A newcomer to mobile phone examination asked a question on another forum:
"My first question is a general one: how can I know that the data I get in an extraction is everything that was on the device? For example, I recently acquired an image from a ZTE Z667G with prior knowledge that there were messages between 2 subjects using Facebook Messenger. The device was not able to be rooted with Oxygen's root exploit, so I used the Android backup method. When I began to analyze the data, I noted that Facebook messenger was not in the listed applications; also, none of the database files for that app were acquired. Had I not been told about the messages by the detective working that case, that data would have likely been missed. Without going through the device manually, how can I know for sure that what I'm getting is everything that is there?"
There is a temptation to reply with "try another tool". However, the opening question was "how can I know that the data I get in an extraction is everything that was on the device?", which suggests a knowledge of the memory where a mobile handset can store messages.
Knowing the memory available and areas where data maybe stored is another aspect an examiner may wish to consider as a planned exercise before commencing examination of the target DUT (device under test). As a simple exercise consider:
a) Handset memory
b) (U)SIM memory
c) SD card memory
Query: the examiner is interested to know the memory available in an e.g. Samsung Galaxy S6 edge (GSM)?
One popular website used by mobile phone examiners is Phonescoop:
http://www.phonescoop.com/phones/phone.php?p=4716
The site identifies the following:
Memory
32 GB internal storage, raw hardware
23 GB internal storage, available to user
3 GB RAM
also available in 64 and 128 GB versions
SIM card size
Nano (4FF)
Is there any info that identifies whether an SD card may be used? Check for yourself at the link above.
The newcomer referred to the ZTE Z667G. Would this be the correct model at Phonescoop?
http://www.phonescoop.com/phones/phone.php?p=4450
However, a Z667g user manual suggests a different name:
http://wontek.com/static-img/phones/ZTE-Flame-Z667G.pdf
and another website identifies the Z667g under a different name:
http://androidface.com/forums/topic/zte-whirl-2-zte-z667g/
Could that suggest variances between the different model names??
As an examiner can you verify or validate the accuracy of the Phonescoop details elsewhere?
e.g. are there any other website that may provide details? There are many, so here is another link:
http://specdevice.com/showspec.php?id=a7b9-7cb0-ec56-3c90041b97dc
Finally, what does the ZTE manufacturer website state about the ZTE Z667G?
There are a range of tools out there each to assist the examiner extract and harvest data; but be mindful, a tool may provide answers but a tool should not determine the questions and by extension think for you.
No comments:
Post a Comment