Seizing a mobile device during an investigation?
Then diving in without a plan could cost us critical evidence.
I call mobile preservation/acquisition a Digital minefield for a reason.
Yes, from lock screens to pervasive data encryption and remote-wipe apps, it is not straightforward, and one wrong move could cost you critical evidence.
That is why having a clear, step-by-step acquisition checklist is a necessity.
Knowing what to do first, at what stage, and how to acquire the most data possible before it disappears is crucial.
Below is a brief overview, and here is a diagram of the acquisition procedures from SWGDE (https://www.swgde.org/).
Here are some key terms that you may want to know:
- After First Unlock (AFU/Hot): A collection of available data from a powered-on device that has been unlocked at least once since the last operating system boot.
- Before First Unlock (BFU/Cold): A collection of available data from a powered-on, locked device that has not been unlocked since the last operating system boot.
- Full File System (FFS): A complete collection of all available active files and folders.
- Logical: A process that requests file data from the operating system, which then interprets and returns the resultant data using techniques such as backup utilities, application agents, and manual interaction.
- Physical: A process that extracts data via a direct connection to the device storage area.
This includes one of the four methods below. The resultant data from a device that utilizes File-Based Encryption (FBE) or Full-Disk Encryption (FDE) will be encrypted.
- Boot Loader: Code that executes in a runtime environment prior to operating system initialization. Physical acquisitions using this method replace the existing code.
- Chip-Off: A destructive process that involves the removal and reading of a memory chip to conduct analysis.
- In-System Programming (ISP): A process to read data from an embedded Multi-Media Card (eMMC) chip. This process involves disassembling the device without removing the eMMC from the PCB.
- Joint Test Action Group (JTAG): In physical acquisitions, data is acquired by disassembling the device and connecting to these defined test access ports.
--
- File-Based Encryption (FBE): A method of protecting files on storage media by using unique encryption keys per file.
- Full-Disk Encryption (FDE): A method of protecting a specific storage area using a single encryption key.
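To tie the AFU/BFU states, the logical/physical distinction and the FBE/FDE definitions above together, here is a small simulation I have added (not from SWGDE or from the post's diagram). It models a handset whose storage holds only ciphertext and whose keys exist in RAM only after the user unlocks it once per boot. The `Device`, `classify_state`, `logical_acquisition` and `physical_acquisition` names, the passcode `1234` and the two sample files are all constructed for the example, and the HMAC-SHA256 keystream stands in for a real storage cipher purely so the code runs on the standard library.

```python
"""Toy model of mobile acquisition terms: AFU/BFU state, logical vs physical
acquisition, and FBE vs FDE.  The cipher is an HMAC-SHA256 keystream used only
so that the example runs offline on the standard library; it is not a real
disk cipher and must not be reused as one."""
import hashlib
import hmac
import os


def derive_key(parent: bytes, label: bytes) -> bytes:
    """Derive a sub-key from a parent key (HMAC as a minimal KDF)."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Device:
    """Simulated handset (constructed for this example).

    storage holds ciphertext only.  The master key is derived from the user
    passcode at unlock time and lives in RAM until power-off, which is what
    separates an AFU/Hot device from a BFU/Cold one."""

    def __init__(self, scheme: str, passcode: bytes):
        assert scheme in ("FBE", "FDE")
        self.scheme = scheme
        self._passcode_hash = hashlib.sha256(passcode).digest()
        self.storage = {}              # path -> (nonce, ciphertext)
        self.powered_on = False
        self.unlocked_since_boot = False
        self._keys_in_ram = None

    def boot(self):
        self.powered_on = True
        self.unlocked_since_boot = False   # a reboot always starts in BFU
        self._keys_in_ram = None

    def unlock(self, passcode: bytes) -> bool:
        if not self.powered_on or hashlib.sha256(passcode).digest() != self._passcode_hash:
            return False
        self._keys_in_ram = derive_key(passcode, b"master")
        self.unlocked_since_boot = True
        return True

    def file_key(self, path: str) -> bytes:
        """FBE: a unique key per file.  FDE: one volume key for everything."""
        if self._keys_in_ram is None:
            raise PermissionError("keys unavailable: device locked since boot or off")
        label = path.encode() if self.scheme == "FBE" else b"volume"
        return derive_key(self._keys_in_ram, label)

    def write_file(self, path: str, plaintext: bytes):
        nonce = os.urandom(8)
        self.storage[path] = (nonce, stream_xor(self.file_key(path), nonce, plaintext))

    def os_read_file(self, path: str) -> bytes:
        nonce, ct = self.storage[path]
        return stream_xor(self.file_key(path), nonce, ct)


def classify_state(dev: Device) -> str:
    """AFU/Hot vs BFU/Cold as defined in the SWGDE terms above."""
    if not dev.powered_on:
        return "powered off"
    return "AFU/Hot" if dev.unlocked_since_boot else "BFU/Cold"


def logical_acquisition(dev: Device) -> dict:
    """Ask the OS for each file; raises PermissionError when keys are not in RAM."""
    return {p: dev.os_read_file(p) for p in dev.storage}


def physical_acquisition(dev: Device) -> dict:
    """Direct read of the storage area: works in any state but yields ciphertext."""
    return {p: (n, bytes(c)) for p, (n, c) in dev.storage.items()}


def decrypt_image_with_key(image: dict, key: bytes) -> dict:
    """Apply one recovered key to every file to see how much that key unlocks."""
    return {p: stream_xor(key, n, c) for p, (n, c) in image.items()}


def run_scenario(scheme: str) -> dict:
    """Provision a device, reboot it, and try each acquisition type in BFU then AFU."""
    dev = Device(scheme, b"1234")                 # constructed sample passcode
    dev.boot()
    dev.unlock(b"1234")
    dev.write_file("/sms.db", b"hello")           # constructed sample files
    dev.write_file("/photo.jpg", b"JPEG")
    results = {}
    dev.boot()                                    # reboot, nobody has unlocked yet
    results["state_after_reboot"] = classify_state(dev)
    results["physical_bfu"] = physical_acquisition(dev)
    try:
        logical_acquisition(dev)
        results["logical_bfu"] = "ok"
    except PermissionError:
        results["logical_bfu"] = "denied"
    dev.unlock(b"1234")
    results["state_after_unlock"] = classify_state(dev)
    results["logical_afu"] = logical_acquisition(dev)
    # Blast radius of a single recovered key: everything under FDE, one file under FBE.
    results["one_key_decrypts"] = decrypt_image_with_key(
        results["physical_bfu"], dev.file_key("/sms.db"))
    return results


if __name__ == "__main__":
    for scheme in ("FDE", "FBE"):
        print(scheme, run_scenario(scheme))
```

Running it shows the point of the checklist: the physical image is obtainable in every state but is ciphertext, the logical path only works once the device is AFU, and a reboot silently drops an AFU device back to BFU. The last step also makes the FBE/FDE definitions concrete: with FDE the single volume key opens the whole image, while with FBE the recovered key opens exactly one file.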