Thursday, April 5, 2018

About Those Other Texting Apps in iOS…




In the age of ubiquitous mobile device use and the seemingly ever-present need for text messages as digital evidence in legal proceedings, we see lots of requests for forensic retrieval of standard (SMS & MMS) text messages, Snapchat messages, Facebook Messenger messages, iMessages and the like.  What is not so often discussed is the need for text messaging data from other apps that may be less popular, or not supported by any of the major mobile forensic tools.  Toward that end, this article explores a sample of them. 

To facilitate this analysis, we conducted an advanced logical encrypted data extraction from an iPhone 8 Plus running iOS 11.3.  The extraction was conducted using Cellebrite Physical Analyzer v. 7.2.1.4.  Among the apps explored are:

Magic Jack:  An app that provides an alternative phone number for the mobile device.  Pro Digital's current office phone number is provided through Magic Jack, and many clients send and receive text messages on that number.

Sideline:  Another app that provides an alternative phone number for the mobile device, separate from the primary wireless number.  Some test text messages were sent using Sideline.

Discord:  An app used primarily by gamers to communicate.  The app has both mobile and desktop functionality.

LinkedIn:  The popular professional social networking app, with built-in messaging capability in both the mobile app and the desktop/web application.

The primary analysis tool was Cellebrite Physical Analyzer, but supplemental analysis was conducted, and additional information obtained, using Magnet Forensics Internet Evidence Finder (IEF) v. 6.12.6.

Magic Jack Artifacts

The main database within Magic Jack that stores not only text messages but also contacts, call logs and so on is storage-##########.sqlite (where the # characters are the phone number Magic Jack assigned to the app/device).  Within that database, the “message” table holds the messages exchanged between the user and the parties contacting the user.  Each conversation with a given party carries a “conversation ID”, which makes following the back-and-forth relatively simple even when the other party is not readily identified by name or phone number.  It is also worth noting that Magic Jack asks for permission to access the main iPhone contacts database, and when that permission is granted, those contacts are present within the Magic Jack SQLite database as well.  Also notable is that each message is assigned a “message ID” in sequential order.  This means that if a message were deleted, the sequence would show missing numbers, much as in the iPhone photos database.  Treat a gap as a lead rather than proof of deletion, however: confirm it against the database’s unallocated space or a second extraction before reporting it.

Figure 1 below shows a sample of what the Magic Jack message database looks like in Cellebrite PA:



Fig. 1: Magic Jack Message Table

Also present in the “message” table are the date and time of delivery of each message and the length (in characters) of each message.  None of this data is encrypted beyond the encryption of the device itself.  All of this data is also historical, meaning the contents of this database have been carried over through multiple devices.
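The threading and gap-check described above can be scripted against any extracted messaging database. The following is an added example written for this article, not code from the original post or from Magic Jack; the real storage-##########.sqlite schema is not published here, so the table and column names (message, message_id, conversation_id, direction, sent_at, body) and the sample rows are assumed for illustration and should be swapped for what Physical Analyzer’s database view actually shows.

```python
"""Triage a messaging-app SQLite store: thread messages by conversation ID
and flag gaps in a sequential message ID column.

Added example, not code from the article or from Magic Jack. The table and
column names below are assumed; adapt them to the schema you observe.
"""
import sqlite3
from collections import defaultdict


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a 'message' table with two conversations,
    from which message IDs 4 and 7 are absent (as if deleted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE message (
        message_id      INTEGER PRIMARY KEY,
        conversation_id INTEGER NOT NULL,
        direction       TEXT NOT NULL,   -- 'in' or 'out' (assumed encoding)
        sent_at         TEXT NOT NULL,   -- ISO 8601 (assumed format)
        body            TEXT NOT NULL)""")
    rows = [
        (1, 101, "in",  "2018-03-30T14:02:11", "Are you available Monday?"),
        (2, 101, "out", "2018-03-30T14:05:40", "Yes, after 1pm"),
        (3, 202, "in",  "2018-03-31T09:15:02", "Invoice attached"),
        (5, 101, "in",  "2018-03-31T10:00:00", "Great, see you then"),
        (6, 202, "out", "2018-03-31T10:30:27", "Received, thanks"),
        (8, 202, "in",  "2018-04-01T08:45:13", "Can we move it to Tuesday?"),
    ]
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn


def thread_conversations(conn):
    """Group messages by conversation_id, oldest first, so the examiner can
    follow a back-and-forth even when the other party is unidentified."""
    threads = defaultdict(list)
    cur = conn.execute(
        "SELECT message_id, conversation_id, direction, sent_at, body "
        "FROM message ORDER BY conversation_id, sent_at")
    for mid, cid, direction, sent_at, body in cur:
        threads[cid].append(
            {"id": mid, "direction": direction, "sent_at": sent_at, "body": body})
    return dict(threads)


def find_id_gaps(conn, table="message", id_col="message_id"):
    """Return IDs missing from an otherwise sequential range.
    A gap is an indicator only: the row may have been deleted, or the ID
    may never have been issued. table/id_col come from the examiner, not
    from untrusted input, which is why they are interpolated directly."""
    ids = [r[0] for r in conn.execute(
        f"SELECT {id_col} FROM {table} ORDER BY {id_col}")]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def freelist_pages(conn):
    """Pages on the SQLite freelist. A non-zero count means whole pages of
    deleted data may still be carvable (unless the file was vacuumed)."""
    return conn.execute("PRAGMA freelist_count").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for cid, msgs in thread_conversations(db).items():
        print(f"conversation {cid}: {len(msgs)} messages")
        for m in msgs:
            print(f"  #{m['id']} {m['direction']:>3} {m['sent_at']} {m['body']}")
    print("missing message IDs:", find_id_gaps(db))
    print("freelist pages:", freelist_pages(db))
```

Run it against a copy of the extracted database by replacing build_sample_db() with sqlite3.connect("storage-<number>.sqlite") opened read-only; a gap list with a non-zero freelist count is the cue to carve the file rather than stop at the parsed rows.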

Sideline Artifacts

An interesting little nugget that I didn’t know before conducting these tests is that Sideline is part of the Pinger/Textfree family.  The app’s container path in this extraction is “com.pinger.side.line”, and the main database holding the information we are researching is “Textfree.sqlite”.  In fact, the IEF report viewer lists these artifacts under “Text Free”, as shown in Figure 2.  This is notable because the Textfree app is not present on the device; only Sideline is.


Fig. 2: IEF Rendering Sideline as “Textfree”

The table in which all of the messages are stored is “ZEVENT”, and it contains not only the test text messages sent to and from the app, but also voice-to-text transcriptions of voicemail messages.  This is very helpful when researching voicemails that have been deleted and/or are not among the .amr files in the main iPhone voicemail database.  Also of note, as displayed in Figure 3, is an IP address recorded with each phone call received and answered.  For example, the IP address 67.231.9.110 is listed in the table for certain answered calls and resolves back to Bandwidth.com, which Search.org lists as being in Raleigh, NC.  I’m not exactly sure what Bandwidth.com has to do with Sideline, Pinger or Textfree, but it does offer another investigative angle. 



Fig. 3: Sideline Database w/ Calls IP Address Highlighted

Also present in this database, under the “ZCONTACT” table, are the names of all contacts synced from the iPhone.
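Tables whose names start with Z, as ZEVENT and ZCONTACT do, are the Core Data naming convention, and Core Data stores dates as seconds since 2001-01-01 UTC rather than the Unix epoch, which trips up examiners reading the raw table. The following is an added example written for this article, not code from the original post, Sideline or Pinger. It assumes the Z tables are a Core Data store with that epoch and assumes the column names ZEVENTTYPE, ZDATE, ZTEXT and ZIPADDRESS; the rows are constructed. Verify the epoch against one message whose time you already know before relying on the conversion, and replace the column names with the ones you actually see.

```python
"""Pull call, text and voicemail-transcript events out of a Core Data-backed
SQLite store (Z-prefixed tables, as in Textfree.sqlite's ZEVENT), convert the
timestamps, and validate any IP address column.

Added example, not code from the article, Sideline or Pinger. Assumed:
Core Data absolute time in ZDATE and the column names used below.
"""
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone

# NSDate / Core Data absolute time counts seconds from this instant.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_to_utc(seconds: float) -> datetime:
    """Core Data absolute time -> timezone-aware UTC datetime."""
    return CORE_DATA_EPOCH + timedelta(seconds=seconds)


def guess_epoch(value: float) -> str:
    """Rough heuristic for a numeric timestamp of unknown origin, based on
    magnitude for dates in the 2010s-2020s: Core Data ~3e8-9e8,
    Unix seconds ~1e9-3e9, Unix milliseconds ~1e12-3e12."""
    if 3e8 <= value < 9e8:
        return "core_data"
    if 1e9 <= value < 3e9:
        return "unix_seconds"
    if 1e12 <= value < 3e12:
        return "unix_milliseconds"
    return "unknown"


def build_sample_db() -> sqlite3.Connection:
    """Constructed ZEVENT rows; 544449600 is 2018-04-03T12:00:00Z in
    Core Data time. The IP is the one shown in the article's Figure 3."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZEVENT (
        Z_PK INTEGER PRIMARY KEY, ZEVENTTYPE TEXT, ZDATE REAL,
        ZTEXT TEXT, ZIPADDRESS TEXT)""")
    rows = [
        (1, "text",      544449600.0, "Running late, 10 min", None),
        (2, "call",      544453200.0, None, "67.231.9.110"),
        (3, "voicemail", 544460400.0, "Hi, this is the clinic confirming your appointment", None),
        (4, "call",      544464000.0, None, "not an ip"),
    ]
    conn.executemany("INSERT INTO ZEVENT VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn


def extract_events(conn):
    """Return every event with a converted UTC time and a validated IP.
    The raw timestamp and raw IP string are kept for the report."""
    events = []
    cur = conn.execute(
        "SELECT Z_PK, ZEVENTTYPE, ZDATE, ZTEXT, ZIPADDRESS FROM ZEVENT ORDER BY ZDATE")
    for pk, etype, zdate, text, ip in cur:
        valid_ip = None
        if ip:
            try:
                valid_ip = str(ipaddress.ip_address(ip.strip()))
            except ValueError:
                pass  # keep ip_raw so a malformed value is still reportable
        events.append({
            "pk": pk, "type": etype,
            "utc": core_data_to_utc(zdate).isoformat(),
            "raw_ts": zdate, "epoch_guess": guess_epoch(zdate),
            "text": text, "ip": valid_ip, "ip_raw": ip,
        })
    return events


def voicemail_transcripts(events):
    """Voicemail rows carrying a voice-to-text transcript."""
    return [e for e in events if e["type"] == "voicemail" and e["text"]]


def peer_ips(events):
    """Distinct, syntactically valid IPs seen on call events."""
    return sorted({e["ip"] for e in events if e["ip"]})


if __name__ == "__main__":
    evs = extract_events(build_sample_db())
    for e in evs:
        print(e["pk"], e["type"], e["utc"], e["epoch_guess"], e["ip"] or "", e["text"] or "")
    print("voicemail transcripts:", len(voicemail_transcripts(evs)))
    print("peer IPs:", peer_ips(evs))
```

The epoch guess is only a sanity check for a column whose meaning you have not yet confirmed; the conversion itself should be anchored to a known event (a test message you sent, a call in the carrier’s records) before the times go into a report.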

Discord & LinkedIn Artifacts

Although the same encrypted advanced logical extraction was run, very little data came back from either LinkedIn or Discord, especially with respect to messaging.  The likely explanations are that the message data is stored in the cloud, encoded or encrypted (or some combination of the three).  A fourth possibility worth ruling out is that the app keeps its data somewhere the extraction does not collect, for instance in files the developer has excluded from backup, which an extraction that relies on the iOS backup service will not contain.  For what it’s worth, no large SQLite database files were discovered for either app, only .plist files and small SQLite databases containing limited information.

Discord, in particular, is used by gamers, many of whom are children.  Investigators involved in child exploitation investigations should pay particular attention to this app if present on the device and attempt to document the data by whatever means possible.

Additional Items of Note

While IEF indicates support for Instagram in the “Social Network” category list, as seen in Figure 4, no recoverable Instagram messages were parsed out by IEF: 


Fig. 4: Social Networking Support in IEF (Partial)

Conversely, many Facebook Messenger messages were obtained by IEF, as detailed below in Figure 5.  This is of particular note, as many people have asked on digital forensic listservs about the potential presence and recovery of Facebook Messenger messages.  While not every bit of information is readily apparent in IEF (e.g., the other party to the message), identifying the sender and receiver is a simple matter of looking in the detail tab for the Facebook user IDs involved in the chat.




Fig. 5: Facebook Messenger Messages in IEF

Conclusions

Those of us who work with the commonly used commercial mobile forensic tools know their strengths and limitations very well.  Experiments like these push us beyond what is natively supported and help us take a deeper dive into the data to see what (sort of) hidden gems exist beyond what is served up on a silver platter.  There’s a ton of data out there to be had.  Companies like Cellebrite, Oxygen, MSAB and Magnet Forensics can’t be expected to support every version of every app.  It’s simply not possible, or if it were, the cost of these tools would be astronomically higher than it is now. 

It is incumbent upon the examiner to know what to look for, where to look for it (i.e., how to find it) and how to read and interpret what they find.  Missing valuable data can mean the difference between identifying culpable or responsible parties in civil matters or not, and in criminal cases could mean the difference between guilt and innocence.

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Twitter: @ProDigital4n6

Tuesday, November 28, 2017

Discussion: SCOTUS, Carpenter & Call Detail Records


On November 29, 2017, the Supreme Court of the United States (SCOTUS) will hear arguments in Carpenter v. US.  At the heart of the case is whether the government (i.e., law enforcement) needs a search warrant to obtain records from cellular providers that help determine a criminal suspect’s location at or around the time of an incident.  Previously, as detailed in the USA Today article here, SCOTUS and lower courts have held that a search warrant is not required because the records are not subject to Fourth Amendment privacy protection, the data (i.e., the records) having been transmitted to a third party, namely the cellular provider.  This is what is known as the “Third Party Doctrine”.  It has been cited in previous cases where a third party, such as a utility company, holds records that may be relevant in a criminal investigation, and the burden of documentation on the government has heretofore been a subpoena for records, not a search warrant.  Because a search warrant requires probable cause to be stated, the standard for obtaining the records would be higher.

Think of it this way:
    Subpoena = “I want this”
    Search Warrant = “I want this, and here is why”


Call Detail Records… Sort of

Setting the Records Straight

I’ve read a lot online about this case.  A recent posting on PoliceOne.com erroneously leads the reader to believe that this case is about data contained on the cell phone, much like the often-argued Apple vs. FBI cases that keep popping up in the wake of active shooter/terrorist incidents (read this blog’s take on that here:  https://prodigital4n6.com/clash-of-the-titans-apple-vs-the-u-s-government/ ).  Let me be clear: this case is not about cell phone data, forcing people to hand over their passcodes or allowing the government to pry into your device!  This case is about cellular location data that subscribers virtually never see.  It is about records of cell site location data stored with your cellular provider, along with sending and receiving phone numbers for calls and texts, duration of calls, and potentially the locations of cell sites used for data transmissions when you check Facebook or your email.  You never see most of this data, and if you call your cellular provider, they won’t give it to you without a subpoena. 

To Get A Warrant Or Not?  That is the Question!

Some brief background is in order before opining on this subject…
I’m a former law enforcement investigator with 15 years’ total experience.  I worked as the sole investigative member for my agency on the Internet Crimes Against Children Task Force for several years and have investigated hundreds of electronically facilitated crimes, which meant that I had to author dozens of search warrants and subpoenas.  In Virginia, there is a law that allows police to obtain subscriber information only for users of internet service providers in child exploitation cases.  These “administrative subpoenas” must be signed by a prosecutor and can simply be faxed to the provider to obtain the name, address, phone number, email address and any other registrant information for the user of a screen name, email address, IP address, etc.  The process is to be used in child exploitation cases only, and no additional records are available through it.

Each and every prosecuting attorney I’ve ever been trained by or worked with (and I’ve worked with some of the best at electronic crime prosecution) has a rule: when in doubt, get a search warrant.  In fact, for cellular call detail records (CDRs), there is often a need to bypass a subpoena and get a search warrant, especially when requesting more than simple records, things like text message content.  The law distinguishes between simple records and the unique content of text messages, so the burden on the request is naturally higher when police ask for the content of email, text messages, etc. than for simple records of who logged onto the service, when and from where.  It’s an important distinction and one that SCOTUS will no doubt delve into in great detail during arguments in this case.


These things are everywhere!

Since leaving law enforcement, and for nearly the past 4 years, I’ve been working mainly civil cases in the digital forensic field in a litigation support arena.  I’ve also been working cases involving analysis and mapping of cellular call detail records, so I’ve assisted attorneys with the verbiage of requests for these records, obtained the records, analyzed them, and used them to prove or disprove location, perform link analysis and address other items of interest in litigation.  In a few of these cases I was retained by criminal defendants, so I have the benefit of experience at both the prosecution end and the defense end to add credence to the next bit of information…

It’s very simple:  In most cases, getting a search warrant helps the prosecution and bolsters the credibility of the evidence.  In most cases where a search warrant isn’t obtained and the defense argues that fact, the argument bolsters the defense and sometimes leads to evidence such as cellular call detail records being thrown out. 

That being the case, my question to government investigators everywhere is, why not just get a search warrant anyway?

Yes, there are exceptions to every “search warrant rule”, exigency being the most obvious.  But absent exigency, a search warrant should probably be sought. 

Investigative Lead vs. Evidence

Part of what’s at the heart of this argument is whether CDRs constitute an investigative lead or evidence.  When police request a “tower dump” of all devices connected to a particular cell site in a given time frame around a crime, to help generate a potential suspect list or prove/disprove that a suspect was in the area at the time, that serves as an investigative lead, but it can quickly turn into evidence.  I would submit that investigative leads alone do not require a search warrant.  By their very nature, they lack specific evidence in support of them, so a search warrant likely isn’t feasible.  However, I would further submit that a “tower dump” and the data derived from it also do not fall under the category of a specific subscriber’s (i.e., target’s) call detail records.  They are records maintained by the cellular provider, but not specific to any one subscriber.

Only after a suspect list has been developed and substantial information gathered to produce actionable intelligence can we start to cross the bridge into evidence.  It also cannot be overlooked that cellular location evidence sometimes serves to exonerate a suspect, by showing that he (or his device) was not in the area at the time of the incident.  Either way, the importance of evidentiary data, in contrast to investigative leads, dictates that obtaining a search warrant is likely the prudent move.

Wrapping it Up


Back when the Third Party Doctrine was first articulated, wireless cell phones were just an idea.  In 2017, we use them to stay connected in our everyday lives.  They help us keep in contact with friends and loved ones, carry out banking transactions, arrange transportation and much more.  The devices themselves store a very large amount of data, but they cannot do it without internet connectivity, which is what the cellular providers supply.  The weight of cellular location evidence in both criminal and civil cases has grown enormously in the modern era and will only keep growing as time goes on and cellular networks transition from 4G to 5G technology.

My prediction: SCOTUS will hold that the government needs a search warrant to obtain cellular records for a specific subscriber or target of an investigation.  However, the Court needs to understand and explicitly distinguish between records for a specific subscriber, which should require a search warrant, and the tools police use to generate investigative leads, for which the burden of the request should be much lower, as is the case when requesting tower dumps.  Only by making that distinction clear will the Court help answer additional questions in subsequent cases and put the matter entirely to rest… until next time!


Tuesday, September 5, 2017

Cellular GPS Evidence: Waze + Cellebrite + CellHawk





It’s becoming common knowledge that location data on cellular devices can provide a wealth of evidence in any number of civil, criminal and investigative matters.  Law enforcement agencies use cellular location evidence from service providers to help place a criminal suspect at or near a crime scene in a given time frame.  Search and rescue analysts can use cellular call detail records to help locate missing persons as well.  And as we’ve detailed in previous articles, this type of evidence can be useful in any number of other matters, from divorce to alimony to fraud investigations and beyond.

So where does all of this evidence come from, and how can we best utilize it?  It can come from a variety of places, but the two main sources are the mobile device itself and the records of the cellular provider.  Proper legal authority needs to be in place to obtain the data from either source, but with the right training and experience, an investigator or consultant can help with obtaining those items.  Once the data is in hand, any number of tools and approaches can help parse out the relevant data and map locations that may be of interest in the case.



In the example in this article, the data was extracted from an Apple iPhone 7 through an advanced logical extraction using Cellebrite Universal Forensic Extraction Device (UFED) Physical Analyzer.  Because I’ve been doing a lot of traveling lately and using the Waze app to find my way around various US locations, I decided to use Waze as a case study in location information.  Cellebrite UFED does natively parse this data (see Fig. 1), but does not natively map the locations.  

Fig. 1: Waze Data parsed in Cellebrite PA

As you can see, Cellebrite adequately pulled the GPS locations, dates, times and even addresses stored by Waze.  The list is longer, but Figure 1 gives a sample of a few months of Waze usage across various locations.

But again, Cellebrite does not natively map this data.  So how can we see it graphically, and perhaps even create a demonstrative for use in court?  Enter CellHawk from Hawk Analytics, a cellular record analysis and location mapping tool.  CellHawk is an online tool that natively reads, parses and maps location data from any of the major cellular providers as obtained through a search warrant or court order.  However, as I learned recently at the CellHawk training, it can also map anything that has a date, time and GPS coordinates.  It just takes a little manual configuration once the data is exported from Cellebrite.

For this demonstration, I simply exported the Waze data to an Excel spreadsheet, which Cellebrite supports natively.  From there, the spreadsheet is uploaded into CellHawk, which reads the column headers and asks for some direction about where the pertinent data (date/time/GPS location) sits within the spreadsheet.  Here’s an example of what we get when CellHawk reads and maps the data:
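The export-then-map step above is the kind of thing worth scripting when the spreadsheet has hundreds of rows or a column the mapping tool rejects. The following is an added example written for this article, not code from the original post, Cellebrite or Hawk Analytics. It assumes the Physical Analyzer export was saved as CSV with the columns Time, Latitude, Longitude and Address and that the times are in UTC; real export headers differ, so map them to what your tool actually wrote. The sample rows are constructed, including two deliberately bad ones, and the output is a normalized date/time/lat/lon table for a generic location importer plus a KML file for Google Earth.

```python
"""Normalize exported app location points (e.g. Waze entries from Physical
Analyzer) into a clean date/time/lat/lon table and a KML file.

Added example, not code from the article, Cellebrite or Hawk Analytics.
Assumed input layout: CSV with Time, Latitude, Longitude, Address columns,
times in UTC. Rows with unparseable times or out-of-range coordinates are
set aside rather than silently dropped.
"""
import csv
import io
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed sample export: three valid rows, one bad latitude, one bad time.
SAMPLE_CSV = """Time,Latitude,Longitude,Address
2017-08-14 13:05:22(UTC+0),37.5407,-77.4360,Richmond VA
2017-08-15 09:42:10(UTC+0),39.9526,-75.1652,Philadelphia PA
2017-08-20 18:30:00(UTC+0),42.3601,-71.0589,Boston MA
2017-08-21 11:00:00(UTC+0),91.0,-71.0,bad latitude
not a date,42.0,-71.0,bad time
"""


def parse_time(raw):
    """Parse the time layouts seen in the sample; returns None on failure."""
    raw = raw.strip()
    if raw.endswith("(UTC+0)"):
        raw = raw[: -len("(UTC+0)")]
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def load_points(csv_text):
    """Return (accepted points, rejected raw rows)."""
    points, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_time(row["Time"])
        try:
            lat, lon = float(row["Latitude"]), float(row["Longitude"])
        except ValueError:
            lat = lon = None
        if ts is None or lat is None or not (-90 <= lat <= 90) or not (-180 <= lon <= 180):
            rejected.append(row)
            continue
        points.append({"time": ts, "lat": lat, "lon": lon, "label": row.get("Address", "")})
    return points, rejected


def in_window(points, start_iso, end_iso):
    """Points whose time falls within [start, end], given as ISO 8601 UTC."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    return [p for p in points if start <= p["time"] <= end]


def to_generic_csv(points, identifier="Waze"):
    """One row per point with an identifier column standing in for the phone
    number a CDR-oriented mapping tool expects."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["identifier", "datetime_utc", "latitude", "longitude", "label"])
    for p in sorted(points, key=lambda p: p["time"]):
        w.writerow([identifier, p["time"].strftime("%Y-%m-%d %H:%M:%S"),
                    p["lat"], p["lon"], p["label"]])
    return out.getvalue()


def to_kml(points, name="Waze locations"):
    """KML with a timestamped Placemark per point (KML order is lon,lat,alt)."""
    marks = []
    for p in sorted(points, key=lambda p: p["time"]):
        marks.append(
            "<Placemark><name>{n}</name><TimeStamp><when>{w}</when></TimeStamp>"
            "<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>".format(
                n=escape(p["label"]), w=p["time"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                lon=p["lon"], lat=p["lat"]))
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document><name>{}</name>{}'
            "</Document></kml>").format(escape(name), "".join(marks))


if __name__ == "__main__":
    pts, bad = load_points(SAMPLE_CSV)
    print(f"{len(pts)} points accepted, {len(bad)} rejected: {bad}")
    print(to_generic_csv(pts))
    with open("waze_points.kml", "w", encoding="utf-8") as fh:
        fh.write(to_kml(pts))
```

Keeping the rejected rows is the point of the exercise: a dropped row is a location the opposing expert may find, so list them in the report along with why they were excluded.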


 Fig. 2: Northeast Waze Locations

Our office is located in Richmond, VA, which is listed as the starting point for many of these trips.  But this map details all of the client visits in/around Virginia, Maryland and DC as well as locations where training was delivered in the Philadelphia and Boston areas over a period of more than a year. 

When a map location is clicked, CellHawk tries to associate a phone number with that data point.  Because the CellHawk generic location finder was used, the identifier “Waze” was entered instead of a phone number; this identifier is user-defined in CellHawk.  The dates and times of the data points are also listed and viewable when clicked in CellHawk.  The figure below details a recent trip to Kansas City, KS for the Cellular Analysis and CellHawk training:

Fig. 3: Date, time & location detail in CellHawk

What’s even more interesting about the dataset in general is the historical nature of some of these locations.  Figure 3 also shows several locations in and around Chicago and Milwaukee.  I used Waze to navigate in and around the Chicago area and to the Harley-Davidson Museum in Milwaukee in August 2012.  Since then, while the Waze user account hasn’t changed, the device has been upgraded through three or more different iPhone models. 

This historical data was not a one-off, nor isolated to that trip.  Fig. 4 below shows map locations from a trip to and around the ALERRT Center in San Marcos, TX, where I attended a conference in 2011:


Fig. 4: Waze historical data from 2011 mapped in CellHawk

That’s Great.  Now what?

The data gathered by Cellebrite and mapped by CellHawk is useful in proving or disproving that someone was in, and navigated around, a particular area during a specified time frame.  Further, if a subject of an investigation or litigation claims they cannot drive, Waze data can help disprove that claim, bearing in mind that the data shows where the device went, not who was driving.  When we factor in dates, times and historical data maintained over years and across multiple devices, the potential weight of that data becomes apparent.

There are other ways (no pun intended) to parse and map this data, but both Cellebrite and CellHawk make it fairly easy and intuitive.  In the ever-present questions of who, what, where, when, how and perhaps why of any incident, the ability to find, export and analyze this data simply and effectively is a fantastic investigative advantage!

P.S.  If you think this was a cool illustration, I highly recommend checking out CellHawk for your cellular call detail record and cell site mapping.  It’s a fantastic tool for mapping that particular set of data, and that’s primarily what it was designed to do.  Look for a future blog diving into CellHawk for that purpose.
