Acquisition and Analysis of Digital Evidence in Android Smartphones
From an expert's standpoint, an Android phone is a large repository of data that may be stored either locally or remotely. Its platform also allows analysts to acquire device data and evidence, collecting information about the owner and about the facts under investigation. By exploring and cross-referencing that rich data source, one can obtain information related to unlawful acts and their perpetrator. There are widespread and well-documented approaches to the forensic examination of mobile devices and computers. Nevertheless, they are neither specific nor detailed enough to be applied to Android cell phones. These approaches are not entirely adequate for examining modern smartphones, since these devices have internal memories whose removal or mirroring procedures are considered invasive and complex, owing to the difficulty of obtaining direct hardware access. Examination and analysis are not supported by forensic tools when specific file systems, such as YAFFS2 (Yet Another Flash File System), have to be handled. Furthermore, the specific features of each smartphone platform have to be considered before its data can be acquired and analyzed. To address those challenges, this paper proposes a method for performing data acquisition and analysis on Android smartphones, regardless of version and manufacturer. The proposed approach takes existing techniques of computer and cell-phone forensic examination into account, adapting them to the specific characteristics of Android, its data storage structure, popular applications, and the conditions under which the device was sent to the forensic examiner. The method was defined in a broad manner, without naming specific tools or techniques. It was then applied to the examination of six Android smartphones, covering different scenarios that an analyst might face, and was validated as performing a complete evidence acquisition and analysis.
A proposed model for the transmission of intercepted data on the Brazilian Internet
Dissertation (Master's), Universidade Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, 2012. Access to the content of communications is a tool of great importance for learning about the actions carried out by persons under investigation, the relationships between people, their habits, and other information relevant to a criminal investigation. However, public security agencies have great difficulty in accessing the data captured through a lifting of telematic secrecy (lawful interception). Among the reasons are the lack of standardization in the methods used by telecommunications operators to send data to investigators and the variety of captured-data file formats. This hinders the automation of tasks, making them less efficient and more susceptible to human error. Furthermore, the routines currently in use offer neither a reliable chain of custody nor guarantees of the authenticity and integrity of the intercepted traffic. There are laws, rules and resolutions that require telecommunications operators to provide the means for transmitted data to be intercepted when their secrecy is suspended. However, there is no definition of how those data are to be delivered. This work presents a model for how telecommunications service operators should forward intercepted Internet data to public security agencies and the other entities involved. The model was created with regard to the legislation in force on the subject and the rules and resolutions of the Agência Nacional de Telecomunicações, the Judiciary and the Public Prosecutor's Office, and is further based on the technical characteristics of the operators. In addition, methods and standards used in other countries were examined and used as a reference for the model. The proposed model was evaluated by building a prototype with free software tools and specially developed programs. The prototype was used in dealings with communication service providers using ADSL, cable and 3G technologies. The proposed model was considered adequate.

ABSTRACT

Accessing communication content is a very important tool for getting to know the actions carried out by suspects, connections between people, their habits, and other information relevant to criminal investigations. However, law enforcement agencies have great difficulty in accessing data captured through lawful interceptions. This is largely caused by the lack of standards on how these data should be delivered to investigators and by the variety of traffic data file formats. This impairs the automation of tasks, making them more inefficient and prone to human error. Moreover, the procedures currently used provide neither a proper chain of custody nor guarantees of authenticity and integrity for intercepted traffic that will be presented in court. In Brazil, there is legislation that requires Internet Service Providers (ISPs) to provide means of delivering data to law enforcement agencies when demanded by a court order. Nevertheless, there is no definition of how these data should be delivered. This document presents a model for how ISPs should send captured data to law enforcement agencies and other involved entities. The model was created in compliance with national legislation on the subject and with the rules and resolutions of the National Telecommunications Agency (ANATEL), the judiciary and the public prosecution, and is further based on the technical characteristics of Brazilian ISPs and telecom carriers, which are key players in providing Internet access. Furthermore, methods used for the same purpose in other countries were examined and used as a reference to improve the model. Finally, the model was evaluated using a prototype built from open source software and programs specially developed for this work. The prototype was then used to successfully receive data from ISPs using ADSL, cable and 3G technologies. The proposed model was considered satisfactory.