Gone Phishing

Timothy R. Primrose, Mobile Forensic Analyst
Millions of people have cell phones and use them to send text messages and browse the web daily. Many of these people have also fallen victim to phishing scams. Phishing is the process by which someone digitally disguises themself as a trustworthy source to obtain personal information or data such as usernames, passwords, social security numbers, or credit card numbers.
A phishing message is intended to look authentic; however, it is baited to lure you in. Attention-grabbing words such as “hacked” or “compromised” may be used, in conjunction with the color red and exclamation points, to reel people in to provide their “bank account” or other targeted pieces of information as quickly as possible. The phishing message may prompt a user to input their bank account number, username, or password to resolve falsified issues with their account, payment information, or suspicious account activity. However, the information inputted by the user is sent directly to the scammer and not the bank. Emails, text messages, and advertisements are all possible sources that may provide a phishing portal. Personal information entered or login attempts might grant the scammer access to your accounts, possibly with answers to your security questions.

It’s Spooky Season

Timothy R. Primrose, Mobile Forensic Analyst
It’s spooky season, and while you might be afraid of ghouls and vampires, you might be missing out on a scarier thing: hacking. Depending on the hacking technique, tools that a hacker needs in order to steal data from their victims are fairly cheap. One of the most common ways hackers steal personal data is through the weak security of public Wi-Fi.

CSAM

Timothy R. Primrose, Mobile Forensic Analyst
Apple is working to fight against child sexual abuse by scanning photos that are uploaded to iCloud for CSAM (child sexual abuse material). Apple is also trying to battle the child grooming chain by analyzing incoming and outgoing pictures in the Messages application for sexually explicit imagery. Facebook, Google, and Microsoft already have parameters set in place to monitor this form of illegal content on cloud-based platforms.
Apple will use an encrypted database of known CSAM images provided by different participating child safety organizations to scan these photos. An algorithm called NeuralHash will run each photo uploaded to iCloud from an Apple device through the CSAM database and will attempt to search for a match, even if the photo was altered, resized, or cropped.

Apple’s Health App: Key to Forensic Analysis

Timothy R. Primrose, Mobile Forensic Analyst
Apple’s health application monitors and documents a user’s day-to-day activity in detail. Some data is collected by the iPhone, while other data can be collected from a synced Apple Watch or input directly by the user. These datatypes include steps, body measurements, menstrual cycle tracking, hearing, heart rate, mindfulness, mobility, nutrition, respiratory, sleep, vitals, and other user input data such as blood glucose and inhaler usage.
From a forensic standpoint, you might not think that health data can help decipher the events that unfolded in a given situation; however, some of these datatypes can be utilized creatively to assist in bizarre scenarios. The hearing datatype proved useful in one of our recent cases.

Cell Phone Evidence Repair

Timothy R. Primrose, Mobile Forensic Analyst
There are three components of a cell phone that need to be functioning in order to extract data from the device: the screen, the charging port, and the battery/power.
The Screen: If a cell phone screen is damaged, be it the result of a car crash or voluntary destruction to hide evidence, it may appear that the phone no longer functions. The internal hardware where data is stored, however, may still be intact. Most smartphones require certain permissions to be accepted or selected on the device before data can be accessed or extracted, thus a working screen is imperative to selecting these permissions. Replacing a phone screen or a backlight fuse may suffice for this circumstance.
If more components were damaged in addition to the screen, forensic evidence repair technicians will analyze all of the internal components and connectors to determine the problem.
Charging Port: Forensic investigators typically need access to the charging port of a cell phone for cable connection and data extraction. Small repairs may entail component fixes with the use of a soldering iron or a heat gun. However, if the port is crushed or damaged beyond use, it may require swapping the damaged port for another.
The Battery: Before plugging in or powering on a damaged cell phone, the battery must be inspected. If a battery is damaged or has a bubble in it, it may catch fire, which can damage a device beyond repair. In the event of a fire, the phone and battery should be placed in sand to extinguish the fire, not water.
Cell phones have liquid damage indicators that are designed to turn red in the presence of moisture. If the liquid damage indicator is red, the phone is corroded, or there is visible moisture, it does not mean the cell phone data cannot be extracted. A wet cell phone is not the end of the world, as long as it is not powered on or used while it is wet. If the device is powered on while it is wet, an electrical current will cause components on the circuit board to short or burn out. So, if a cell phone is discovered in water, it is best to leave the cell phone in water until a repair technician can properly dry the components. This will assist in preventing corrosion due to exposure to oxygen, though forensic technicians can remove corrosion by cleaning and careful treatment.
If a device is damaged beyond repair, a simple method of data extraction will not be available. A destructive process involving the removal of the data chip from the logic board will be required. This data chip contains all of the data from the cell phone. Data is retrieved from this chip via a chip reader. This data extraction method, called Chip-off, is a last resort because the chip cannot be placed back on the logic board of the device.
Timothy R. Primrose, Mobile Forensic Analyst with DJS Associates, Inc., can be reached via email at experts@forensicDJS.com or via phone at 215-659-2010.

Apple’s Health Application

Timothy R. Primrose, Mobile Forensic Analyst
Apple’s health application monitors and documents a user’s day-to-day activity in detail. Some data is collected by the iPhone, while other data can be collected from a synced Apple Watch or input directly by the user. These datatypes include steps, body measurements, menstrual cycle tracking, hearing, heart rate, mindfulness, mobility, nutrition, respiratory, sleep, vitals, and other user input data such as blood glucose and inhaler usage.
From a forensic standpoint, you might not think that health data can help decipher the events that unfolded in a given situation; however, some of these datatypes can be utilized. The hearing datatype proved useful in one of our recent cases.
The purpose of the hearing category in Apple’s health application is to monitor headphone audio levels to ensure that the user’s ears are exposed to a healthy level of sound decibels to prevent hearing issues caused by extended exposure to loud audio. In the image below you can see the audio levels that a user’s headphones were set to, the timeframe that they used their headphones, the media source of the audio, and even the type of headphones utilized. Users can view their listening history that Apple has recorded within the health application.
Figure: Apple Recorded Data
How was hearing data useful in a forensic investigation? A vehicle operator was traveling at the posted speed limit of 45 mph when a woman suddenly stepped out in front of him. He did not have enough time to stop and unfortunately the woman did not survive. The woman had headphones in and was reportedly looking at her phone when she stepped into oncoming traffic. Data extracted from her cell phone showed that the pedestrian had the YouTube application open leading up to and at the time of the incident. Audio level data recorded by Apple’s health application showed that the user’s device was outputting an audio level of 150 dB. This volume level would have prevented the woman from hearing any approaching vehicles or the buzz of traffic. Seeing that the YouTube application was open and not an application such as Pandora or Spotify aids the vehicle operator’s story that the pedestrian was looking at her phone and distracted from where she was walking.
Health data can be utilized for more than what Apple intended. Even if you do not plan on using this information for a case, check it out for yourself and make sure your audio levels are safe.

Are Screenshots Sufficient Evidence?

Timothy R. Primrose, Mobile Forensic Analyst
Text messages, photographs, and call lists accessed directly from a cell phone reveal only a fraction of usage data stored within the device. Accessing additional data, unattainable by scrolling through the device, requires sophisticated software that collects a detailed timeline of phone events. This metadata, or data that gives information about other data, can assist in distinguishing whether a text message was only received or was received and read.
The image on the left provides a text message conversation snapshot displayed on a cell phone. The image on the right shows data about the same conversation, provided by a forensic extraction.

Tracking Uber Rides

Timothy R. Primrose, Mobile Forensic Analyst
There are approximately three billion smartphone users worldwide. Smartphones can provide users with turn-by-turn directions to a given destination via applications such as Apple Maps, Google Maps, Waze, and others. When data is forensically extracted from a smartphone that used one of these applications, a list of GPS coordinates can be produced that will illustrate the exact route the cell phone user/vehicle operator took.
A recent data extraction conducted on an Apple iPhone 8 showed that the Apple Maps application was activated for a trip, which marked GPS coordinates every 1 to 4 seconds. Data from the same device, and its KnowledgeC database, provided details of when the phone was unlocked and when the Uber application was opened.

Screen Time

Timothy R. Primrose, Mobile Forensic Analyst
Screen time across multiple devices has heavily increased since strict guidelines calling for social distancing began in March of 2020. If you own an iPhone, you can monitor screen time, and even set a screen time limit for your children (or yourself!). Screen Time is an exclusive feature for iOS or Apple devices that can be activated by the phone’s user to track application usage. This data can be broken down to determine how often a user picks up their phone and how much time they spend on certain applications, and can even produce daily average calculations for categorized screen time content.