/13
Spreadsheet Files     0/0        0/0        0/0        0/0        0/1        0/1        0/0        0/0
Database Files        79/80      80/87      15/52      60/60      15/47      14/51      15/16      15/58
Executable Files      3/3        3/3        2/10       2/6        2/5        2/4        2/2        2/6
Game Files            2/2        2/2        2/5        2/2        2/4        2/2        2/2        2/2
CAD Files             0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
GIS Files             0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Web Files             211/211    212/212    13/13      14/14      12/13      12/12      12/12      12/12
Plugin Files          0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Font Files            66/66      66/66      56/56      47/47      56/56      56/56      56/56      56/56
System Files          5/5        6/6        2/2        2/2        2/2        2/2        2/2        2/2
Settings Files        0/0        0/0        0/2        0/0        0/4        0/38       0/0        0/1
Encoded Files         0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Compressed Files      2/2        2/2        7/7        0/1        0/5        0/1        0/1        0/1
Disk Image Files      87/87      87/87      8/339      14/14      8/119      8/35       8/8        8/59
Developer Files       18/18      19/19      1/10       1/9        1/17       1/1        1/7        1/11
Backup Files          0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Misc Files            0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Table 12. Search result (post-wipe/pre-wipe) part 1
Category              A9         A10        A11        A12        A13        A14        A15        A16        I18        A20        A21        A25
Text Files            1/1        14/14      1/1        141/142    0/0        0/0        1/1        0/0        54/55      0/0        0/0        66/552
Data Files            0          50/50      0/0        66/66      1/1        0/0        0/0        0/0        406/406    0/0        0/0        374/2479
Audio Files           0/0        1/1        1/1        68/68      0/0        2/2        0/0        0/0        2007/2007  0/0        0/0        1/1
Video Files           0/0        5/5        0/0        6/6        10/10      5/5        0/0        0/0        0/0        0/0        0/0        0/0
3D Image Files        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Raster Image Files    5/5        716/716    11/11      1938/1938  42/42      15/15      5/5        616/616    71/71      0/7        0/3        70/88
Vector Image Files    0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Page Layout Files     0/0        0/0        0/0        39/39      0/0        0/0        0/0        0/0        18/18      0/0        0/0        0/0
Spreadsheet Files     0/0        0/0        0/0        0/1        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Database Files        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        80/87      0/0        0/0        0/0
Executable Files      0/0        95/95      0/0        7/7        3/3        1/1        0/0        0/0        3/3        0/0        0/0        75/77
Game Files            0/0        1/1        0/0        0/0        0/0        0/0        0/0        0/0        2/2        0/0        0/0        0/0
CAD Files             0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
GIS Files             0/0        0/0        0/0        69/69      0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Web Files             0/0        4/4        0/0        0/0        0/0        0/0        0/0        0/0        212/212    0/0        0/0        0/0
Plugin Files          0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Font Files            0/0        39/39      0/0        1/1        0/0        0/0        0/0        0/0        66/66      0/0        0/0        0/0
System Files          0/0        3/3        0/0        0/0        0/0        0/0        0/0        0/0        6/6        0/0        0/0        0/0
Settings Files        0/0        1/1        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Encoded Files         0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Compressed Files      0/0        22/22      0/0        20/20      6/6        0/0        0/0        0/0        2/2        0/0        0/0        3/3
Disk Image Files      0/0        15/15      0/0        0/0        0/0        0/0        0/0        0/0        87/87      0/0        0/0        0/0
Developer Files       0/0        10/15      0/0        22/22      0/0        0/0        0/0        0/0        19/19      0/0        0/0        12/12
Backup Files          0/0        13/13      0/0        24/25      0/0        0/0        0/0        0/0        0/0        0/0        0/0        177/1018
Misc Files            0/0        0/0        0/0        0/1        0/0        0/0        0/0        0/0        0/0        0/0        0/0        0/0
Table 13. Search result (post-wipe/pre-wipe) part 2
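The extension search described before Tables 12 and 13 can be scripted so that the same category map is applied identically to the pre-wipe and post-wipe dumps. The following Python script is an added example, not code from the thesis; it assumes that each .ufd image has been exported as a directory tree, uses a subset of the FileInfo.com categories listed above, and builds two small constructed dump trees (the file names, including the Dropbox scratch directory and the top-level zip, are made up for the demonstration) to produce post-wipe/pre-wipe pairs in the format of the tables.

```python
"""Extension-category sweep over a file-system dump, post-wipe vs pre-wipe.

Added example, not the thesis's own code.  It reproduces the kind of
post-wipe/pre-wipe count shown in Tables 12 and 13 by walking two
directory trees exported from the .ufd images.  The category map is a
subset of the FileInfo.com list used in the thesis; the directory layout
and file names created by build_demo_dumps() are constructed.
"""
import os
import tempfile

# Subset of the extension categories searched in the thesis.  Multi-part
# extensions such as tar.gz are listed explicitly so "file.tar.gz" is
# counted once, as compressed, and never as both .gz and .tar.gz.
CATEGORIES = {
    "Text Files": ("doc", "docx", "log", "rtf", "txt"),
    "Data Files": ("csv", "dat", "key", "keychain", "vcf", "xml"),
    "Audio Files": ("m4a", "mp3", "wav"),
    "Video Files": ("3gp", "m4v", "mov", "mp4"),
    "Raster Image Files": ("bmp", "gif", "jpg", "png"),
    "Page Layout Files": ("pdf",),
    "Spreadsheet Files": ("xls", "xlsx"),
    "Database Files": ("db", "sql"),
    "Executable Files": ("apk", "app", "jar"),
    "Compressed Files": ("7z", "gz", "tar.gz", "zip"),
}

# Longest suffix first, so "tar.gz" is tried before "gz" and "keychain" before "key".
_SUFFIXES = sorted(
    ((ext, cat) for cat, exts in CATEGORIES.items() for ext in exts),
    key=lambda pair: -len(pair[0]),
)


def categorize(name):
    """Return the category for a file name, or None if it matches nothing.
    Matching is case-insensitive, like grep -i over the dump."""
    lower = name.lower()
    for ext, cat in _SUFFIXES:
        if lower.endswith("." + ext):
            return cat
    return None


def count_by_category(root):
    """Walk a dump directory and count matching files per category."""
    counts = {cat: 0 for cat in CATEGORIES}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            cat = categorize(name)
            if cat is not None:
                counts[cat] += 1
    return counts


def compare(pre_root, post_root):
    """Return {category: (post_count, pre_count)}, the pairs used in Tables 12
    and 13.  A non-zero post count is a file the reset left behind; as in the
    thesis it may be user or system data and still needs a manual check."""
    pre = count_by_category(pre_root)
    post = count_by_category(post_root)
    return {cat: (post[cat], pre[cat]) for cat in CATEGORIES}


def _touch(root, relpath):
    path = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0")


def build_demo_dumps():
    """Construct two small dump trees (assumed layout, not real phone data).
    The pre-wipe tree holds user files; the post-wipe tree keeps only those
    in a third-party app directory and at the top level, mirroring what the
    thesis observed on the Android phones.  Returns (pre_root, post_root)."""
    base = tempfile.mkdtemp(prefix="dump_")
    pre, post = os.path.join(base, "pre"), os.path.join(base, "post")
    survivors = [
        "data/com.dropbox.android/file/scratch/budget.xlsx",
        "data/com.dropbox.android/file/scratch/notes.pdf",
        "testschwamm_userdata.zip",
        "system/etc/hosts.txt",  # system data, matched by extension all the same
    ]
    removed = [
        "data/com.android.email/cache/attachment.docx",
        "DCIM/Camera/IMG_0001.jpg",
        "Music/track01.MP3",  # upper-case extension is still counted
        "backup/archive.tar.gz",
    ]
    for rel in survivors + removed:
        _touch(pre, rel)
    for rel in survivors:
        _touch(post, rel)
    return pre, post


def demo():
    """Build the constructed dumps and return the post/pre comparison."""
    pre, post = build_demo_dumps()
    return compare(pre, post)


if __name__ == "__main__":
    for cat, (post_n, pre_n) in demo().items():
        if pre_n or post_n:
            print(f"{cat:22s} {post_n}/{pre_n}")
```

The match is by file-name suffix only, case-insensitively, with multi-part extensions such as tar.gz checked before their last component; as in the thesis, a match is a candidate that still has to be inspected by hand, since a .txt under a system directory counts the same as a user document.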
No files with the keyword “DELETED” were found on any of the iPhones, only on the Android smartphones. Most of the tagged files were text files, but some were zip archives, Adobe PDF, MP4 video, and Microsoft Office files. All files containing the keyword “DELETED” were unreadable and did not include any user data.
User-generated Word and Excel files were found as email attachments on the pre-wipe iPhones (I4, I5, I8), but these files were properly deleted post-wipe. A significant number of user-generated files was recovered from two of the post-wipe Android smartphones (A10, A12). Both included Adobe PDF files, Microsoft Word files, Microsoft Excel files, MP4 video files, and zip archives. All of these files were user-generated and contained sensitive information (user name, phone number, email address, and personal video footage). Some of these personal files were located in the top-level directory, just like the tagged files, but most of them were found in the directory ‘\data\com.dropbox.android\file\scratch’. The A10 Android phone contained several documents under this directory. Dropbox is third-party software installed by the user and used as a file hosting service across platforms. The software client creates a local folder that can be synchronized across multiple devices; files placed in the folder are synced over the network through Dropbox servers [49]. None of the user data appears to have been deleted from the Dropbox folder: the same number of files was found in this directory pre-wipe.
G. DISCUSSION
The reset did a good job of removing user-account and Wi-Fi information
associated with the phones. However, it did not fully remove photo images, audio files,
text files, website login information, and geolocation data.
The UME-36 Pro and Physical Analyzer were able to collect a large variety of data after the factory reset. The tools recovered several files containing user data or user-generated text: 20 files from the iPhones and 2,483 files from the Android phones. These are the total numbers of files that Cellebrite was able to identify. Text and audio files were recovered from several iPhones. Other kinds of user data were left behind on some of the Android phones, including audio, text, and picture files. Many remaining pictures were still viewable, and some remaining audio files could still be played back.
The string search using the grep command found one xml file on an Android
phone. The xml file contained user login and password information. The Cellebrite tools
did not identify this xml file. No additional files were found from the iPhone set using
this method.
Bulk Extractor helped uncover several text files that were identified by neither Cellebrite nor the string search. An additional 157 user files were recovered from the Android phones. Some files were left behind by third-party applications such as Dropbox: the reset removed the applications, but some user data remained in the installation directory. These files were Microsoft Office files (Word, Excel), Adobe PDFs, and MP4 video files. Bulk Extractor did a better job of finding email addresses, fax numbers, and phone numbers within files. However, the additional information was almost always found in manuals, acknowledgements, service agreements, and support information for system software; it was not personal user information but developer contacts (@tech, @helpdesk) and tech support (1-800 numbers). Several text files could be viewed with a standard text viewer. Some files contained IP addresses and domain names. Geolocation data was found along with timestamps, enabling a view of the locations where the phone had been used. No additional files were discovered on the iPhones.
Cellebrite identified that 59% of the files were removed from iPhones and 47% of
the files were removed from Android phones after a reset. The percentage is calculated
from the total number of files pre-wipe and post-wipe. It is based off of the total number
of files identified and listed by the forensics tools. All files identified by both tools were
manually analyzed and counted.
V. CONCLUSIONS AND FUTURE WORK
A. CONCLUSION
The main goal of this thesis was to analyze residual user data on smartphones after a factory reset. A total of 21 smartphones were used to test the effectiveness of the reset. The experiment succeeded in extracting residual user data from the smartphones. The data showed that factory resets do not remove all user information: a factory reset is not a complete wipe of the device. It appears to remove only files that the operating system deems user-generated, and if so, the reset feature does not properly categorize user information. Anybody with access to commercial forensics tools could collect user data from such smartphones. This can be a major problem for some organizations. The military and its active-duty members use smartphones daily and handle sensitive information, so this is a serious security issue that needs to be addressed. There are also many challenges for digital forensics investigations. There is large variability in the number and types of files that are recoverable from smartphones. An investigator may not be able to find the specific file or evidence needed for a case even when much personal information remains. A large data set can be recovered from a phone, but those files might already have existed on the device before the user owned it. At the same time, not finding files does not mean evidence is not present on the device: the files could be unrecoverable by a single forensic tool, and a single experiment may not be enough to recover all the evidence. Multiple experiments and forensics tools should be used to distinguish a wide range of files and evidence.
B. RECOMMENDED PROCEDURES
We conclude that a “factory reset” as currently implemented is insufficient for
removing personal data on today’s smartphones. The user wanting to remove all such
data should take the following steps.
• Delete cache files, browser history files, and browser cookies. Usually this can be done through the smartphone settings menu.
• Manually uninstall all third-party software and review its directories for residual user data, since a “factory reset” does not generally affect them. Be especially careful with off-site backup software such as Dropbox, which often stores a considerable amount of a user's personal data.
• Perform a “factory reset” of the smartphone.
• Check possible locations of remaining copies of personal files, and delete any such files that are found, since a user file that has been manually copied or moved to a top-level or user-created directory will generally not be erased during a reset.
• Search for remaining personal user files by their common extensions (such as “doc”, “txt”, and “mp3”) and delete them. A file explorer application can be used to find these files.
• Overwrite deleted data and, if possible, all unused storage with specialized software. Zeroing out overwrites the free space in which the contents of deleted files still reside, which prevents those files from being recovered by file-system-level tools. On NAND flash the storage controller remaps writes for wear leveling, so an overwrite performed through the file system does not guarantee that every physical page that once held the data has been erased.
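The last step, zero-filling free space, can be done without special software on any platform that exposes a writable file system. The following Python function is an added example and is not from the thesis or from any of the tools it names: it allocates a file of zero bytes until the volume returns ENOSPC, syncs it, and unlinks it. The max_bytes cap and the demo() helper exist only so that the example can be exercised on a temporary directory without filling the disk; a real run passes max_bytes=None and points at the storage to be cleaned.

```python
"""Overwrite free space by filling the volume with zeros, then deleting the file.

Added example, not from the thesis.  It performs the last step of the
recommended procedure at file-system level: write zeros into a new file
until the volume reports ENOSPC (or until an optional cap is reached),
fsync so the blocks are really written, then unlink the file.  The cap is
there so the demonstration can run on a temporary directory without
filling the disk; real use passes max_bytes=None.
"""
import errno
import os
import tempfile


def zero_fill_free_space(directory, max_bytes=None, chunk_size=1 << 20):
    """Write zeros into <directory>/.zerofill until the file system is full
    (or max_bytes is reached), then remove the file.  Returns the number of
    bytes written.  ENOSPC is the expected stop condition, not an error;
    any other OSError is re-raised."""
    path = os.path.join(directory, ".zerofill")
    zeros = b"\0" * chunk_size
    written = 0
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        while max_bytes is None or written < max_bytes:
            # Trim the last chunk when a cap is set so we never overshoot it.
            want = zeros if max_bytes is None else zeros[: max_bytes - written]
            try:
                n = os.write(fd, want)
            except OSError as exc:
                if exc.errno == errno.ENOSPC:
                    break
                raise
            if n == 0:
                break
            written += n
        os.fsync(fd)  # force the zeros out of the page cache onto the medium
    finally:
        os.close(fd)
        os.unlink(path)
    return written


def demo(cap=256 * 1024):
    """Run the fill with a small cap inside a fresh temporary directory and
    return (bytes_written, fill_file_still_exists)."""
    tmp = tempfile.mkdtemp(prefix="zerofill_")
    written = zero_fill_free_space(tmp, max_bytes=cap, chunk_size=64 * 1024)
    leftover = os.path.exists(os.path.join(tmp, ".zerofill"))
    os.rmdir(tmp)
    return written, leftover


if __name__ == "__main__":
    print(demo())
```

The caveat from the step above applies: this overwrites what the file system presents as free space, which on NAND flash with wear leveling is not the same as every physical page that once held deleted data.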
In addition, these steps become less critical if the smartphone is passcode-protected and uses OS-level encryption of its files. Encrypted data remains unreadable without the key, and a passcode makes it harder for other people to access the data. Both the Apple iPhone and Google Android phones provide these features (on Android, at the time of this study, encryption had to be enabled by the user).
C. FUTURE WORK
Possible additional work can be done:
• A larger and more diverse set of smartphones (including BlackBerry, Windows Phone, Firefox OS, and Ubuntu Edge) could help provide a better overview of the strengths and weaknesses of a factory reset. The new Cellebrite UFED Touch hardware supports a larger range of smartphones and is compatible with MTP.
• Several forensics tools were tested but not used for this project. Testing other tools against Cellebrite and cross-referencing the results of different tools may produce more reliable data.
• This thesis did not explore password protection or encrypted data. Additional research can be conducted on the effectiveness of various encryption types; such data may require additional tools or special techniques to decipher, which creates a distinct challenge for forensics research.
• Other security techniques can be tested for user-data protection. Several software programs (iErase [50], SHREDroid [51]) claim to completely erase the internal flash memory of a smartphone. Their effectiveness can be tested and compared against the findings of this paper.
• A targeted analysis can be done on third-party software, in particular backup software. The research should focus on residual data left by third-party software after a factory reset.
LIST OF REFERENCES
[1] comScore. (2014, Feb. 3). “Reports December 2013 U.S. smartphone subscriber market share.” [Online]. Available: http://www.comscore.com/Insights/Press_Releases/2014/2/comScore_Reports_December_2013_US_Smartphone_Subscriber_Market_Share
[2] Nokia Corporation. (2013, Jan. 24). “Q4 and full year 2012 interim report.” [Online]. Available: http://www.results.nokia.com/results/Nokia_results2012Q4e.pdf
[3] Micron Technology, Inc. (2013, Apr.). “Micron technical note, NAND Flash 101: an introduction to NAND Flash and how to design it in to your next product,” TN-29-19: NAND Flash 101, pp. 1–2. [Online]. Available: https://www.micron.com/~/media/Documents/Products/Technical%20Note/NAND%20Flash/tn2919_nand_101.pdf
[4] Google Inc. (2013, Jan.). “Mobile internet & smartphone adoption, Google, January 2011.” [Online]. Available: http://services.google.com/fh/files/blogs/Google_Ipsos_Mobile_Internet_Smartphone_Adoption_Insights_2011.pdf
[5] TechMedia Network. (2013). “TopTenReviews: 2013 best mobile encryption software reviews and comparisons.” [Online]. Available: http://mobile-encryption-software-review.toptenreviews.com/
[6] Apple. (2013, July 8). “iOS: Understanding ‘Erase all content and settings’.” [Online]. Available: http://support.apple.com/kb/ht2110s
[7] Google. (2013). “Manage my devices.” [Online]. Available: https://support.google.com/a/users/answer/1235372?hl=en
[8] M. Honan. (2013, Apr. 1). “Break out a hammer: You’ll never believe the data ‘wiped’ smartphones store.” Wired. [Online]. Available: http://www.wired.com/gadgetlab/2013/04/smartphone-data-trail/all/
[9] J. Smith. (2012, Sept. 13). “Security guru: don’t sell your Android phone until turning it into Swiss cheese.” GottaBeMOBILE: Mobile News & Reviews. [Online]. Available: http://www.gottabemobile.com/2012/02/27/security-guru-dont-sell-your-android-phone-until-turning-it-into-swiss-cheese/
[10] The Guardian. (2013). “Recycled mobile phones retain previous owner data.” [Online]. Available: http://www.theguardian.com/media-network/partner-zone-infosecurity/mobile-phones-previous-owner-data
[11] G. S. Cardwell. “Residual network data structures in Android devices,” M.S. thesis, Computer Science Dept., Naval Postgraduate School, Monterey, CA, 2011. [Online]. Available: http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA552175
[12] J. Lyle. (2010, Feb. 25). “Computer Forensics Tool Testing (CFTT),” National Institute of Standards and Technology, Gaithersburg, MD. [Online]. Available: http://www.nist.gov/itl/ssd/cs/forensics-tool-testing.cfm
[13] Computer Forensics Tool Testing Handbook, Computer Forensics Tool Testing Program, Office of Law Enforcement Standards, National Institute of Standards and Technology, Gaithersburg, MD, Feb. 1, 2012. [Online]. Available: http://www.cftt.nist.gov/CFTT-Booklet-Revised-02012012.pdf
[14] M. M. Saudi. “An overview of disk imaging tool in computer forensics,” SANS Institute, Bethesda, MD, 2001. [Online]. Available: http://www.sans.org/reading-room/whitepapers/incident/overview-disk-imaging-tool-computer-forensics-643
[15] GNU Operating System. Coreutils - GNU core utilities. Free Software Foundation, Feb. 14, 2013. [Online]. Available: http://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
[16] B. Carrier. “Hard disk data acquisition,” in File System Forensic Analysis. Upper Saddle River, NJ: Pearson Education, 2005, pp. 53–55.
[17] S. Garfinkel. “Forensic feature extraction and cross-drive analysis,” in Proc. Sixth Annual DFRWS Conference, 2006, pp. 71–81. [Online]. Available: http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf
[18] N. L. Beebe and J. G. Clark. “Digital forensic text string searching: Improving information retrieval effectiveness by thematically clustering search results,” in Proc. Seventh Annual DFRWS Conference, 2007, pp. 49–54. [Online]. Available: http://www.dfrws.org/2007/proceedings/p49-beebe.pdf
[19] K. Amari. (2009, Mar. 26). “Techniques and tools for recovering and analyzing data from volatile memory,” SANS Institute, Bethesda, MD. [Online]. Available: http://computer-forensics.sans.org/community/papers/gcfa/techniques-tools-recovering-analyzing-data-volatile-memory_3609
[20] A. Pal and N. Memon. (2009, Mar.). “The evolution of file carving: The benefits and problems of forensics recovery,” IEEE Signal Processing Magazine. [Online]. Available: http://digital-assembly.com/technology/research/pubs/ieee-spm-2009.pdf
[21] T. Vidas, C. Zhang, and N. Christin. “Toward a general collection methodology for Android devices,” in Proc. Eleventh Annual DFRWS Conference, Aug. 2011. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1742287611000272
[22] P. Owen, P. Thomas, and D. McPhee. “An analysis of digital forensic examination of mobile phones,” in Proc. 4th Intl. Conf. on Next Generation Mobile Applications, Services and Technologies, July 2010. [Online]. Available: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5558244&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5558244
[23] F. Marturana, G. Me, R. Berte, and S. Tacconi. “A quantitative approach to triaging in mobile forensics,” in Proc. 2011 International Joint Conference of IEEE TrustCom, Changsha, China, 2011. [Online]. Available: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6120868&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6120868
[24] S. Omeleze and H. Venter. “Testing the harmonized digital forensic investigation process model using an Android mobile phone,” in Proc. Information Security for South Africa, Aug. 2013. [Online]. Available: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6641063&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F6621627%2F6641027%2F06641063.pdf%3Farnumber%3D6641063
[25] O. Afonin and Y. Gubanov. (2013, May). “Catching the ghost: how to discover ephemeral evidence with Live RAM analysis,” DFI Magazine. [Online]. Available: http://forensic.belkasoft.com/en/live-ram-forensics
[26] UME-36Pro User Manual - Universal Memory Exchanger for Mobile Phones. Cellebrite Mobile Synchronization Ltd., Parsippany, NJ, 2007. [Online]. Available: http://www.cellebrite.com/images/stories/support%20files/UME36_Manual.pdf
[27] UFED User Manual Version 1.1.9.7. Cellebrite Mobile Synchronization Ltd., Parsippany, NJ, Mar. 2012. [Online]. Available: http://www.ume-update.com/UFED/UFED%20User%20Guide_June.pdf
[28] UFED Physical Analyzer Manual. Cellebrite Mobile Synchronization Ltd., Parsippany, NJ, Nov. 2012. [Online]. Available: https://www.cellebrite.com/images/stories/support%20files/UFED_PA_Manual.pdf
[29] Cellebrite Mobile Synchronization Ltd. (2013). UFED Phone Detective. [Online]. Available: http://www.cellebrite.com/mobile-forensic-products/ufed-applications/ufed-phone-detective.html
[30] Digital Corpora. (2013). Bulk Extractor. [Online]. Available: http://digitalcorpora.org/downloads/bulk_extractor/
[31] S. Garfinkel. (2013, Feb.). “Digital media triage with bulk data analysis and bulk_extractor,” Computers & Security, vol. 32. [Online]. Available: http://simson.net/clips/academic/2013.COSE.bulk_extractor.pdf
[32] ViaForensics. (2013). ViaExtract. [Online]. Available: https://viaforensics.com/products/viaextract/
[33] Oxygen Forensics, Inc. (2013). Oxygen Forensic Suite 2013. [Online]. Available: http://www.oxygen-forensic.com/en/
[34] Piriform. (2013). Recuva. [Online]. Available: http://www.piriform.com/recuva
[35] H. Zhu, E. Chen, H. Xiong, K. Yu, H. Cao, and J. Tian. “Mining mobile user preferences for personalized content recommendation,” ACM Transactions on Intelligent Systems and Technology, 2014.
[36] S. Garfinkel, P. Farrell, V. Roussev, and G. Dinolt. “Bringing science to digital forensics with standardized forensic corpora,” in Proc. Ninth Annual DFRWS Conference, 2009. [Online]. Available: http://www.dfrws.org/2009/proceedings/p2-farfinkel.pdf
[37] CyanogenMod, LLC. (2013). CyanogenMod 10.1. [Online]. Available: http://www.cyanogenmod.org/
[38] Google Inc. (2013). Android open source project. [Online]. Available: http://source.android.com/
[39] S. Garfinkel. (2011, Sept. 3). Digital Forensics XML and the DFXML Toolset. [Online]. Available: http://simson.net/ref/2011/dfxml.pdf
[40] N. Rowe. (2012, Aug.). “Testing the National Software Reference Library,” Digital Investigation, vol. 9, pp. S131–S138. [Online]. Available: http://www.dfrws.org/2012/proceedings/DFRWS2012-14.pdf
[41] Everyi.iPhone Specs. (2013, Sep. 16). Every iPhone: iPhone specs, answers, comparison & more. [Online]. Available: http://www.everymac.com/systems/apple/iphone/index-iphone-specs.html
[42] Arena Com Ltd. (2013). GSM Arena. [Online]. Available: http://www.gsmarena.com/
[43] B. Manders and D. Mathieu. (2005). Media transfer protocol implementation details. [Online]. Available: http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWMD05003_WinHEC05.ppt
[44] Cellebrite Mobile Synchronization Ltd. (2013). UFED Touch Ultimate: All-inclusive mobile forensics solution. [Online]. Available: http://www.cellebrite.com/mobile-forensics/products/standalone/ufed-touch-ultimate
[45] The Open Group Base Specifications Issue 7, IEEE Standard 1003.1, 2013 Edition: grep. 2013. [Online]. Available: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/grep.html
[46] F. Truta. (2012, May 29). “Revised iOS 5.1.1 jailbroken with Rocky Racoon 1.0.2,” Softpedia. [Online]. Available: http://news.softpedia.com/news/Revised-iOS-5-1-1-Jailbroken-with-Rocky-Racoon-1-0-2-272368.shtml
[47] C. Miller, D. Blazakis, D. D. Zovi, S. Esser, V. Iozzo, and R. P. Weinmann. “Jailbreaking,” in iOS Hacker’s Handbook. John Wiley & Sons, Inc., May 8, 2012, pp. 297–325.
[48] Common File Types. (2013). The Central File Extensions Registry, FileInfo.com. [Online]. Available: http://www.fileinfo.com/filetypes/common
[49] Dropbox, Inc. (2013). “How does the Dropbox service work?” [Online]. Available: https://www.dropbox.com/help/1968/en
[50] Jonathan Zdziarski’s Domain. (2009). iErase. [Online]. Available: http://www.zdziarski.com/blog/?page_id=407
[51] infsyssec. (2011). SHREDroid. [Online]. Available: https://play.google.com/store/apps/details?id=ch.ethz.infsyssec.sddroid&hl=en
INITIAL DISTRIBUTION LIST
1. Defense Technical Information Center, Ft. Belvoir, Virginia
2. Dudley Knox Library, Naval Postgraduate School, Monterey, California