Perfect Acquisition Part 1: Introduction

March 28th, 2023 by Elcomsoft R&D
Category: «General»

Forensic acquisition has undergone significant changes in recent years. In the past, acquisition was relatively easy, with storage media easily separable and disk encryption not yet widespread. However, with the rise of mobile devices and their built-in encryption capabilities, acquiring data has become increasingly challenging. Traditional approaches like disk dumps are no longer feasible, and software exploitation has become the industry standard. Even with these methods, mobile acquisition has limitations, including the need to collaborate with the device and the possibility of hardware defects or deliberate data tampering. As a result, there is a need for continuous innovation in forensic acquisition to address these challenges and ensure accurate and reliable data collection.

Forensic acquisition in the past

In the early days, forensic acquisition was easy. Storage media was easily separable, and disk encryption wasn’t common. You simply took out the hard drive from the computer, made a bitwise copy of it, and you were done with the acquisition step. The data could then go to the analysis phase.

Nowadays, things are very different. Looking at mobile devices like phones and tablets, flash storage media is soldered directly onto the device mainboard and is not easily separable. Furthermore, widespread disk encryption prevents access to data, even if one were to go through lengthy efforts to desolder the flash.

With traditional desktop disk encryption, you could decrypt the data on any machine assuming you know the key or even crack the key on a high-performance GPU cluster if you don’t know it. However, on mobile devices, hardware encryption engines with fused unique device keys and security co-processors make it very difficult to access those keys.

With those keys out of reach, brute-forcing unknown passcodes becomes time-consuming or sometimes even impossible. Either way, in most cases, code execution on those extremely well-protected devices is required to be able to access the data.

Modern mobile forensics

As classical forensic disk dumps became infeasible and running some kind of software on the target device became a must, the forensic industry shifted to other, less ideal means of accessing the data. The easiest solution to the problem is to create a backup where the device cooperates and sends out the data already decrypted. However, this approach usually requires being already fully authenticated and even then doesn’t send all of the device data.

Another approach is to exploit the device through software vulnerabilities and access the data from a running system with higher privileges. In fact, this approach became the industry standard, as it’s most of the time the only viable way to access the data.

Many solutions on the market exist that share the general idea but differ in how the method is applied in practice. For example, one can remotely install a trojan and access the data when the legitimate user unlocks the device. While this is the shadiest, it’s unfortunately one of the most common ways to access data nowadays. Another very similar method is to install an application on a seized device in physical possession, which uses software vulnerabilities to exploit the operating system, elevate privileges, and retrieve the data. The downside of this is that it often requires already knowing the passcode to install the application in the first place.

Sometimes very powerful exploits exist for a particular device, which compromise the security of the device at a very early stage, allowing for the execution of fully custom code, which, in theory, removes the need to rely on any unknown code at all.

Current limitations of mobile acquisition

Many of the methods (sometimes unavoidably) alter some of the data on the device during operation, for example by generating log entries. Most of the time, it is not possible to create two complete dumps of the device that are identical, thus breaking the core principle of forensically sound acquisition (repeatability).
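One way to check repeatability between two acquisitions of the same device is to compare the images block by block and record where they diverge. This is an added example, not code from the original post; the file names, the 4096-byte block size and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # comparison granularity in bytes (assumed; match the media's block size)

def compare_dumps(path_a, path_b, block=BLOCK):
    """Return (sha256_a, sha256_b, ranges); ranges are [first, last] differing block indexes."""
    h_a, h_b = hashlib.sha256(), hashlib.sha256()
    ranges, idx = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(block), fb.read(block)
            if not a and not b:
                break
            h_a.update(a)
            h_b.update(b)
            if a != b:  # also true when one image is shorter than the other
                if ranges and ranges[-1][1] == idx - 1:
                    ranges[-1][1] = idx        # extend the adjacent range
                else:
                    ranges.append([idx, idx])  # start a new range
            idx += 1
    return h_a.hexdigest(), h_b.hexdigest(), ranges

def is_repeatable(path_a, path_b):
    """Two acquisitions are repeatable only if the images are bit-for-bit identical."""
    sha_a, sha_b, ranges = compare_dumps(path_a, path_b)
    return sha_a == sha_b and not ranges

def make_sample_dumps(directory):
    """Constructed sample: the second 'acquisition' differs in blocks 2-3 and 6."""
    first = bytearray(os.urandom(8 * BLOCK))
    second = bytearray(first)
    for offset in (2 * BLOCK + 10, 3 * BLOCK, 6 * BLOCK + 100):
        second[offset] ^= 0xFF  # simulate data changed between the two runs
    paths = [os.path.join(directory, n) for n in ("dump1.bin", "dump2.bin")]
    for path, data in zip(paths, (first, second)):
        with open(path, "wb") as f:
            f.write(data)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = make_sample_dumps(d)
        sha1, sha2, diff = compare_dumps(p1, p2)
        print(sha1, sha2, sep="\n")
        print("identical" if not diff else f"differing block ranges: {diff}")
```

The differing ranges show which regions changed between runs, so they can be documented alongside the image hashes.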

However, there is an even greater issue. Except for the case where one executes fully custom code on the device, all current methods have one fundamental underlying problem: they require, to some extent, collaboration with the device, and thus, to some extent, we need to trust the device to give us the correct data. But this isn’t necessarily always true! What if the device is malfunctioning and can no longer cooperate with us? What if the software running on the device hides some data from us? What if a device infected with malware deliberately lies to us about data on the device during the acquisition? How can we be sure that the data returned is actually truly valid, correct, and untampered? While in many cases, we can assume that the acquired data is good and with certain methods the likelihood of something fishy going on is extremely low, the truth is that we can never be 100% sure!

Another, more likely, problem is hardware defects in devices that prevent acquisition software from running. For example, if the device has been dropped in water and is no longer booting, it may still have a functioning flash chip. Of course, you could try to fix the mainboard, but without knowing which component broke, that could turn out to be a difficult task.

Obviously, there is no magic solution to all possible problems, but once in a while we can solve some of them.

Conclusion

Mobile forensics has evolved significantly in recent years due to the increasing complexity of mobile devices and their security features. As a result, the traditional approach of forensic disk dumps has become infeasible, and the industry has shifted towards exploiting software vulnerabilities on the device to access data. However, these methods have their limitations, such as the potential for data alteration during acquisition and the need to trust the device to provide correct data. Despite these limitations, the forensic industry continues to work towards finding solutions to these problems to ensure the integrity of the acquired data. Overall, while there is no magic solution to all possible problems, ongoing research and development in the field of mobile forensics will undoubtedly yield more effective and reliable acquisition methods in the future. Stay tuned for part 2!