
What is the best way of forensically determining that spyware software has been installed on the phones without making any changes to the phone(s)?

I have Blackberry and iPhone 4 phones that are suspected of having spysuite software (CellSpyNow) installed on them. It is suspected that a former employee has installed the software on company owned phones when the phones had been left unattended.

Through other work, we have evidence that CellSpyNow web front end has been used by the individual and there are other suspicions that SMS's have been intercepted and acted upon.

Software like this is designed to provide the attacker with SMS's, call data, camera pictures and so on that is usually uploaded to a central website that is accessible by the attacker using a username/password.

Callum Wilson

2 Answers


If I were in your position, I would grab complete image(s) of the individual mobile device(s) to forensically analyze the images using another, independent system because…

  1. You do not have to install anything on the related mobile devices as you can analyze the device image(s) on your other system with any tool you like/want/need.
  2. You can modify (in the sense of “cleaning up suspicious and/or malicious data”) the image as needed and push the checked and cleaned image(s) back to the individual mobile device(s).
  3. You have image(s) of the mobile device(s) which can act — if needed — as forensic proof and legal evidence.

If you do not know how to create and analyze such device images but are almost sure that the devices are indeed compromised, it's time to get professional help from an information security specialist… your best choice will be a forensic analyst in this case.

Additionally, since you are describing a situation that could involve a commercial environment (work/company), you should also reach out for legal advice in case you actually manage to identify the person(s) who have compromised your devices.

As you might know, governmental institutions and agencies (including “ye regular police”) have access to specialists like forensic analysts. Most probably, they are your best choice when it comes to "securing proof" and "defending your rights" (in a legal sense).

The above approach has a high potential to close the loop of your security problem without too much impact, while providing you with a good stand when legal consequences start gaining importance to you.

EDIT

The following information will be of use to you:

Whatever you do, do not destroy or modify digital evidence. That's why I am advising a forensic analyst instead of doing research and analysis yourself. And let's be honest — if you were trained in digital forensics, you wouldn't have asked the question in the first place. Instead, you would have applied the 6 Phases of Incident Management…

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Training

… using the appropriate proceedings and tools.

EDIT

Due to the comment(s) talking about iPhone and iPad imaging, I would like to note that when I talk about imaging for forensics purposes, I am talking about "professional digital forensics software" that fits the individual needs and purposes of the analyst.

This is a list of currently available tools which I would use (depending on the situation and needs) for iPhone/iPad:

  • Black Bag Technology Mobilyze
  • Cellebrite UFED
  • EnCase Neutrino
  • FTS iXAM
  • iPhone Analyzer
  • iphone-dataprotection
    ~ A set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password.
  • iOS Forensic Research (Available to law enforcement only!)
    ~ Among many things, Jonathan Zdziarski has released tools that will image iPhones, iPads and iPod Touch.
  • Katana Forensics Lantern
  • libimobiledevice
    ~ A library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools. They are available in the Debian-testing packages libimobiledevice and libimobiledevice-utils.
  • Logicube CellDEK
  • MacLock Pick
  • Micro Systemation .XRY
  • Mobile Sync Browser
  • Nuix Desktop and Proof Finder
    ~ Tools that can detect and analyse many databases from iOS and iPhones and can directly ingest HFSX dd images.
  • Oxygen Forensic Suite 2010
  • Paraben Device Seizure
  • SpyPhone

I'll spare you listing the appropriate tools for Android, Blackberry and other mobile devices, which each have their own set of forensics tools. I'm convinced you don't really need a list of tools, since any forensics specialist knows them. If you don't, you're not a digital forensics professional… yet.

Now, if you want to dive in a bit deeper into digital forensics, you should take a look at

which provides some pretty good heads-up information for people who aren't educated in the field.

Also, you should read some books on the subject like "iPhone and iOS Forensics".

If you're still interested in digital forensics after reading a dozen books and getting your hands dirty by trying it on your own devices, I would like to advise you to reach out for an appropriate digital forensics education. It's an interesting field and you can trust me when I say: "it never gets boring."

e-sushi
  • The work is pre-trial evidence gathering - however, what I'd be interested in is how to digitally image a phone such as an iPhone that can be done at a cost that makes sense for the client. – Callum Wilson Jul 25 '13 at 11:52
  • note: clearly there are three ways of imaging an iPhone: Zdziarski, jailbreak or using software like iXAM. However, Zdziarski and jailbreaking both alter the phone and the Zdziarski method only gives one access to the user file area. I've not used FTS iXAM before. Therefore, whilst it is easy to write an answer saying "image the phone" - it's actually quite a hard thing to do for later model iPhones and, as far as I can see, they only image the user file area (which is of little interest to me) – Callum Wilson Jul 25 '13 at 12:30
  • @CallumWilson A reply here in the comments would have been too long to fit. Therefore, I've updated my answer with an **EDIT**. It would be great if you could take the time to read it, as I can't help getting the feeling that you have not yet professionally worked in the field and are therefore missing a big piece of the knowledge cake. Please don't get me wrong — I don't want to step on your toes… but I've professionally used all the tools I'm listing in my edit, while you can merely list 3 tools of which you've only used 2. That indicates I might be *a little* ahead of you in digital forensics. – e-sushi Jul 25 '13 at 15:40
  • thanks. I've/My company has plenty of forensics and legal experience but mobile, especially iThings are new. Answer has been helpful to convince me to outsource this bit of the job and look at investing in this area in the longer term. thanks! – Callum Wilson Jul 26 '13 at 13:15
  • @CallumWilson Glad I could contribute something useful to help. Well, good luck hunting then… ;) – e-sushi Jul 26 '13 at 13:26

The easiest way would be to disable the cellular modem and leave them on wifi. You can then monitor the connections they make for anything going to unexpected servers. That will be significantly easier than trying to gain access to the cellular traffic.

AJ Henderson
  • This answer allows for a non-intrusive "quick check" and allows the phone to operate normally without affecting the evidence. We could ring it, SMS it and so on and look for spurious traffic with a sniffer. – Callum Wilson Jul 24 '13 at 15:57
  • Whoever downvoted, could you please comment as to why you don't think traffic analysis is a viable way to identify a hidden piece of software that might be transmitting data to a third party? If the device can't be tampered with or trusted, monitoring its connection to the outside world is the best bet. – AJ Henderson Jul 24 '13 at 17:04
  • I guess he/she saw the *"without making any changes"* part of the question. And indeed, disabling the cellular modem and switching to WIFI is a change of configuration. On the other hand, you are correct when you write that intercepting and analyzing the traffic provides (if you know what you're doing and what to look for) a pretty good hint if a device may be compromised or not. It won't be forensic evidence though… Also, the spy software may notice the difference of connections and simply transfer no data via WIFI but only via the cellular modem. But I'm taking security too far, ain't I? ;) – e-sushi Jul 24 '13 at 18:43
  • @e-sushi - I'm not sure that it wouldn't be forensic evidence since the software isn't actually being altered. Entering airplane mode isn't significantly different from trying to boot up an image on different hardware. It's still a non-destructive process. An alternate approach would also be to toss it in a Faraday cage if turning off cellular was considered too much of a change. – AJ Henderson Jul 24 '13 at 19:16
  • *"It's still a non-destructive process."* …unless the software is (eg) self-destructive when detecting changes. Don't forget that **"containment"** is the step that protects the digital evidence. That's why no one employed at any governmental agency worldwide will ever touch a *"suspect system"*, let alone reconfigure its settings, without an "OK" from their forensics specialist. Only when an incident is ongoing and obviously impacts the security of other devices in an active way, it may be *"cut off"* from electricity… meaning: physical unplugging, not a *"shutdown"* procedure or anything. – e-sushi Jul 24 '13 at 19:42
  • I should note that whilst the phones have been used by staff continually, it would be prudent to work from an image and follow (my country's) evidence gathering framework, otherwise the argument will be destroyed in court. Even if I find positive evidence it probably won't be used directly; instead we'll go after the spysuite service provider for evidence. – Callum Wilson Jul 25 '13 at 11:56
  • @CallumWilson - yeah, if you have the resources to make an image, that is preferable. I just put my idea out there as it is a cheap and minimally invasive way to attempt to determine if there are issues without risking further software being installed by you by accident. – AJ Henderson Jul 25 '13 at 13:31
  • @CallumWilson The trick behind the imaging for forensic analysis is that you won't be messing with the devices themselves. If you mess up an image, you can start fresh with a copy of the image. I think it's clear that the non-modified devices themselves will be the main digital evidence, not your images. Those only prove (a) that you confirmed your suspicion via an image and not via the device itself and (b) that you therefore did not mess with the devices themselves while gaining that confirmation. – e-sushi Jul 25 '13 at 16:25
  • @CallumWilson Since you noted you plan to go after the spysuite service provider, please don't forget to check ["Terms & Conditions - Refund Policy - Legal Info" — sect. "5. Legality"](http://www.cellspynow.com/Terms_Legal_Info-Refund_Policy.html) as I'm not sure if that has any legal impact in your jurisdiction. I'm not a lawyer. As much as I know about forensics, as much knowledge am I missing in the legal field… I'm merely giving you a heads-up on what I found after I stumbled over their site. In my country, I would have to legally pursue the former employee who actively compromised stuff. – e-sushi Jul 25 '13 at 22:53
  • AJHenderson - a slightly different idea would be jamming the cell and then doing the wifi monitoring. Please note it may be illegal in your jurisdiction. – Deer Hunter Jul 28 '13 at 07:31
  • @DeerHunter instead of performing a probably illegal jamming, just move the phone somewhere with no cell coverage. Usually fairly easy to find a spot... Or if not, a metal box will provide one. You can put an AP there, so it still has WiFi. – derobert Jul 30 '13 at 19:40
  • @derobert - I think he was responding to my earlier comment that a Faraday cage (such as say an old microwave) would work wonders if you put a wifi hotspot in with it via a wire. – AJ Henderson Jul 30 '13 at 19:43
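The "watch what the phone talks to over Wi-Fi" check that AJ Henderson's answer describes, as an added example that is not part of either answer or the thread: it runs over a constructed flow log (timestamp, source, destination host, port, bytes out), flags every destination that is not on an allow-list of hosts an idle iPhone is expected to contact, and then looks for the regular upload cadence a spy suite tends to show. The allow-list suffixes and the `.invalid` destination are assumptions made up for this example; as e-sushi notes above, a hit here is a hint that justifies imaging, not forensic evidence on its own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log (not real traffic): ts,src,dst_host,dst_port,bytes_out
SAMPLE_LOG = """\
2013-07-24T10:00:05,10.0.0.12,1-courier.push.apple.com,5223,640
2013-07-24T10:01:00,10.0.0.12,upload.spy-example.invalid,443,18432
2013-07-24T10:02:10,10.0.0.12,init.itunes.apple.com,443,2048
2013-07-24T10:06:00,10.0.0.12,upload.spy-example.invalid,443,17920
2013-07-24T10:11:00,10.0.0.12,upload.spy-example.invalid,443,18944
2013-07-24T10:12:30,10.0.0.12,gateway.icloud.com,443,900
2013-07-24T10:16:00,10.0.0.12,upload.spy-example.invalid,443,18200
"""

# Domains an idle, clean iPhone is expected to contact (assumed allow-list for this example)
EXPECTED_SUFFIXES = ("apple.com", "icloud.com", "akamaitechnologies.com")

def parse_flows(text):
    """Turn the CSV flow log into dicts with a real datetime and integer fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, host, port, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "host": host.lower(), "port": int(port), "bytes": int(nbytes)})
    return flows

def is_expected(host, suffixes=EXPECTED_SUFFIXES):
    # Match the domain itself or any subdomain, never a lookalike such as notapple.com
    return any(host == s or host.endswith("." + s) for s in suffixes)

def suspect_flows(flows):
    return [f for f in flows if not is_expected(f["host"])]

def beaconing_hosts(flows, min_hits=3, max_jitter=0.2):
    """Hosts contacted at least min_hits times with nearly constant spacing."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["host"]].append(f["ts"])
    result = {}
    for host, stamps in by_host.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            result[host] = mean(gaps)   # mean interval in seconds
    return result

def report(text=SAMPLE_LOG):
    """Summarise unexpected destinations, bytes sent to them, and any regular beacons."""
    sus = suspect_flows(parse_flows(text))
    return {"suspect_hosts": sorted({f["host"] for f in sus}),
            "bytes_out": sum(f["bytes"] for f in sus),
            "beacons": beaconing_hosts(sus)}
```

Feed it the export of whatever sniffer sits on the Wi-Fi segment (any tool that can emit one line per connection), and extend the allow-list for Blackberry handsets with the vendor domains you actually observe on a known-clean device.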