Difference between pages "Research Topics" and "Damaged SIM Card Data Recovery"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Programming Projects)
 
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.
+
== Summary ==
  
==Research Projects==
+
A prerequisite for the use of SIMIS, is that the SIM card must be functional. A physically damaged, broken or dirty SIM may not function correctly, resulting in the recovery of corrupted data, or no data at all. In the forensic data recovery environment, SIM's will be presented in a variety of different conditions, ranging from good, but lightly soiled, through blood soaked to physically broken. Lightly soiled and blood soaked SIM's may be cleaned using appropriate methods, ensuring that the SIM is not further damaged taking care to preserve surface printing where possible.
===Flash Forensics===
+
Flash storage devices offer opportunities for recovering information that is not visible by going beneath the logical layer visible to users and most operating systems.
+
* Access the physical layer of SD cards and/or USB flash devices. Reverse-engineer the Flash Translation Layer to find deleted data and files.
+
''Necessary skills: social engineering the flash vendors; kernel programming; reverse-engineering.''
+
===Stream Forensics===
+
* Process the entire disk with one pass, or at most two, to minimize seek time.
+
===Evidence Falsification===
+
* Automatically detect falsified digital evidence.
+
===Sanitization===
+
* Detect and diagnose sanitization attempts.
+
===Timeline Analysis===
+
Write a new timeline viewer that supports:
+
* Logfile fusion (with offsets)
+
* Logfile correlation
+
* View logfiles in the frequency domain.
+
  
===Online Social Network Analysis===
+
However, physically damaged or broken SIM's require more specialised processing to produce a viable SIM for data recovery purposes. Crownhill has extensive experience in the area of SIM data recovery through its activity in the SIM manufacturing process. Crownhill works directly with the SIM silicon manufacturers and SIM card manufacturers. Processes developed to aid fault analysis and qualitative measurements are an invaluable advantage when attempting to repair and recover data from physically damaged SIM modules.
* Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
+
* Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
+
===Cell Phone Exploitation===
+
====Imaging====
+
* Image the contents of a cell phone physical memory using the JTAG interface.
+
====Interpretation====
+
* Develop a tool for reassembling information in a cell phone memory
+
  
==Programming Projects==
+
Crownhill have invested in purpose-built laboratory facilities to provide professional card cleaning, data recovery and card repair service. Based in discrete, secure premises, Crownhill can provide the full compliment of services required to clean, repair and recover data from damaged SIM's. Drawing on its own expertise and relationships with Card manufacturers and silicon vendors world-wide, Crownhill have created a centre of excellence for this specialised work. An overview of the procedures can be found here
===SleuthKit Enhancements===
+
[[SleuthKit]] is the popular open-source system for forensics and data recovery.
+
* Add support for a new file system:
+
** The [[YAFFS]] [[flash file system]]. (YAFFS2 is currently used on the Google G1 phone.)
+
** The [[JFFS2]] [[flash file system]]. (JFFS2 is currently used on the One Laptop Per Child laptop.)
+
** [[XFAT]], Microsoft's new FAT file system.
+
* Enhance support for an existing file system:
+
** EXT4
+
** Add support for NTFS encrypted files.
+
** Report the physical location on disk of compressed files.
+
* Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK. (I've already started on this if you want the code.)
+
''Necessary skills: C programming and filesystem familiarity.''
+
  
===fiwalk Enhancements===
+
Where a SIM is thought to be functional, Crownhill can provide a SIM cleaning service. Blood, soot, general soiling and body fluids are handled in an environmentally secure fashion, relieving the client of responsibility for Bio Hazards and other Health and Safety issues. Cleaned SIM's are returned without undue delay, ready for data recovery by the client. Cleaning by Crownhill must be carried out after the SIM has been pre-processed for any physical evidence required, such as Photography and DNA sampling.
* Rewrite the metadata extraction system.
+
Data Recovery Process
* Extend [[fiwalk]] to report the NTFS "inodes."
+
  
===AFF Enhancements===
+
== Data Recovery Process ==
* Implement a Java JNI interface for AFF (lets you read E01 and AFF files directly from Java)
+
===Time Stuff===
+
* Detect a system that has had its clock changed.
+
===Bulk Forensics===
+
* implement frag_find in Java
+
* Implement cross-correlation tools in Java
+
  
==Corpora Development==
+
If our findings suggest that data recovery is likely to be possible, the SIM may further examined by real time X-ray, to determine the extent of the damage. Specifically we will be looking for broken or damaged wire bonds, detachment of the silicon die and possible fractures of the die.
===Realistic Disk Corpora===
+
There is need for realistic corpora that can be freely redistributed but do not contain any confidential personally identifiable information (PII). These disk images may be either of an external drive or of a system boot drive. The drive images should have signs of ''wear'' --- that is, they should have resident files, deleted files, partially overwritten files, contiguous files, and fragmented files.
+
  
See:
+
=== Decapsulation ===
* Frank Adelstein (ATC-NY), Yun Gao and Golden G. Richard III (University of New Orleans): Automatically Creating Realistic Targets for Digital Forensics Investigation http://www.dfrws.org/2005/program.shtml
+
  
===Realistic Network Traffic===
+
Where a damaged bond wire(s) is clearly identified and if there is no obvious damage to the silicon die, the die encapsulation can be removed. The de-capsulation process requires a great deal of skill and the use of proprietary mixes of aggressive solvents and/or acids. The exact process used depends upon the.
Generating realistic network traffic requires constructing a test network and either recording interactions within the network or with an external network.
+
  
__NOTOC__
+
=== Testing ===
 +
 
 +
After de-capsulation, further electrical tests are carried out to confirm the viability of the recovered silicon die. The die bonding pads are then probed and once electrical connection is established, the silicon is accessed and the sim data recovered using proprietary software.
 +
 
 +
=== X-Rays ===
 +
 
 +
Real time X-ray examination is used to confirm the conclusions drawn from the preceding Physical, Optical and Electrical tests. X-ray examination is only undertaken where the integrity of the silicon die is thought to be uncompromised.
 +
 
 +
== References ==
 +
 
 +
1. http://www.3gforensics.co.uk/sim-card-data-recovery.htm

Revision as of 00:20, 24 September 2008

Summary

A prerequisite for the use of SIMIS, is that the SIM card must be functional. A physically damaged, broken or dirty SIM may not function correctly, resulting in the recovery of corrupted data, or no data at all. In the forensic data recovery environment, SIM's will be presented in a variety of different conditions, ranging from good, but lightly soiled, through blood soaked to physically broken. Lightly soiled and blood soaked SIM's may be cleaned using appropriate methods, ensuring that the SIM is not further damaged taking care to preserve surface printing where possible.

However, physically damaged or broken SIM's require more specialised processing to produce a viable SIM for data recovery purposes. Crownhill has extensive experience in the area of SIM data recovery through its activity in the SIM manufacturing process. Crownhill works directly with the SIM silicon manufacturers and SIM card manufacturers. Processes developed to aid fault analysis and qualitative measurements are an invaluable advantage when attempting to repair and recover data from physically damaged SIM modules.

Crownhill have invested in purpose-built laboratory facilities to provide professional card cleaning, data recovery and card repair service. Based in discrete, secure premises, Crownhill can provide the full compliment of services required to clean, repair and recover data from damaged SIM's. Drawing on its own expertise and relationships with Card manufacturers and silicon vendors world-wide, Crownhill have created a centre of excellence for this specialised work. An overview of the procedures can be found here

Where a SIM is thought to be functional, Crownhill can provide a SIM cleaning service. Blood, soot, general soiling and body fluids are handled in an environmentally secure fashion, relieving the client of responsibility for Bio Hazards and other Health and Safety issues. Cleaned SIM's are returned without undue delay, ready for data recovery by the client. Cleaning by Crownhill must be carried out after the SIM has been pre-processed for any physical evidence required, such as Photography and DNA sampling. Data Recovery Process

Data Recovery Process

If our findings suggest that data recovery is likely to be possible, the SIM may further examined by real time X-ray, to determine the extent of the damage. Specifically we will be looking for broken or damaged wire bonds, detachment of the silicon die and possible fractures of the die.

Decapsulation

Where a damaged bond wire(s) is clearly identified and if there is no obvious damage to the silicon die, the die encapsulation can be removed. The de-capsulation process requires a great deal of skill and the use of proprietary mixes of aggressive solvents and/or acids. The exact process used depends upon the.

Testing

After de-capsulation, further electrical tests are carried out to confirm the viability of the recovered silicon die. The die bonding pads are then probed and once electrical connection is established, the silicon is accessed and the sim data recovered using proprietary software.

X-Rays

Real time X-ray examination is used to confirm the conclusions drawn from the preceding Physical, Optical and Electrical tests. X-ray examination is only undertaken where the integrity of the silicon die is thought to be uncompromised.

References

1. http://www.3gforensics.co.uk/sim-card-data-recovery.htm