Project 4 Mobile Forensics

I. Mobile Forensics Lab

1. Assignment Rules:
   1. Each student has to do the lab individually. No content directly quoted from Internet or other sources is allowed.
   1. Include your results in your Laboratory Report
2. Assignment Objectives:
   1. Become familiar with AccessData Mobile Phone Examiner Plus (MPE+) by analyzing Android and iPhone images.
   1. Analyze SQLite database data from one or more files found in mobile phone images.
   1. Analyze the WiFi personal network list configuration file found in a mobile phone image.
   1. Utilize open source tools to identify the geo location of WiFi access point information found in the mobile phone image.
3. Competencies: Mobile Forensics
4. Lab Overview: As you perform this lab, you will reinforce the concepts learned in the steps of your ELM classroom. The purpose of this lab is to have hands-on experience analyzing a mobile phone image. During this lab you will use MPE+ to view and analyze a mobile phone image that has been provided with this project.

You will use the UMUC Virtual lab environment to access the vulnerability assessment tools you need for this lab (i.e. MPE+). These tools are already installed in the UMUC Virtual Lab VM WINFOR01.

• Important Lab Information:
  • Appendix A contains all the detailed Lab Instructions. After reading all the information in this section, use Appendix A to perform the lab exercises.
  • Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open source links that help you understand the tools you will use in this lab.
  • Connect to the lab environment following the connect instructions provided in your classroom (let your instructor know if you cannot locate the connect instructions). Contact lab support if you need general technical support related to your virtual lab environment and associated lab exercises. After you have successfully connected to the lab environment, proceed to next step in order to run the tools associated with this project.
  • Run MPE+.

Follow the instructions provided in the MPE+ section I of Appendix A . Review the open source links for MPE+ available in the Lab Resources in order to understand this tool and interpret its results.

• Compile your findings and incorporate it in your deliverables for this project.

II. Lab Resources

Lab Credentials:

User: StudentFirst
Pass: Cyb3rl@b

Application websites

• MPE+
  • http://accessdata.com/solutions/digital-forensics/mpe
• Wigle.net
  • http://www.wigle.net
• wpa_supplicant.conf
  • https://linux.die.net/man/5/wpa_supplicant.conf

Application documentation

• MPE+
  • http://accessdata.com/solutions/digital-forensics/mpe/resources
• Wigle.net
  • http://www.wigle.net
• wpa_supplicant.conf
  • https://linux.die.net/man/5/wpa_supplicant.conf

Application videos online

• MPE+
  • https://www.youtube.com/watch?v=K1LHCCDUcSU
  • https://www.youtube.com/watch?v=xtkM30BBcUc

APPENDIX A (Lab Instructions)

Return to Important Lab Information

1. Mobile Phone Examiner Plus (MPE+), SQLite Data and Wigle.net,

What is MPE+? MPE+ is a stand-alone mobile device investigation solution that includes enhanced smart device acquisition and analysis capabilities.

What is SQLite? SQLite is popular database manages data for applications on Android, iOS and many other operating systems such as Linux. SQLite database files (.db) are frequently found on mobile devices images.

What is Wigle.net? wigle.net is a free web site that provides a database of known WiFi hotspots, there names (SSID), geo locations, MAC addresses, and more.

For this lab, use the MPE+ software tool installed in the WINFOR01 Windows VM. Familiarize yourself with the open source links provided in the Lab Resources in order to learn more about these tools. Wigle.net is accessed via an Internet browser on your local computer.

Overview: For this lab, you will become familiar with MPE+, SQLite database files, and WiFi personal access list data analysis. You will analyze a mobile phone image (provided to you) as well some specific files found within the mobile phone image. You will load the mobile phone image file in to MPE+ from the desktop of WINFOR01 → Lab Resources → Project 4 → Module 1

→ Module 1. Double Click Mobile Phone Examiner Plus 5.6.0 to start the MPE+ software

MPE+ iPhone Image Analysis

1. Start the Access Data MPE+ software found on your lab machine and then open the iPhone image file.
2. Open the iPhone image file and explore the information found within the iPhone image.
   1. Click the Import Image File link found under Quick Links
   1. The iPhone image file is found in Lab Resources -> Project 4 -> Module 1 -> Module 1 -> iPhone3g_…

• Click on the Data Views menu and then answer the following questions for both the iPhone image:
  • How many SMS messages are there in the image?
  • How many contacts are in the image?
  • How many emails are in the image?
  • How many Notes are in the image?
  • How many Contacts are in the image?
• Click the Data Views menu then the Files menu. Navigate the file system to iphone3g/private/var/mobile/Media/DCIM/Exif
  • View the Exif data for file 00336CE7.jpg. the Exif data will appear in a tab to the right when you click the 00336CE7.jpg file.
  • What is the GPSLatitude and GPSLogintude where the picture was taken?

• Highlight the thumbnail image for 0036CE7.jpg, right click on the 0036cE7.jpg file, and then select Export to export the file from the iPhone image. Save the file to your default location.
• From the Data Views menu click the Call History menu item.
  • Sort the call data by duration by double clicking the header of the duration column. Which calls had the longest duration?

• Select the Data Views menu and then the Browser History menu item. Sort the information by the No. of Visits column by double clicking the column header. Which web site URL was visited the most number of times?

MPE + Android Image and SQLite

1. Open the Android image file and explore the information found within the Android image.
   1. Click the Import Image File link found under Quick Links
   1. The iPhone image file is found in Lab Resources -> Project 4 -> Module 1 -> Module 1 -> userdata.dd2.yaffs2

• Click the Data Views menu and then click the Files menu item.
• Navigate the file system to root/data/com.android.providers.contacts/contacts.db.

Right click the contacts.db SQLite database file and select “SQLite Explorer” from the popup menu to view the database structure and data.

Within the contacts.db, review the data in the calls table. How many call rows are there?

• Review the people table data. How many people rows are there? How does this data relate to the Contacts information founder under the Data View menu Contacts menu item?
• Click the Data Views menu and then click the Call History menu item. Note the same two calls are displayed that were displayed in the calls table of the contact.db database.
• Right click on the contacts.db and select “Export” from pop-up menu to export the contacts.db database file to the file system.
• Select the Data Views menu and then the Browser History menu item. Sort the information by the No. of Visits column by double clicking the column header. Which web site URL was visited the most number of times?

Android Image – WiFi Personal Network List Analysis

1. Select the Data Views menu and then the Files menu item. Locate the file root/data/misc/wifi/wpa_supplicant.conf. View the contents of this file.

• What is the overall purpose of the wpa_supplicant.conf file on an Android device? Research this using the resources found in the Lab Resources section of this document.
• What is the purpose of the ssid, key_mgmt, and psk attributes found in the wpa_supplicant.conf file? Provide a brief definition for each attribute. Research this using the resources found in the Lab Resources section of this document.
• The wpa_supplicant.conf file data can be used by an investigator to determine geo locations the subject has visited. https://www.wigle.net can be used to lookup the geo location of known WiFi access points by SSID name.
  • Using your local computer and an Internet Browser, go to the web site https://www.wigle.net, register as a new user, and then login.
  • Click on the red “View” icon in the upper left corner as seen in the screenshot on the following page.
  • Open the wpa_supplicant.conf file that is found under the Lab Resources / Project Resources / Project 4 folder not the file found in the Android image.
  • Within wigle.net on Network Search page enter the name of the first SSID that was found in the wpa_supplicant.conf file and then click the Query button. See the example screenshot on the following page.
  • A list of known WiFi access points with a matching SSID name are listed. Click the map button next one of the items in the list to view the geo location of the SSID. Zoom the map in and out using the + and – symbols. See the example screenshot on the following page.
• Using the wigle.net query results and map, identify the MAC address, latitude, and longitude values for each SSID found in wpa_supplicant.conf.
  • There may be more than one SSID found within wigle.net for each SSID name query, focus your search on the geography of the Mar-a- Lago resort in Miami, Dulles airport Washington DC, McCarran Airport Las Vegas, the Mandalay Bay Hotel Las Vegas, and Chapel of the Bells Las Vegas.

www.wigle.net

View / Search Page

Search Results of SSID value

Map Selection

Step by Step Instructions:

1. On the desktop of the VM WINFOR01 → Lab Resource → Applications
   → locate and launch Mobile Phone Examination Plus 5.6.0 (MPE+)
2. Load the image files provided to you (as explained in the Overview).
3. Analyze the image files by using MPE+ to browse the information in the image file, SQLite Browser, and www.wigle.net.
4. Answer all questions found in the Overview.
5. Make note of your findings in the Laboratory Report.