NAVAL

POSTGRADUATE

SCHOOL

 

MONTEREY, CALIFORNIA

 

 

 

THESIS

 

Approved for public release;distribution is unlimited

THIS PAGE INTENTIONALLY LEFT BLANK

REPORT DOCUMENTATION PAGE					Form Approved OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503.
1. AGENCY USE ONLY (Leave blank)		2. REPORT DATE  March 2014		3. REPORT TYPE AND DATES COVERED Master's Thesis
4. TITLE AND SUBTITLE  EFFECTIVENESS OF THE FACTORY RESET ON A MOBILE DEVICE					5. FUNDING NUMBERS
6. AUTHOR(S)  Riqui Schwamm
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Naval Postgraduate School Monterey, CA  93943-5000					8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING /MONITORING AGENCY NAME(S) AND ADDRESS(ES) N/A					10. SPONSORING/MONITORING     AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.  IRB Protocol number ____N/A____.
12a. DISTRIBUTION / AVAILABILITY STATEMENT  Approved for public release;distribution is unlimited					12b. DISTRIBUTION CODE
13. ABSTRACT (maximum 200 words) All mobile phones use internal flash memory to store information. The flash memory contains personal user data that can be extracted with the use of forensics tools. This information could be used to profile a user's daily activity. However, all smartphones provide a tool to erase (factory-reset) the information from the flash memory. Twenty-one smartphones were used to evaluate the effectiveness of the factory-reset feature. A set of forensics tools from Cellebrite was used for the extraction and analysis process. The factory-reset feature was found to leave significant amounts of user-generated content after operation. The amount of user-generated content varied by vendor and model number. Extracted data are presented as evidence to show the ineffectiveness of the reset. User data such as photographs, audio files, text files, login information and geolocation data were left on the phone. The data analysis uncovered the unreliable nature of a factory reset and how the user is not properly protected.
14. SUBJECT TERMS Android Operating System, Apple iOS, Mobile Forensics, smartphone, personal user data						15. NUMBER OF PAGES 67
						16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT Unclassified	18. SECURITY CLASSIFICATION OF THIS PAGE Unclassified		19. SECURITY CLASSIFICATION OF ABSTRACT Unclassified			20. LIMITATION OF ABSTRACT   UU

NSN 7540-01-280-5500                                                                                                                            Standard Form 298 (Rev. 2-89)

                                                                                                                                                                  Prescribed by ANSI Std. 239-18

THIS PAGE INTENTIONALLY LEFT BLANK

Approved for public release;distribution is unlimited

 

 

EFFECTIVENESS OF THE FACTORY RESET ON A MOBILE DEVICE

 

 

Riqui Schwamm

Civilian, Department of the Navy

B.S., California State University, Monterey Bay, 2011

 

 

Submitted in partial fulfillment of the

requirements for the degree of

 

 

MASTER OF SCIENCE IN COMPUTER SCIENCE

 

from the

 

 

NAVAL POSTGRADUATE SCHOOL

March 2014

 

 

 

Author:                        Riqui Schwamm

 

 

 

Approved by:              Neil Rowe

Thesis Advisor

 

 

 

Simson Garfinkel

Second Reader

 

 

 

Peter J. Denning

Chair, Department of Computer Science

THIS PAGE INTENTIONALLY LEFT BLANK

 

ABSTRACT

All mobile phones use internal flash memory to store information. The flash memory contains personal user data that can be extracted with the use of forensics tools. This information could be used to profile a user's daily activity. However, all smartphones provide a tool to erase (factory-reset) the information from the flash memory. Twenty-one smartphones were used to evaluate the effectiveness of the factory-reset feature. A set of forensics tools from Cellebrite was used for the extraction and analysis process. The factory-reset feature was found to leave significant amounts of user-generated content after operation. The amount of user-generated content varied by vendor and model number. Extracted data are presented as evidence to show the ineffectiveness of the reset. User data such as photographs, audio files, text files, login information and geolocation data were left on the phone. The data analysis uncovered the unreliable nature of a factory reset and how the user is not properly protected.

 

THIS PAGE INTENTIONALLY LEFT BLANK

TABLE OF CONTENTS

I.             introduction....................................................................................................... 1

A.           mobile devices, applicationS, and user data................... 1

B.           research questions............................................................................ 2

C.           thesis structure.................................................................................. 2

II.           background and related work............................................................ 3

A.           growth of smartphones and mobile computering..... 3

B.           prior work................................................................................................ 4

III.         digital forensics tools.............................................................................. 7

A.           computer forensics........................................................................... 7

B.           mobile forensics.................................................................................. 9

C.           mobile forensic tool cellebrite ufed................................ 9

D.           mobile forensic tool Bulk extractor.............................. 11

E.           other mobile forensics tools tested................................. 11

IV.         experimentS....................................................................................................... 15

A.           controlled experiment with two smartphones........ 15

B.           Experiment and data Extraction.......................................... 21

C.           Issues with the smartphones..................................................... 28

D.           data analysis With the Physical analyzer.................... 29

E.           string searching with Linux grep command................. 32

F.           data analysis With bulk extractor................................... 34

G.          Discussion................................................................................................ 38

V.           Conclusions and future work............................................................. 41

A.           Conclusion.............................................................................................. 41

B.           recommended procedures.......................................................... 41

C.           future work.......................................................................................... 42

List of References..................................................................................................... 45

Initial Distribution List........................................................................................ 51

 

 

THIS PAGE INTENTIONALLY LEFT BLANK

 

 

LIST OF TABLES

Table 1.               Top Smartphone Platforms (from [1])............................................................... 1

Table 2.               Mobile Internet & Smartphone Adoption: October 2011 (from [4])................. 3

Table 3.               Sample files from post-wipe iPhone................................................................ 19

Table 4.               Sample files from post-wipe Android phone................................................... 20

Table 5.               Full list of smartphone and status (from [41], [42])......................................... 22

Table 6.               Summary data from 21 smartphones............................................................... 23

Table 7.               File type counts before and after the factory reset.......................................... 24

Table 8.               The number represents user data and system data on smartphones part 1.  (post-wipe/pre-wipe) I=iPhone, A=Android, B=BlackBerry............................................................ 26

Table 9.               The number represents user data and system data on smartphone part 2 (post-wipe/pre-wipe) I=iPhone, A=Android, B=BlackBerry............................................................ 27

Table 10.            User data files found in the smartphones part 1.............................................. 32

Table 11.            User data files found in the smartphones part 2.............................................. 32

Table 12.            Search result (post-wipe/pre-wipe) part 1........................................................ 36

Table 13.            Search result (post-wipe/pre-wipe) part 2........................................................ 37

 

 

THIS PAGE INTENTIONALLY LEFT BLANK

LIST OF ACRONYMS AND ABBREVIATIONS

ADB                           Android Debug Bridge

CDMA                        code division multiple access

DoD                            Department of Defense

GPS                             Global Positioning System

GSM                           Global System for Mobile

IEEE                           Institute of Electrical and Electronics Engineers

iOS                              iPhone Operating System

MMS                           Multimedia Messaging Service

MTP                            Media Transfer Protocol

NFC                            Near field communication

NPS                             Naval Postgraduate School

OS                               operating system

SD                               Secure Digital

SIM                             subscriber identity modules

SMS                            Short Message Service

URL                            Uniform Resource Locator

USB                            Universal Serial Bus

Wi-Fi                           Wireless Fidelity

WLAN                        Wireless Local Area Network

 

 

 

THIS PAGE INTENTIONALLY LEFT BLANK

ACKNOWLEDGMENTS

This research project would not have been possible without the guidance and support of Dr. Neil Rowe and Dr. Simson Garfinkel. I would especially like to recognize Dr. Rowe for his patience and encouragement when it was most required.

THIS PAGE INTENTIONALLY LEFT BLANK

 

I.                  introduction

A.                mobile devices, applicationS, and user data

There has been significant growth in personal smartphone devices. In June 2013, the Google Android smartphone held 51.8% of the market, the highest share in the U.S. Table 1 [1]. Apple iOS maintained the second largest share at 40.6%, followed by BlackBerry at 3.4% and Microsoft at 3.1% [1]. Symbian still holds a 0.2% market share but has been discontinued by Nokia. The last Symbian smartphone was shipped in mid-2012, according to the company's 2012 Interim Report [2].

Top Smartphone Platforms 3 Month Avg. Ending Dec. 2013 vs. 3 Month Avg. Ending Sep. 2013 Total U.S. Smartphone Subscribers Age 13+ Source: comScore MobiLens
	Share (%) of Smartphone Subscribers
	Sep-13	Dec-13	Point Change
Android	51.8%	51.5%	-0.3
Apple	40.6%	41.8%	1.2
BlackBerry	3.8%	3.4%	-0.4
Microsoft	3.3%	3.1%	-0.2
Symbian	0.3%	0.2%	-0.1
Total Smartphone Subscribers	100.0%	100.0%

   Table 1.  Top Smartphone Platforms (from [1]).

Mobile phones use flash-memory [3] to store the base mobile operating system (OS), applications (apps), and user data. First-party applications are software created by the operating-system provider. For example, the Android smartphone includes a phonebook, a calendar and text-messaging applications created by Google's own software-development team. Third-party applications are created by developers other than the provider of the mobile operating system.

The internal flash memory of a mobile device contains several types of user-generated information such as phone numbers, addresses, Short Message Service (SMS) text messages, and cell data. These data can be extracted with the use of digital forensics tools and used to profile a user's activity. Digital forensics is a branch of forensic science that investigates digital information stored in various electronic media. It can help investigate cybercrime, computer-based terrorism, and computer hacking involving digital environments.

All smartphones provide a way to erase (reset) personal information from flash memory. The main focus of this thesis will be to evaluate the effectiveness of "factory data reset" feature on smartphones. A detailed and comprehensive survey can benefit not only the forensic community, but also anyone who uses a smartphone. The end result will help illustrate the limits of privacy protection offered by factory-reset features. It can also contribute to improved smartphone security and privacy policies if venders use this research to improve their products.

B.                 research questions

This thesis attempts to answer one primary question:

·                     How much user-generated data is left on a smartphone after using the mobile phone's factory reset/wipe function?

Two secondary questions also need to be addressed:

·                     How much private/personal information can be extracted after the wipe?

·                     Can recovered data be used to identify or profile a user?

C.                thesis structure

The remainder of the thesis is organized as follows. Chapter II will discuss prior work in mobile forensics and similar research work done under this topic. Chapter III will cover the process of forensics research all hardware, software and computer environments used in these experiments. Chapter IV will cover experiments with some sample memory images. Chapter V will end with conclusions and propose future research work.

 

 

II.               background and related work

A.                growth of smartphones and mobile computering

Mobile phones have become a significant consumer product in recent years. A telephone survey by Google Inc. of 2,000 adults in five countries [4] found that consumers own mobile phones more than any other mobile devices As Table 3 depicts, the survey found that Japan has highest adoption rate of mobile phones (96%), followed by the United Kingdom (87%).

	United States	United Kingdom	France	Germany	Japan
Feature phone/Smartphone	78%	87%	74%	76%	96%
Media player with web access	24%	17%	23%	12%	30%
Tablet PC  Slate/Pad	9%	4%	3%	3%	5%
Handheld gaming device	15%	17%	14%	7%	42%
eReader	9%	3%	1%	1%	2%

Table 2. Mobile Internet & Smartphone Adoption: October 2011 (from [4]).

A smartphone contains much of the functionality of a desktop PC, but it also includes radio communications capabilities that desktop PCs typically lack. Communication functionalities include GSM/CDMA radio, Near Field Communications, GPS, Wi-Fi and Bluetooth communication. The high mobility of these devices can be the most important factor in the shift from desktop/laptop computer to smartphones. Unlike laptops or desktop computers, a smartphone can easily fit in a pocket. It is a computer that is easy to use and small enough to be used almost anywhere. A user can browse the Internet, check email, use GPS navigation, and make online payments from personal bank accounts. Hence, a device this capable is also likely to contain personal user data.

There are various ways a user can protect his or her personal information on smartphones. Android and iOS phones can be set up require a login password. Some phones include a data encryption method to protect sensitive data. Also, third-party developers' market mobile protection/encryption software [5] can be installed on both Android and iOS phones. The iPhone has hardware encryption enabled by default for all data stored in memory. There is also a Data Protection API provided by Apple that can be used to implement application-level encryption.

In addition, common smartphones on the market today include some kind of "factory reset" feature. A factory reset is similar to formatting a hard disk drive on a computer system, but the details differ. Formatting deletes all pre-existing partitions and data on the hard drive and creates a new file system. The factory reset is intended to remove everything except pre-installed software, deleting user data in particular.

The following is a list of data that should be erased by the factory reset [6], [7].

·                     User account information (including email address)

·                     User settings for the operating system and applications

·                     Downloaded third-party applications

·                     Downloaded music (.mp3s, .flac, and .aac)

·                     Downloaded images and photos taken by the camera (.jpg, .png)

·                     Other user data (address book/phone book/calendar data)

The data that should be left behind after a factory reset is:

·                     The operating system installed with the smartphone

·                     First-party software (the operating system and associated software of the main vendor) and software (by other vendors authorized by the main vendor) bundled with the operating system

·                     SD card files, as contrasted with files on the main flash memory on the phone

B.                 prior work

Very little academic research has been conducted regarding the correctness of the factory reset feature on smartphones. However, there have been numerous articles on technology websites discussing potential risks [8], [9], [10].  The following are examples of the kinds of data left behind after a factor reset, from the GottaBeMobile: Mobile News & Reviews website:

·                     Porn

·                     Court records

·                     Social Security Numbers

·                     Resumes

·                     College applications

·                     Cookies

·                     Child support documents

·                     Employee records

·                     Bank statements

·                     Credit card statements

·                     Tax returns

·                     Emails

·                     Contact lists

·                     Photos

The authors tested secondhand phones purchased through Craigslist, which they then reset using the factory feature. The article concluded that the factory-reset feature did not work as expected.

Another publication studied the effectiveness of the factory reset for network data structures left on an Android device [11]. The primary question was "Do sufficient residual artifacts exist on mobile devices to extract enough data to identify the device's previous network access points?" The research used controlled data transfers between Android smartphones and multiple network access points (cellular, wireless, and Bluetooth). Residual data left on test devices included "userdata" partitions containing Service Set Identifiers (SSID), wireless-router Subscriber Identity Modules (SIM), DHCP ACKs from wireless routers, and base-station metadata that included the Mobile Network Code (MNC), Mobile Country Code (MCC), Local Area Code (LAC) and Cell Identification (CID), wireless router Media Access control (MAC) addresses, and Bluetooth MAC address of devices paired with the phone. It concluded that the factory-reset feature was not sufficient in deleting user-generated network data.

This thesis expands the research scope by analyzing all user-generated content. It analyzes all types of residual artifacts left behind after a factory reset.  

THIS PAGE INTENTIONALLY LEFT BLANK

III.           digital forensics tools

A.                computer forensics

Computer forensic investigations follow a similar process to other forensic investigations [12]. The process involves acquisition, analysis and reporting of potential evidence involving criminal activity.  The evidence can be collected from any type of storage media. Examples of storage media are:

·                     A hard disk drive from computer system

·                     A CD/DVD/Blu-ray optical disk

·                     A MO magnetic disk

·                     A CF/SM/MMC memory card

·                     A mobile SIM card

·                     A USB flash memory

Forensic tools can be used to acquire data from storage media by physical or logical acquisition. Physical acquisition is a bit-by-bit copy of an entire physical store of data. Logical acquisition is a bit-by-bit copy of the logical storage object such as directories and files.

The National Institute of Standards and Technology provides guidelines for forensic data acquisition and specifications for forensic tools [13]. NIST's Computer Forensics Tool Testing (CFTT) program establishes the methodology for testing computer forensic software. CFTT is part of the Software Diagnostics and Conformance Testing Division which is supported by The Office of Law Enforcement Standards. The project provides a means to help understand the capability, limitations, and validity of computer forensics tools. The tools to be tested are broken up into several categories: disk imaging, forensic media preparation; write-blocking software, write-blocking hardware, and mobile devices.

Disk imaging is the process of making a secure forensically sound copy of digital media that can retain the data for an extended period. "Disk Imaging takes sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism to prove that the copy is exact and has not been altered." [14].

Forensic media preparation is the practice of wiping the target media before storing forensics data onto the forensics examiner's computer. A hard disk drive is usually used as a target media to store collected data. A wiping process prevents collected data on the target media from being "contaminated" by previously collected evidential data. A wipe should completely delete the existing data by overwriting all writable parts of the media. The Unix "dd" command is a common utility used to wipe storage media [15], and it can also be used to wipe data from internal flash memory in mobile phones.   Write blockers are write-protection utilities used in the acquisition of digital forensic data. These utilities enable examiners to create images of media devices without the risk of accidentally writing to the subject media and thereby altering the contents [16].

Several forensic techniques have been developed to help investigations such as string search, memory forensics, file extraction, feature extraction, and cross-drive analysis [17], [18], [19], [20]. These techniques increase the utility of captured data in forensics analysis. Memory forensics analyzes information stored on volatile memory, internal memory inside a computer or mobile device that requires power to maintain. The data stored in the memory changes frequently while the computer or mobile device is operational, which makes it hard to verify the data collected from memory. This can lead to problems if the examiner wants to run the acquisition process more than once [21]. 

String searching is a process of locating specific ASCII or Unicode strings from text files and directories. These strings can be names, phone numbers, email addresses, country codes, IP addresses, or software installed on a system. The examiner can look for any type of key terms or single words, but it can also help spot patterns in a system. Regular expressions can be used to describe patterns in a string. An example regular expression is "/^[a-z0-9_-]/ " which will look for any string that begins (^) with a lower case letter (a-z) followed by any number (0-9) then an underscore and a hyphen.

 

B.                 mobile forensics

Mobile forensics has its own set of acquisition tools [22], [23], [24]. Imaging, forensic extraction, memory forensics, and string searching can all be applied to mobile forensics investigations. However, there are some differences. Hard disk drives can easily be removed from a computer system for data acquisition and analysis, and during this process the hard disk drives can be protected using a write blocker utility. A mobile device cannot be processed the same way because the internal flash memory is usually soldered onto the circuit board, and removing the flash memory may damage it. Most mobile forensics tools do not require for the flash memory to be removed, but connect the phone directly into a forensics hardware tool, or plug the phone into a computer system running the forensics software [25]. The mobile phone architecture is also different from a standard desktop computer. The mobile hardware supports various radio communications like GSM/CDMA, GPS, Wi-Fi, NFC and Bluetooth. This radio communication capability will generate additional user data on the smartphone. The GSM/CDMA and GPS radios store geolocation data. Wi-Fi, NFC and Bluetooth may store user account login information and passwords. User data are locally stored on the smartphone's flash memory. 

C.                mobile forensic tool cellebrite ufed

A commercial forensics tool from Cellebrite was used for the data extraction process in our experiments. The Cellebrite UME-36 Pro is a standalone phone-memory transfer and backup solution that is capable of extracting data from a wide variety of mobile devices [26]. There are three key components for this forensics tool:

·                     Cellebrite UME-36 Pro  – Universal Memory Exchanger 1.2.2.3

·                     Cellebrite UFED Physical Analyzer 3.7.2.0

·                     Cellebrite Phone Detective 1.2

The UME-36 Pro enables logical, password, SIM, file-system, and physical extractions of data from mobile devices. It is a hardware solution for data extraction. The extracted data can be viewed and analyzed with the UFED Physical Analyzer software. UME-36 Pro claims to extract the following data from a smartphone [27]:

·                     Call logs

·                     Contacts

·                     Email

·                     Pattern locks

·                     Bookmarks

·                     Cookies

·                     Text strings from Short Message Service (SMS) / Multimedia Messaging Service (MMS)

·                     Chat messages

·                     Location data including cell tower locations and usage

·                     Web browser history including records of visited websites

·                     Digital photography, digital videos, and audio files

·                     Text files

·                     Deleted data

·                     Wi-Fi including connection times, base service set identifications (BSSId), service set identifiers (SSID), and Security Modes

·                     GPS information added to media files (geotags)

The UFED Physical Analyzer is software for physical extraction. This extraction creates a single binary extraction file for each embedded flash memory chip, or at least by the address range used by the mobile device.  Unlike logical extraction, physical extraction can bypass the device's operating system and extract data directly from the mobile device's internal flash memory. The UFED-extracted data from the device is saved into a hexadecimal file that is later read and decoded using the UFED Physical Analyzer application. The images created from the physical extraction process include files deleted by the operating system or user. The images are saved with an .ufd extension. It provides an overview of the mobile-device data with decoding, analysis, and report generation [28].

The Cellebrite Phone Detective application helps investigators identify a mobile phone by its physical attributes, eliminating the need to start the device and risk device lock or possible data loss. It asks eight key questions regarding the phones' physical appearance. It provides the user with a detailed extraction capability per device, connectivity details and device characteristics [29]. The eight visual elements used to identify device are:

·                     Phone type (candy bar, clamshell, slider, tablet)

·                     Body (connection port, cable, charging socket)

·                     Power button (power, volume, camera, keypad)

·                     Miscellaneous (battery cover type, memory card slot)

·                     Basic (Brand logo: Apple, HTC, Acer, LG / network technology: GSM, CDMA)

·                     Camera (type, location, flash)

·                     Display type (touch, non-touch, stylus)

D.                mobile forensic tool Bulk extractor

The forensics software Bulk Extractor (bulk_extractor-1.4.1-windowsinstaller.exe) [30] was also used for analysis of recovered files. Bulk Extractor is a carving and feature extraction tool that can be used on all kinds of digital media. It can scan disk images (raw, split-raw, EnCase E01, AFF), files and directories to extract useful information without parsing the file system or file system structures. The program can extract phone numbers, email addresses, credit card numbers and URLs from inspection of file contents of any file or file fragments. It can also collect data from compressed files with ZIP and gzip algorithms. The extractor is run on a file system and creates a report directory with feature files. Each feature file contains the location the feature found, the feature itself, and the feature surrounded by its local context (e.g., email.txt, url.txt). The tool is generally used for file identification and cross-drive analysis [31].

E.                 other mobile forensics tools tested

Several other forensics tools were tested for this research project before we selected Cellebrite. Some that offer similar features to the Cellebrite UFED tools were as follows.

viaExtract: This is a mobile forensics tool developed and distributed by viaForensics [32]. It is designed for extracting and analyzing data from Android smartphones. It is distributed as a standalone virtual appliance that runs on a VMware workstation. The pre-installed extraction tools could not properly analyze several Android phones. It would often return an error during the extraction process on our test phones.

Key features:

·                     Temporarily or permanently remove a password/pattern/PIN lock on an Android device running OS 2.2 or higher.

·                     Allow the examiner to forensically image external (SD) and internal (EMMC) storage cards directly from the device.

·                     Allow examiners an additional bypass option on gesture key locked devices.

Oxygen Forensic Suite 2013: This forensics suite is developed and distributed by Oxygen Software [33]. The company specializes in forensic data examination tools for smartphones and mobile devices. The program performed fairly well and could recovery a large number of files (images, video, system files, logs).

Key features:

·                     Displays complete technical information about the mobile device.

·                     Extracts user contact information with all its data: name, occupation, phone numbers, addresses, emails, notes.

·                     Extracts event log data, phonebook, messages (SMS, MMS, Emails, iMessages).

·                     File browser analyzes user phones, videos, documents and device databases.

Recuva: This is a free program developed and distributed by Priform [34]. It is a disk recovery tool that is capable of extracting files deleted or damaged on media devices. The program can recover a large number of files from the internal flash memory of a smartphone. However, the program does not provide an analysis tool for the recovered data. This makes the file analysis very difficult. Several files could not be opened or viewed with the program.

Key features:

·                     Undelete files.

·                     Recover damaged or formatted disks.

·                     Recover deleted emails.

·                     Recover deleted iPod music.

·                     Restore unsaved documents.

·                     Perform deep scan.

 

THIS PAGE INTENTIONALLY LEFT BLANK

IV.           experimentS

A.                controlled experiment with two smartphones

Two smartphones were used for a controlled experiment: an Apple iPhone 4S and a Samsung Galaxy SIII. The following protocol was used to artificially generate data under a controlled environment.

·                     Log into the Android phone with the account forensic.nps@gmail.com, and the iPhone with the account rschwamm@nps.edu.

·                     Connect to NPS wireless network (NGSTV224) and visit 4 websites using default browser

1.                  Nps.edu

2.                  Fark.com

3.                  Yahoo.com

4.                  Npr.org

·                     Take six pictures with built in camera: 6 pictures of the numbers 1, 2, 3, 4, 5, 6. First 3 image files are left unaltered. Second 3 image files manually renamed:

o        testschwamm_pic_4

o        testschwamm_pic_5

o        testschwamm_pic_6

·                     Access files and links from the following website:

http://faculty.nps.edu/ncrowe/testschwamm0114__doc_sample.docx

http://faculty.nps.edu/ncrowe/testschwamm0114__pdf_sample.pdf

http://faculty.nps.edu/ncrowe/testschwamm0114__ppt_sample.pptx

http://faculty.nps.edu/ncrowe/testschwamm0114__wav_sample.wav

 

http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html

http://faculty.nps.edu/ncrowe/testschwamm_0114_pics.html

http://faculty.nps.edu/ncrowe/testschwamm_0114_video.html

http://faculty.nps.edu/ncrowe/testschwamm0114_feat.html

 

·                     Install the following list of software for Android phones:

"Reddit is fun"
https://play.google.com/store/apps/details?id=com.andrewshu.android.reddit&hl=en

Visit 3 postings on www.reddit.com

o   "ELI5: The Amanda Knox Appeal" http://www.reddit.com/r/explainlikeimfive/comments/1wlin9/eli5_the_amanda_knox_appeal/

o   "Why are the wheels of NASA's Mars rover, Curiosity, wearing out?"

http://www.reddit.com/r/askscience/comments/1wnb8s/why_are_the_wheels_of_nasas_mars_rover_curiosity/

o   "Hey, I am Nikki Sixx from Motley Crue, AMA"

http://www.reddit.com/r/IAmA/comments/1wnsxv/hey_i_am_nikki_sixx_from_m%C3%B6tley_cr%C3%BCe_ama/

 

"Facebook"

https://play.google.com/store/apps/details?id=com.facebook.katana&hl=en

Login and browse.

 

"Google Drive"

https://play.google.com/store/apps/details?id=com.google.android.apps.docs&hl=en

Login/sync and open 3 files

o   testschwamm_ppt1.pptx

o   testschwamm_ppt2.pptx

o   testschwamm_ppt3.pptx

 

"DropBox"

https://play.google.com/store/apps/details?id=com.dropbox.android&hl=en

Login/sync and open 3 files

o   testschwamm_doc1.docx

o   testschwamm_doc2.docx

o   testschwamm_doc3.docx

 

"Youtube"

https://play.google.com/store/apps/details?id=com.google.android.youtube&hl=en

Login and watch 3 videos

o   ‘PSY-GANGNAM STYLE' http://www.youtube.com/watch?v=9bZkp7q19f0

o   ‘GIFs, now with sound!' http://www.youtube.com/watch?v=CgVpR4KdLRA

o   ‘BEST DUBSTEP CAT!' http://www.youtube.com/watch?v=i4SSoWEw5CI

 

"Audible"

https://play.google.com/store/apps/details?id=com.audible.application&hl=en

Login and download/listen to 3 excerpts

o   Bossypants (Excerpt)

o   The Hunger Games (Excerpt)

o   Matterhorn (Excerpt)

 

"Kindle"

https://play.google.com/store/apps/details?id=com.amazon.kindle&hl=en

Login and open 3 PDF files

o   testschwamm_article1.pdf

o   testschwamm_article2.pdf

o   testschwamm_article3.pdf

·                     Upload a text document ‘testschwamm_password.txt' to root directory of each phone.

·                     Upload zip file containing above text named ‘testschwamm_userdata.zip' to root directory of each phone

·                     Use the following list of pre-installed software on iPhone:

 

"Youtube"

Login and watch 3 videos

o   ‘PSY-GANGNAM STYLE' http://www.youtube.com/watch?v=9bZkp7q19f0

o   ‘GIFs, now with sound!' http://www.youtube.com/watch?v=CgVpR4KdLRA

o   ‘BEST DUBSTEP CAT!' http://www.youtube.com/watch?v=i4SSoWEw5CI

 

                        "Notes"

Create 3 note entries

o   DVD Movie List

o   Shopping List

o   Test date and homework due date

 

                        "Remind Me"

            Create 3 reminders different dates

o   ‘Reminder 1' ‘02/01/2014 5:00PM'

o   ‘Reminder 2' ‘03/03/20145 7:00AM'

o   ‘Reminder 3' ‘04/05/2014 11:00AM'

The phones were not password protected by the user and no data intentionally encoded or encrypted by the phone. Following use, a factory reset was performed through the phone's setup menu under "Privacy" or "Backup & Reset". The reset menu lists all data that will be erased in the process (User account, system and application data and settings, downloaded applications, music, pictures and other user data). The user did not have any selectable options for the reset on any of the phones. The process takes a few minutes after which the phone restarts and resumes normal operation.

Following factory reset, the phones were images with the UME-36 Pro and UFED Physical Analyzer. All images were saved in the tools proprietary format (.ufd).

A total of 61,276 files were recovered from the pre-wipe for the iPhone and 43,165 from the post-wipe. 42,728 files matched path and contents from both pre-wipe and post-wipe. Partial matches were deleted which produced 17,914 pre-reset files and 115 post-reset files that did not match. 36,292 files had a zero size from the pre-wipe and 36,319 files had zero size from the post-wipe. Executable ".app" files found pre-wipe were 24,862, and 8,062 post-wipe. Files relating to the operating system were 29,812 pre-wipe and 27,621 post-wipe. 

Overall, the reset did a good job of removing third-party software. All the picture images and text documents were deleted by the reset with the exception of some cache and settings information (YouTube, Facebook).

The Bulk Extractor was used for string search. A number of preference and configuration files were recovered after the reset but none containing the keywords. "Preferences" can include private user information [35], but none were seen in the ".plist" preference files.  Table 3 lists some sample files remaining after the reset that could be interesting for forensic investigations. The indirect information can be collected and used to profile a user. A forensic investigator could determine where and how the device was used.

 

File	Description
System/InnsbruckTaos11B554a.N90OS/System/Library/PrivateFrameworks/Preferences.framework/SupplementalLocaleData.plist	Location and language settings
System/InnsbruckTaos11B554a.N90OS/usr/share/mecabra/ja /rerank.dat	Resource rankings?
Data/Data/Keychains/keychain-2.db	Keys
Data/Data/logs/lockdownd.log	Security event log
Data/Data/mobile/Applications/B8AD4B05-2518-4570-8447-7BE2BFDA8F9F/Library /Preferences/com.apple.mobilesafari.plist	Browser preferences
Data/Data/mobile/Library /BulletinBoard/SectionInfo.plist	Bulletin board index
Data/Data/mobile/Library /Caches/com.apple.springboard /Cache.db-wal	Screen cache for user "wal"
Data/Data/mobile/Library /Cookies/com.apple.itunesstored.2.sqlitedb	Cookies for iTunes
Data/Data/mobile/Library/Mail /Content Index	Mail keywords
Data/Data/mobile/Library/Maps /Bookmarks.plist	Map bookmarks
Data/Data/mobile/Library /Preferences/com.apple.identityservicesd.plist	Account information
Data/Data/mobile/Media /PhotoData/changes-shm	Incremental photo data
Data/Data/root/Library/Caches /locationd/consolidated.db	Location data
Data/Data/tmp/MediaCache /diskcacherepository.plist	Disk cache information

   Table 3. Sample files from post-wipe iPhone

A total of 5,141 files were recovered from the pre-wipe for the Android phone and 3,578 from the post-wipe. 3,292 files matched path and content from both pre-wipe and post-wipe. Partial matches were deleted which produced 968 pre-wipe and 65 post-wipe that did not match. 227 files had a zero size from the pre-wipe and 278 files had zero size form the post-wipe. Executable ".apk" files found pre-wipe were 396, and 277 post-wipe. Other executable files such as ".dex" files went from 140 pre-wipe to 121 post-wipe. ".so" files from 302 to 254. The reset did not delete any picture images taken with the camera. None of the created text files (.txt, .doc, .pdf, .ppt) was removed. Cache and deleted copies of these file and image components were also not erased. Third-party applications were deleted. However, following the wipe we could recover files from the Kindle and DropBox applications that belonged to the user. These files should have been deleted along with the application. The fact that files from deleted applications were found post-wipe implies that the wipe process explicitly deleted files, a topic that we will return to in Chapter V.

The Bulk Extractor was used again for additional string search. Website links were all deleted in the reset. However, the links for the four visited websites were found in various files pre-wipe. A total of 116 links were found pre-wipe. It is unclear why there were so many duplicate links saved on the phone. The wipe left most of the operation system files intact just like the iPhone reset. Table 4 lists some sample files remaining after the reset that could be interesting for forensic investigations.

File	Description
CACHE/Root/recovery /last_log	Recovery log
SYSTEM/Root /addon.d /blacklist	Four MD5 hash values
SYSTEM/Root/etc/apns-conf.xml	Phone carrier IP address
SYSTEM/Root/etc /audio_policy.conf	Attached audio devices listing
SYSTEM/Root/etc/gps.xml	GPS settings
USERDATA/Root/backup /pending/journal2114683955.tmp	Data backup
USERDATA/Root/data/com.android.providers.calendar/databases/calendar.db	Calendar data
USERDATA/Root/data/com.android.deskclock/databases/alarms.db	Alarm data
USERDATA/Root/media/0 /amazonmp3/temp/log.txt	Log file of Amazon Cloud Player
USERDATA/Root/media/0/Android/data/com.andrew.apollo/cache/ImageCache/3910b1e0ccab19bc46fd9db27cca49c9.0	Image cache data
USERDATA/Root/media/0/iPhone3G.2013-11-07.16-39-30/Email/108/478/1256.sql	Database script of ours, unclear how it got here
USERDATA/Root/misc /wifi/softap.conf	Access point data
USERDATA/Root/system/users/userlist.xml	User ID information
USERDATA/Root/drm /fwdlock/kek.dat	Lock data
USERDATA/Root/media/0/And-roid/data/com.dropbox.android /files/scratch/09thesis_regan.pdf	Document of previous phone user

  Table 4. Sample files from post-wipe Android phone

Some smartphones provide several variations for reset. A "hard reset" can be performed by using the hardware keys (by a procedure specific to each device). Newer iPhones provide the additional reset options "Reset All Settings," "Reset Network Settings," "Reset Keyboard and Dictionary," "Reset Home Screen Layout,, and "Reset Location and Memory".  All of these options were used and a new post-wipe image was generated. These options deleted an additional 222 files from the phone but did not delete any files listed in Table 3. The additional reset options did not produce any significant further deletions.

The hard reset on the Android phone gave an additional option for a "cache reset". This option was used and a new post-wipe image was generated just like the iPhone. It did not delete any text and media files put on the device; it only deleted the sixth file of the files in Table 4. Four files with the "db" extension were deleted. The reset added an additional six files (two Bluetooth cache, four "telephony"), but did not do much beyond the regular reset.

B.                 Experiment and data Extraction

Two sets of smartphones were used for the main experiment. The first set of Apple iPhone images was created by the UME-36 Pro and UFED Physical Analyzer. These images were taken from the Real Data Corpus [36], a large-scale forensic corpus. All images were generated from legally obtained smartphones used by real people. The second set was of various smartphones (iPhone, Android, Blackberry) that had been used for other research projects at our school. These phones did not have a SIM card installed on them. SIM cards contain a unique identification number associated with the user's mobile account and contain the phone number, security data and billing information; phone calls cannot be made without a SIM card, but otherwise the phone will function normally. A few of the phones came with a custom Android operating system (CyanogenMod 10.1), a custom aftermarket firmware based on the Android Open Source Project [37] [38]. The same protocol was used to generate data but no accounts were associated with the Blackberry phones. A Python script was written to convert the Cellebrite proprietary XML report format to the forensic metadata standard DFXML [39]. A taxonomy created [40] was used to classify files by extension and directory path. The full list of smartphones and the status is listed in Table 5.

 

#	Smartphone	OS Version	Readiness
I1	Apple iPhone 4	iOS 5.1.1	OK
I2	Apple iPhone 4	iOS 5.1.1	OK
I3	Apple iPhone 2	iOS 3.1.3	OK
I4	Apple iPhone 2	iOS 3.1.3	OK
I5	Apple iPhone 2	iOS 3.1.3	OK
I6	Apple iPhone 2	iOS 3.1.3	OK
I7	Apple iPhone 2	iOS 3.1.3	OK
I8	Apple iPhone 2	iOS 3.0	OK
I9	Samsung Galaxy SIII	CyanogenMod 10.1	Hard reset
A10	Samsung Nexus	CyanogenMod 10.1	OK
A11	Samsung Galaxy Anycall	Android 1.5	OK
A12	Motorola Atrix 4G	Android 2.2	OK
A13	HTC Droid Eris	Android 2.1	OK
A14	HTC Magic	Android 1.6	Hard reset
A15	HTC Flyer (tablet)	Android 3.2	OK
A16	HTC One	Android 4.1	OK
B17	BlackBerry 8900 Curve	BlackBerry OS 4	Unusable after reset
I18	Apple iPhone 4S	iOS 5.1.1	OK
I19	Apple iPhone 2G	iOS 3.13	Unusable without SIM card
B20	BlackBerry 8100 Pearl	BlackBerry OS 4.5.0.174	OK
B21	BlackBerry 8300 Curve	BlackBerry OS 4.5.0.162	OK
A22	Motorola FIRE	Android 2.3.4	Unrecognized by Cellebrite
A23	Huawei U8500	Android 2.1	OK
A24	Huawei  U8150 IDEOS Comet	Android 2.2	Unusable after reset
A25	Dell XCD35	Android 2.2	OK
I26	Apple iPhone 2	iOS 3.1.3	Unusable after reset
A27	Motorola Charm	Android 2.1	Totally dead
p28	LG-500GHL	Unknown	Unrecognized by Cellebrite

Table 5. Full list of smartphone and status (from [41], [42]).

Table 6 list the total counts of pre-wipe and post-wipe files. A large number of files were not affected by the reset. There were four types of partial matches between pre-wipe and post-wipe files (File name and hash, Hash only, File path only, Path ignoring digits). Several unmatched files were found post-wipe which appear to be new records created by the operating systems activity and reset feature. The factory reset does not completely wipe a device. Several files are removed during the reset but others are just renamed and additional new files are added after the reset.

 

File count type	Pre-reset	Post-reset
Total files	349,915	200,987
iPhone files	299,058	176,907
Android files	50,846	24,058
Exact matches pre-wipe and post-wipe	140,320	140,320
Subsequent matches on filename and hash value but not all directories	34,228	36,540
Subsequent matches on hash value alone	9,269	12,911
Subsequent matches on full path alone	2,849	2,836
Subsequent matches on full path ignoring digits alone	6,448	256
Remaining unmatched	156,801	8,124

Table 6.  Summary data from 21 smartphones

The file taxonomy was used to further investigate what types of files are being removed in the reset. The full results are listed in Table 7. Each file path is classified by file extension (E) and directory name of the file (D). 8,346 extensions and 6,445 directory names have a classification. The rest are labeled as "miscellaneous". Extensions that are longer than 10 characters are ignored.

The reset appears to focus on video and picture images, text documents, copies and temporary files, disk images, log files, XML documents and gaming applications. There is a smaller emphasis on database files, compressed data, audio, source code and data directories. The reset seem to target applications, picture images and temporary files, but not as focused on long-term user data. The reset does not remove explicitly deleted and zero-size files (which have no content but do have filename and dates). Zero-size files may not be useful for the applications, but could provide partial user information. An empty log file could indicate the user is not using a particular category or parameter in an application.  

A clear time pattern could not be created because the phones were used in various time periods. The Physical Analyzer software also created some issues while analyzing the recovered data. Different versions of the Physical Analyzer would produce different results from the same image. The file access and creation time would be reported differently depending on the Physical Analyzer version, and the root directory name would change between two different Physical Analyzer versions.

 

  Table 7. File type counts before and after the factory reset.

(*) Paths containing the word ".DELETED" were found on the phone.

The data collected from the Physical Analyzer are listed in Table 8 and 9. The Physical Analyzer categorizes each data type and groups.

Phone Data:

·                     Application Usage: Applications name, number of launches, activations, active time, and date

·                     Call Log: Caller phone number, time stamp, duration, and type (incoming/outgoing/missed).

·                     Contacts Cookies: Contacts name, organizations, phone number, emails, other entries, notes, and addresses.

·                     Installed Applications: Application name, version, identifier, App ID, purchase date, and delete date.

·                     IP Connections: Timestamp, domain, router address MAC address, Cellular WAN, Device IP, DNS address, and service name.

·                     Locations: Timestamp, position, and name.

·                     Maps: Source, zoom level, and tiles.

·                     Passwords

·                     SMS messages: Timestamp, folder (drafts, inbox, sent), phone number, text string, and status (unsent, sent, or read).

·                     User Accounts: Name, user name, password, and service type.

·                     User Dictionary: Word, locale, and bookmark note.

·                     Wireless Networks: Last connected, BSSId, SSId, and Security Mode

 

Data Files:

·                     Picture Images (png, jpg), Audio (wav, mp3), Text (html, txt, xml), Databases (db, sqlite3, itdb), Configuration (plist), or Application (jar, apk, ipa).

·                     Name, path, size, metadata, created, modified, accessed, and bookmark note.

 

 

Table 8. The number represents user data and system data on smartphones part 1.
(post-wipe/pre-wipe) I=iPhone, A=Android, B=BlackBerry

 

 

  Table 9. The number represents user data and system data on smartphone part 2
(post-wipe/pre-wipe) I=iPhone, A=Android, B=BlackBerry

 

C.                Issues with the smartphones

The factory reset was performed without any problems on most of the smartphones. However, on the HTC Magic (A14) and Samsung Galaxy SIII (A9) the smartphones locked up after the reset. The HTC Magic was running a standard Android 1.6 operating system and the Samsung Galaxy SIII was running a custom CyanogenMod 10.1 operating system. A hard reset on the HTC Magic and a custom reset had to be performed on the Samsung Galaxy SIII running CyanogenMod 10.1 to recover normal operations. Holding down the volume up button and the power button at the same time performs a hard reset, but does not remove any applications or user data from the smartphone. After the hard reset the factory reset did not cause any further problems. The cause of the lockup could not be determined.

The factory-reset on the BlackBerry 8900 Curve (B17), Huawei U8150 Comet (A24) and Apple iPhone 2 (I26) made the devices unusable after the restart. The device could not be properly restarted or became unstable. The Motorola Charm (A27) could not be charged or booted and appeared to be unusable.

The HTC Eris (A13) could not be properly processed without a micro SD card and installed on the phone. The Apple iPhone 2G (I19) could not be used without a SIM card. Both the UME36-Pro and UFED Physical analyzer returned an error when there was no micro SD or SIM card in the phone. A compatible micro SD/SIM card was not available at the time of the experiment. These two phones were the only ones that produced this error. The cause of the error could not be determined. 

The Motorola FIRE (A22) and LG-500GHL (p28) was not recognized by Cellebrite. The Motorola FIRE is running the Android OS 2.3.4 and is officially supported by UFED Touch Ultimate. The LG-500GHL is a prepaid phone with a proprietary operating system by LG. None of the forensics tools tested was able to identify or extract data from these phones. This could be due to the proprietary operating system installed on the LG phone.

 

The HTC One returned the same results for most of the tools tested. There is an important difference between the HTC One and the other smartphones used in this project. When a smartphone is connected (via USB) to a computer system it is mounted as a USB mass storage device. The HTC One and several newer Android phones (4.0 and up) are connected using a different protocol developed by Microsoft called the Media Transfer Protocol (MTP) [43]. The computer sees the attached smartphone as a media player while connected with MTP. The different mounting protocols created conflict with the forensics tools used for this project. However, during this research project we were able to gain access to a newer Cellebrite hardware solution, the Cellebrite UFED Touch Ultimate [44], an updated version of the UME-36 Pro. It provides a touchscreen interface with Windows XP running as the base operating system. It provides the same functionality with a wider range of supported mobile devices. The UFED Touch Ultimate is capable of extracting data from MTP devices and was used for the HTC One (A16). 

D.                data analysis With the Physical analyzer

A list of extracted data was created and viewed in the Physical Analyzer application. All phones listed in Table 8 and 9 were used (Android, IPhone, BlackBerry). Phone data (traditional telephone usage information) in both sets was almost completely removed after a factory reset, including:

·                     Call log

·                     Contacts

·                     Cookies

·                     IP connections

·                     SMS

·                     Maps

·                     Password

·                     User directory

Application Usage data were limited to system applications and did not contain any user information. System applications are indicated by the identifier com.apple.XX for iOS and com.google.XX for Android. A list is generated by the Physical Analyzer.

Installed Applications data left on the phones were default first-party applications such as maps, YouTube, mobile mail, calculator, weather, preferences, and mobile notes. The same system application identifiers were used to verify first-party applications. There were no third-party applications left on the phones after a factory reset. However, the number of installed applications on post-wipe phones varied. The Physical Analyzer could not identify any user-installed applications on the I7 and I8 iPhones after the factory reset. The system applications and first-party applications are not supposed to be removed after a factory reset. The Physical Analyzer showed zero entries after the wipe. This means the UME-36 Pro could not properly identify the applications. The reasons are unknown as to why the UME-36 Pro failed to identify the installed applications.

Location data were only left on the I6: Apple iPhone 2. The data contained latitude and longitude  (18.47717, 73.87550 – Pune, India) information for a cell tower and a time stamp (3/24/2011 7:44:24AM). This can be considering sensitive user information since it reveals the time, date, and location of where the user has been.

User Accounts and Wireless Networks data was recovered from a number of phones but it did not contain any identifiable information. Entries were listed in the Physical Analyzer but it did not contain any data (user name, email, BSSId, SSId, password). It identified a previously existing account, but could not recover any additional user or network data. The account information could have been encrypted or encoded after the reset.

JPEG and PNG image files were not removed from any of the Android phones by the factory reset. All picture images (downloaded, camera, and browser thumbnails) are supposed to be removed after a reset. All picture images were left on those phones untouched and were still viewable within the smartphone. The 6 images added before the reset was also left untouched and viewable in the smartphone. The iPhones did a better job at wiping the images and none of the image files including thumbnails were viewable after the factory reset. However, the metadata (name, file path, size, created, modified, accessed) for the images were still viewable in the Physical Analyzer.

Audio data was not removed from any of the Android set, including .wav audio files from applications and user-downloaded files (.mp3). The iPhone set deleted most of the audio files, but some .wav files were still recoverable. The files recovered from the iPhones included system audio files (e.g. ring tones) and notification sound clips that had been installed by third-party software. All recovered audio files could be played back on a media player.

Text data were not removed from any of the Android set. The file types that were recognized as data were files with .txt and .xml extensions.  The iPhones did delete some text files, but the same types of files were recovered.  Recovered .xml files contained readable string data such as domain names and IP addresses associated with user activities. Text files contained various notes or memos created by the user.

Database data (.db, sqlite, .sql) recovered from both sets contained no data. The results were similar to the user accounts data and wireless network data. The metadata (name, file path, size, creation time, modification time, and access time) was viewable after the factory reset but no data was stored in the files. 

Configuration data recovered from the iPhones only contained system-file access data. The access information appears to be the same data as the Applications files. Data was not recoverable from any of the Android set, but this could be due to the fact that the same information is already in the Applications files. The recovered data did not contain any user information.

Applications data only contained information from first-party software installed on the phone. The data contained various framework, library, and plug-in information for system software. No user data was stored in the applications files. The application data on the A16 Android phone contained user account information before the wipe. The Physical Analyzer labeled it as installed applications. This was the only data that was mislabeled. The data was cleared after a reset and did not contain any user account information. It is unclear why the Physical Analyzer mislabeled this information.  

Each file that contained user-generated data was counted and summarized in Table 10 and Table 11. The numbers indicate the total number of files found with user data.

 

	I1	I2	I3	I4	I5	I6	I7	I8
Data Files:
Images	0	0	0	0	0	0	0	0
Audio	0	0	1	0	0	0	0	0
Text	1	2	5	7	1	1	1	1
Databases	0	0	0	0	0	0	0	0
Configurations	0	0	0	0	0	0	0	0
Applications	0	0	0	0	0	0	0	0

Table 10. User data files found in the smartphones part 1

 

	A9	A10	A11	A12	A13	A14	A15	A16	I18	A20	B21	A25
Data Files:
Images	5	61	10	1698	42	15	5	616	0	0	0	6
Audio	0	0	0	0	0	2	0	15	0	0	0	0
Text	1	4	1	7	0	0	1	0	1	0	0	4
Databases	0	0	0	0	0	0	0	0	0	0	0	0
Configurations	0	0	0	0	0	0	0	0	0	0	0	0
Applications	0	0	0	0	0	0	0	0	0	0	0	0

  Table 11.  User data files found in the smartphones part 2

E.                 string searching with Linux grep command

·                     String searching was used for additional analysis of recovered files. During the analysis process with the Physical Analyzer, we searched for some keywords of interest in data files:

·                     password

·                     root certificate

·                     hash

·                     cert

·                     SHA1

·                     MD5

·                     SSL

The standard Linux grep [45] command was used to search for the keywords.

The A10 Android phone was the only one that returned a value with the "password" keyword, and this should have been deleted by the factory reset. This is one of the phones with a custom CyanogenMod 10.1 installed. An .xml file under the Cyanogen system directory contained several entries with website URLs and user names with passwords stored in clear text that should have been deleted. The other phones did not contain any password information. All phones returned at least one file that contained the "root certificate" phrase. The files contained characters varying in length between 115-144. It is unclear if this is the default trusted certificate installed with the operating system or if it is part of third-party software that used certificates. In the latter case the data should have been deleted. The information included in the files could not be identified as user data. Searches for the strings "hash", "cert", "SHA1", "MD5", and "SSL" did not return any significant results. These keywords only occurred in configuration files, which did not contain any user data.

Searching for the "hash" keyword did not return anything significant, but searching for "HASH" returned some interesting results. The "HASH" keyword still occurred in configuration files for iPhones but the files were always associated with an application called Rocky Racoon on the iPhones I3, I4, I5, I6, I7, and I8. This application is used exclusively with jailbroken iPhones [46]. Jailbreaking is the process of using a hardware or software exploit to break the restrictions on the iPhones file system [47]. A jailbroken iPhone grants the user root access to the iOS operating system. Once the iPhone is jailbroken it can be freely modified. The user can install unauthorized third-party applications, plugins and themes on the iPhone. It also allows the user to switch mobile carriers without any restrictions. Jailbreaking a phone also exposes the user to various security risks. Unauthorized software runs the risk of damaging or disabling the iPhone. This may have affected the data on the iPhones. It is not clear if these iPhones have been jailbroken. However, there is a high chance they were since the Rocky Racoon software is only used with jailbroken iPhones.

F.                 data analysis With bulk extractor

The Bulk Extractor tool (Ver. 1.4.1: Windows installer with GUI) was used to verify some of the user data generated from the experiment procedures. The smartphone images created from the physical extraction process (.ufd) were not compatible with Bulk Extractor and needed to be converted. A full dump of the file system was created from the .ufd images using the Physical Analyzer. Each .ufd image generated a directory of files, which was run on the Bulk Extractor.

The ‘url_histogram.txt' generated by the extractor showed that all website (youtube.com, facebook.com, reddit.com, faculty.nps.edu) links were deleted in the reset. Duplicate links for the four visited websites (nps.edu, fark.com, yahoo.com, npr.org) were found in various files on pre-wipe iPhones. It is unclear why there were duplicate links saved on iPhones. None of the other phones contained multiple copies of the same links.

Preference and configuration files (.plist) were recovered from most of the phones except for the BlackBerry phones (B20, B21) after the reset. None of the files contained user information. Setting information was checked in the ‘json.txt' file generated by the extractor.

The zip file uploaded to the root directory ‘testschwamm_userdata.zip' was not deleted from any of the Android phones and the text file ‘testschwamm_password.txt' can be viewed in the ‘zip.txt' generated by the extractor.

During the keyword search several files containing the word ‘DELETED' appeared in the ‘Feature File' results window. The Bulk Extractor displayed some text files (.txt) that included the word ‘DELETED' as part of the file name. None of these files contained any readable data and were all located at the top-level directory. The Physical Analyzer could not find any of these tagged files. It became clear that further investigation was needed to determine if any more user-generated data were not properly identified by the Physical Analyzer. The following common file extensions [48] were used for a string search against the full file system dump. The same grep command was used to search for these common file extensions.

·                     Text files (doc, docx, log, msg, odt, pages, rtf, tex, txt, wpd, wps)

·                     Data files  (csv, dat, gbr, ged, ibooks, key, keychain, pps, ppt, pptx, sdf, tar,

·                     tax2012, vcf, xml)

·                     Audio files (aif, iff, m3u, m4a, mid, mp3, mpa, ra, wav, wma)

·                     Video files (3g2, 3gp, asf, asx, avi, flv, m4v, mov, mp4, mpg, rm, srt, swf, vob

·                     , wmv)

·                     3D image files (3dm, 3ds, max, obj)

·                     Raster image files (bmp, dds, gif, jpg, png, psd, pspimage, tga, thm, tif, tiff, yuv)

·                     Vector image files (ai, eps, ps, svg)

·                     Page layout files (indd, pct, pdf)

·                     Spreadsheet files (xlr, xls, xlsx)

·                     Database files (accdb, db, dbf, mdb, pdb, sql)

·                     Executable files (apk, app, bat, cgi, com, exe, gadget, jar, pif, vb, wsf)

·                     Game files (dem, gam, nes, rom, sav)

·                     CAD files (dwg, dxf)

·                     GIS files (gpx, kml, kmz)

·                     Web files (asp, aspx, cer, cfm, csr, css, htm, html, js, jsp, php, rss, xhtml)

·                     Plugin files (crx, plugin)

·                     Font files (fnt, fon, otf, ttf)

·                     System files (cab, cpl, cur, deskthemepack, dll, dmp, drv, icns, ico, lnk, sys)

·                     Settings files (cfg, ini, prf)

·                     Encoded files (hqx, mim, uue)

·                     Compressed files (7z, cbr, deb, gz, pkg, rar, rpm, sitx, tar.gz, zip, zipx)

·                     Disk image files (bin, cue, dmg, iso, mdf, toast, vcd)

·                     Developer files (c, class, cpp, cs, dtd, fla, h, java, lua, m, pl, py, sh, sln

·                     , vcxproj, xcodeproj)

·                     Backup files (bak, tmp)

·                     Miscellaneous files (crdownload, ics, msi, part, torrent)

Each extension was used as a search term against both sets of smartphones. All files that matched the keywords were checked for user data. The numbers include both user data and system data (Table 12 & 13).

	I1	I2	I3	I4	I5	I6	I7	I8
Text Files	54/55	54/55	8/252	20/53	12/148	8/40	8/11	15/50
Data Files	406/406	403/406	73/355	115/91	73/1501	73/107	73/73	73/147
Audio Files	2007/2007	2007/2007	20/2673	20/63	20/1298	20/1162	20/20	20/1190
Video Files	0/0	0/0	0/9	0/0	0/9	0/95	0/0	0/9
3D Image Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Raster Image Files	71/71	71/71	3/54	2/4	2/2	2/2	2/2	2/4
Vector Image Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Page Layout Files	18/18	18/18	7/28	14/14	7/7	7/26	7/7	7/13
Spreadsheet Files	0/0	0/0	0/0	0/0	0/1	0/1	0/0	0/0
Database Files	79/80	80/87	15/52	60/60	15/47	14/51	15/16	15/58
Executable Files	3/3	3/3	2/10	2/6	2/5	2/4	2/2	2/6
Game Files	2/2	2/2	2/5	2/2	2/4	2/2	2/2	2/2
CAD Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
GIS Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Web Files	211/211	212/212	13/13	14/14	12/13	12/12	12/12	12/12
Plugin Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Font Files	66/66	66/66	56/56	47/47	56/56	56/56	56/56	56/56
System Files	5/5	6/6	2/2	2/2	2/2	2/2	2/2	2/2
Settings Files	0/0	0/0	0/2	0/0	0/4	0/38	0/0	0/1
Encoded Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Compressed Files	2/2	2/2	7/7	0/1	0/5	0/1	0/1	0/1
Disk Image Files	87/87	87/87	8/339	14/14	8/119	8/35	8/8	8/59
Developer Files	18/18	19/19	1/10	1/9	1/17	1/1	1/7	1/11
Backup Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0
Misc Files	0/0	0/0	0/0	0/0	0/0	0/0	0/0	0/0

    Table 12. Search result (post-wipe/pre-wipe) part 1

A9

A10

A11

A12

A13

A14

A15

A16

I18

A20

A21

A25

Text Files

1/1

14/14

1/1

141/142

0/0

0/0

1/1

0/0

54/55

0/0

0/0

66/552

Data Files

0

50/50

0/0

66/66

1/1

0/0

0/0

0/0

406/406

0/0

0/0

374/2479

Audio Files

0/0

1/1

1/1

68/68

0/0

2/2

0/0

0/0

2007/2007

0/0

0/0

1/1

Video Files

0/0

5/5

0/0

6/6

10/10

5/5

0/0

0/0

0/0

0/0

0/0

0/0

3D Image Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Raster Image Files

5/5

716/716

11/11

1938/1938

42/42

15/15

5/5

616/616

71/71

0/7

0/3

70/88

Vector Image Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Page Layout Files

0/0

0/0

0/0

39/39

0/0

0/0

0/0

0/0

18/18

0/0

0/0

0/0

Spreadsheet Files

0/0

0/0

0/0

0/1

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Database Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

80/87

0/0

0/0

0/0

Executable Files

0/0

95/95

0/0

7/7

3/3

1/1

0/0

0/0

3/3

0/0

0/0

75/77

Game Files

0/0

1/1

0/0

0/0

0/0

0/0

0/0

0/0

2/2

0/0

0/0

0/0

CAD Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

GIS Files

0/0

0/0

0/0

69/69

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Web Files

0/0

4/4

0/0

0/0

0/0

0/0

0/0

0/0

212/212

0/0

0/0

0/0

Plugin Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Font Files

0/0

39/39

0/0

1/1

0/0

0/0

0/0

0/0

66/66

0/0

0/0

0/0

System Files

0/0

3/3

0/0

0/0

0/0

0/0

0/0

0/0

6/6

0/0

0/0

0/0

Settings Files

0/0

1/1

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Encoded Files

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

Compressed Files

0/0

22/22

0/0

20/20

6/6

0/0

0/0

0/0

2/2

0/0

0/0

3/3

Disk Image Files

0/0

15/15

0/0

0/0

0/0

0/0

0/0

0/0

87/87

0/0

0/0

0/0

Developer Files

0/0

10/15

0/0

22/22

0/0

0/0

0/0

0/0

19/19

0/0

0/0

12/12

Backup Files

0/0

13/13

0/0

24/25

0/0

0/0

0/0

0/0

0/0

0/0

0/0

177/1018

Misc Files

0/0

0/0

0/0

0/1

0/0

0/0

0/0

0/0

0/0

0/0

0/0

0/0

  Table 13. Search result (post-wipe/pre-wipe) part 2