It’s obviously superfluous to stress how much mobile forensics has become an important part of today’s digital forensics: mobile phones and other mobile devices like tablet PCs are almost ubiquitous. As any forensic analyst knows, however, mobile forensics presents its own set of problems, quite different from the acquisition and analysis of “normal” PCs: generally closed and proprietary systems, vendor-specific OSs, always-on devices, even proprietary physical connections…
Mobile forensics tools evolved from end-user targeted software like backup and phonebook import-export tools to today’s specific forensic solutions, in many cases hardware-software bundles, which often have physical extraction capabilities. Usually commercial solutions are extremely expensive, while leaving the forensic analyst in a situation where he is in many ways dependent on the vendor (can you say lock-in…) regarding supported models and extraction capabilities. The reverse of the medal (or the upside) is that responsibility is in some way shifted from the analyst to the vendor as to the “forensic soundness” of the work, and the use of a well-advertised brand is well accepted by the end users of the digital forensic analysis: lawyers, courts and corporate clients.
Flasher boxes are a viable alternative tool for cell phone forensic analysis: they can help to overcome limitations of commercial tools at a fraction of the cost. The boxes are connected to a PC via USB and to the phone to be analyzed via specific cables, which on the box side usually implement a standard RJ-45 plug. On the phone side cables can use JTAG contacts or service ports. As with the commercial tools, a set of specific cables is needed, but unlike them, they can be purchased when needed from various online outlets.
These devices were originally developed for mobile phone service providers and shops, mostly in Asian and Russian markets. Some of the capabilities for which they are used are not exactly legal, or borderline. They can unlock phones or devices which are limited by the carrier, unlock (U)SIM limitations and -mostly on older models- rewrite the IMEI. They are able to write over the firmware of the phone, adding for example languages not supported or updating the firmware. Most pertinent to forensic analysis is the capability to read the flash memory of phones at the physical level, generating what is called a “physical” copy, which can yield the most complete evidence, including deleted content.
The plus side
The economic side is relevant: the investment for a box-based solution is an order of magnitude smaller than a mainstream one. We are talking of about $100 – $200 for the first and many thousands of dollars (or Euros) for a commercial solution, not counting the mandatory yearly subscription fee most of the vendors (not all) require. It seems to me mainstream vendors’ offer is targeted on governments and LE markets, where often budgetary considerations aren’t so relevant…
Flasher boxes are much more cost-effective than commercial solutions, even considering the need to acquire more than one to cover the market, but only in the hands of experienced examiners. Independent consultants and small forensic firms should absolutely consider them.
On the technical side, flasher boxes allow analysts low-level access to phone flash memory, without installing any software on the device, which is a plus in a forensic analysis. Also, in many cases a byte-by-byte image of memory can be extracted (a so-called hexdump). It has to be noted that this is not possible for all phone models, but this is a limit of all mobile forensics tools. When a physical extraction is not possible, often a “mid-level” extraction is possible, where the result is not a low-level image but an intermediate-level image, represented in a text file. This still yields more information than a logical analysis, based on the phone OS or AT commands (a high-level protocol used to communicate with phones), where deleted content is not available in any way. Moreover, the boxes allow access to a damaged phone, to a phone without battery or SIM, or to devices with locked SIMs.
Support, model-wise, is quite good, even if probably more than one box will be needed. Both GSM and CDMA phones are generally supported, and support is good also for Chinese phones and clones.
Caveats
Flasher boxes are very useful tools in the hands of an expert forensic analyst: the key word here is ‘expert’. They are not “point-and-click” forensic tools and when used by unprepared personnel can very easily alter or destroy evidence.
As we said before, they are not forensic tools per se, created for that end, so they do not provide complete logging or hashing facilities to document a proper chain of custody: some work and solid procedures are needed on the analyst’s part to properly validate and defend his or her results. Moreover, some validation of the tool itself is required before using it on actual evidence, in order to be sure nothing (or the minimum) is written by the box to the flash.
In many cases the communication between the flasher box and the PC on the USB port is encrypted by the flasher software: care is to be taken in the use of the resulting files. Another approach is to capture the data in transit directly with USB monitoring software: this adds another level of complexity and can be time-consuming.
A more mundane hurdle in using flasher boxes in a forensic lab can be the proliferation of similar products on the market, both branded and non-branded, with different packaging for the same product, in different versions and with management software that is very often updated. Here too, some effort in organising tools and software is needed.
After a low-level flash dump is acquired, its analysis can be hard and time-consuming, because data has to be extracted by carving and some formats can be unusual for analysts new to mobile forensics, such as those used for texts or dates. This is somewhat less so for modern smartphones, where more standard formats like SQLite are becoming more widespread. It must be said that this is a task common to all mobile forensics, even when done with commercial tools.
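As an added example (not code from the original post), the following Python script shows what the “unusual formats” above look like in practice and how carving over a raw dump works. The two field encodings it decodes, the swapped-nibble BCD timestamp (TP-SCTS) and GSM 7-bit packed text, are the standard 3GPP TS 23.040 encodings used for SMS; the record layout it searches for (timestamp, then a septet count, then packed text) and the sample dump are constructed for this demo, since real on-flash layouts vary by vendor. The two-digit year is assumed to mean 2000-2099, and only the characters the GSM default alphabet shares with ASCII are mapped.

```python
"""Carve SMS-style timestamps and 7-bit packed text out of a raw flash dump.

The timestamp and text encodings follow 3GPP TS 23.040; the record layout and
the dump bytes below are constructed for this example and are not any vendor's
real format.
"""
import string

# GSM default alphabet positions that coincide with ASCII; everything else is shown as '?'.
_ASCII_SAFE = set(string.ascii_letters + string.digits + " !\"#%&'()*+,-./:;<=>?")


def semi_octet(b: int) -> int:
    """Decode one swapped-nibble BCD byte (0x71 -> 17); raise on a non-decimal nibble."""
    lo, hi = b & 0x0F, b >> 4
    if lo > 9 or hi > 9:
        raise ValueError("not BCD")
    return lo * 10 + hi


def decode_scts(raw: bytes):
    """Decode a 7-byte TP-SCTS into 'YYYY-MM-DD HH:MM:SS +HH:MM', or None if implausible.

    The last byte carries the UTC offset in quarter-hours, with the sign in bit 3
    of its low nibble. Years are assumed to be 2000-2099 (assumption for the demo).
    """
    if len(raw) != 7:
        return None
    try:
        yy, mo, dd, hh, mi, ss = (semi_octet(b) for b in raw[:6])
    except ValueError:
        return None
    tz = raw[6]
    hi = tz >> 4
    if hi > 9:
        return None
    quarters = (tz & 0x07) * 10 + hi
    if quarters > 56:  # beyond +/-14:00
        return None
    if not (1 <= mo <= 12 and 1 <= dd <= 31 and hh < 24 and mi < 60 and ss < 60):
        return None
    sign = "-" if tz & 0x08 else "+"
    return (f"20{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d} "
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def gsm7_unpack(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed text: septets are packed LSB-first, 8 per 7 bytes."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            c = chr(bits & 0x7F)
            out.append(c if c in _ASCII_SAFE else "?")
            bits >>= 7
            nbits -= 7
    return "".join(out)


def carve_timestamps(dump: bytes):
    """Slide a 7-byte window over the dump and keep every window that decodes as a plausible SCTS."""
    hits = []
    for off in range(len(dump) - 6):
        ts = decode_scts(dump[off:off + 7])
        if ts is not None:
            hits.append((off, ts))
    return hits


def carve_records(dump: bytes):
    """For each timestamp hit, read the constructed record: [SCTS][septet count][packed text]."""
    records = []
    for off, ts in carve_timestamps(dump):
        n = dump[off + 7]
        packed = dump[off + 8: off + 8 + (n * 7 + 7) // 8]
        records.append((off, ts, gsm7_unpack(packed, n)))
    return records


# Constructed dump: erased flash (0xFF) around one record holding
# 2023-05-17 14:30:05 +02:00 and the text "hellohello" (10 septets).
DEMO_DUMP = (b"\xff" * 32
             + bytes.fromhex("32507141035080")          # TP-SCTS
             + bytes([10])                               # septet count
             + bytes.fromhex("E8329BFD4697D9EC37")       # "hellohello" packed
             + b"\xff" * 16)

if __name__ == "__main__":
    for off, ts, text in carve_records(DEMO_DUMP):
        print(f"offset 0x{off:06x}: {ts}  {text!r}")
```

The timestamp scan is deliberately strict (every nibble must be a decimal digit, and the fields must form a valid date) because on a real multi-megabyte dump a looser filter drowns the analyst in false positives; tightening it further with per-vendor record markers is the usual next step.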
A potential problem with the boxes’ software can stem from the fact that most of them need to be connected to the Internet to work, or at least to download upgrades. Wherever possible the actual analysis should be conducted on a workstation that is not connected to the Internet.
Recommendations
All common forensic analysis guidelines should be followed and all activities should be carefully documented.
Given the particular characteristics of these tools, the system should be validated by the lab before being used on actual evidence, in order to verify and document its behaviour and results.
Flashers are to be considered additional tools, to be used whenever possible side by side with other solutions, commercial or free.
As noted, these are not forensic tools per se, so some activities should be incorporated into the procedures and guidelines for their use: files generated by the box should be hashed before anything else, and then copied. Analysis should be conducted on one of the copies. Also, when logging options are present, logs should be preserved and hashed. Photographic documentation of the acquisition and analysis should be created.
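The hash-copy-verify-log sequence just described, as an added Python example (not from the original post and not part of any box vendor’s software). It streams the dump through SHA-256 before anything else touches it, makes the working copy, verifies the copy against the original hash, hashes any box logs, and writes a manifest that is itself hashed in sha256sum-compatible form; a re-verification function then shows how an accidental write to the working copy is caught. The file names (`phone_flash.bin`, `box.log`) and their contents are constructed stand-ins for whatever a real box writes.

```python
"""Preserve a flasher-box acquisition: hash first, copy, verify, log, hash the log.

Added example. The dump and 'box.log' files created in demo() are constructed
stand-ins; nothing here depends on a particular box or its software.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-gigabyte dumps need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_acquisition(dump: Path, box_logs: list, workdir: Path) -> dict:
    """Hash the box output before touching it, make the analysis copy, verify it,
    hash any box logs, and write a manifest that is itself hashed."""
    manifest = {
        "preserved_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "original": {"path": str(dump), "size": dump.stat().st_size,
                     "sha256": sha256_file(dump)},
        "box_logs": [{"path": str(p), "sha256": sha256_file(p)} for p in box_logs],
    }
    working = workdir / (dump.name + ".working")
    shutil.copy2(dump, working)  # copy2 also preserves the original's timestamps
    copy_hash = sha256_file(working)
    if copy_hash != manifest["original"]["sha256"]:
        raise RuntimeError("working copy differs from original; stop and re-copy")
    manifest["working_copy"] = {"path": str(working), "sha256": copy_hash}
    manifest_path = workdir / "acquisition_manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # sha256sum-compatible line, so the manifest can be re-checked with standard tools
    (workdir / "acquisition_manifest.json.sha256").write_text(
        f"{sha256_file(manifest_path)}  {manifest_path.name}\n")
    return manifest


def verify_manifest(manifest: dict) -> list:
    """Re-hash every file named in the manifest; return the labels that no longer match."""
    checks = [("original", manifest["original"]), ("working_copy", manifest["working_copy"])]
    checks += [(f"box_log:{e['path']}", e) for e in manifest["box_logs"]]
    return [label for label, entry in checks
            if not Path(entry["path"]).exists()
            or sha256_file(Path(entry["path"])) != entry["sha256"]]


def demo() -> dict:
    """Run the procedure on a constructed dump, then alter the working copy to show detection."""
    with tempfile.TemporaryDirectory() as tmpdir:
        work = Path(tmpdir)
        dump = work / "phone_flash.bin"
        dump.write_bytes(b"\xff" * 4096 + b"constructed flash content" + b"\x00" * 1024)
        log = work / "box.log"
        log.write_text("constructed box log: read flash 0x000000-0x001400 OK\n")
        manifest = preserve_acquisition(dump, [log], work)
        clean = verify_manifest(manifest)
        # Analysis must only ever touch the working copy; simulate an accidental write to it.
        with open(manifest["working_copy"]["path"], "ab") as f:
            f.write(b"\x00")
        return {
            "copy_matches_original":
                manifest["working_copy"]["sha256"] == manifest["original"]["sha256"],
            "clean_mismatches": clean,
            "after_write": verify_manifest(manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the original read-only (on write-blocked or read-only media) and working only on the copy is what makes the manifest useful: if the working copy’s hash ever changes, the original can be re-copied and the manifest proves which file was altered and which was not.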
Conclusions
Flasher boxes’ positive sides outweigh their downsides by far. Their use should be carefully planned and documented, but they are currently a main part of the mobile forensic analyst’s toolbox. There are many more things to say about their use and the analysis of the evidence collected, and also on products present on the market and case histories, all things that will be subjects of future posts.