MSAB XRY & XAMN Training Module 1 PDF
Uploaded by WellManagedEllipse (Staffordshire University)
Summary
This document is a training module about XRY & XAMN, covering topics such as course introduction, learning outcomes, mobile phone terminology, and introduction to the XRY software system. It's a training module, not an exam paper.
Full Transcript
23/11/2022
XRY Version: 10.0

Module 1 – Introduction to XRY & XAMN

Chapter List:
1. Course Introduction
2. An Overview of XRY
3. Hardware & Equipment
4. An Overview of XAMN

1.1 – Course Introduction

1.1.1 – Introduction
Welcome to the XRY Certification Course. This course is designed to help you develop your skills and understanding of the capabilities XRY and XAMN can offer, and how they can enable you to carry out mobile forensic extractions across a huge range of devices.

During the course you may encounter:
- Knowledge checks
- Instructor-led learning
- Interactive exercises
- Videos and simulations
- Quizzes

1.1.2 – Learning Outcomes
Learners should be able to achieve the following by the end of the course:
1. Describe what the XRY software system is and what its basic functions include, in such a way that can be included within a legal statement.
2. Identify the different platforms that XRY can be installed upon.
3. Identify the four main principles of handling digital evidence and describe how these relate to mobile forensic investigations.
4. Carry out logical digital forensic extractions of handsets, SIM cards and memory cards in accordance with good digital forensic practice.
5. Recognise some of the differences and challenges around different types of digital forensic extractions.
6. Carry out simple analysis on extracted data using MSAB tools, identifying different data types.
7. Generate digital forensic reports of your findings, checking and critiquing your results to form measured conclusions.

1.1.4 – Mobile Phone Terminology
Throughout the course, you will find the course materials referring to feature phones and smartphones. To clarify and confirm what we mean when we say either, we provide the following definitions.

Feature Phone: A feature phone comes with a fixed set of features. The handset's capabilities cannot be added to or improved.

Smartphone: A smartphone's capabilities can be improved and customized via updates from the manufacturer/service provider and by the addition of apps to increase functionality.

1.2 – An Overview of XRY

1.2.1 – Chapter Introduction
In this brief chapter, we shall take a look at what XRY is, how it fits into the MSAB Ecosystem, and provide an overview of how the product operates and functions.

1.2.2 – What is XRY?
Forensic Data Recovery & Extraction
- XRY extracts more data, in less time, with full integrity.
- XRY is a powerful, intuitive and efficient software application.
- XRY runs on the Windows operating system.
- The interface is intuitive and user-friendly; information is instantly reviewable as well as credible in a court of law.
- Several different examinations can be stored together throughout the chain of custody.

1.2.3 – The MSAB Ecosystem
Combined, all our products, platforms, and services now form a complete ecosystem of mobile forensics that protects our customers throughout the evidence chain.

1.2.4 – MSAB Product Families
As you can see from the Ecosystem, MSAB has a vast range of platforms and products available to support investigators and examiners during every phase of an investigation, taking them from crime scene to court and beyond. The tools can be separated into three distinct families of products and can be found on several different hardware platforms depending on the investigators' needs.

1.2.5 – The XRY Interface
(Screenshots: XRY – Start Page; XRY – Menu; The XRY Wizard)

EXERCISE: XRY Options
Follow the guidance from your Instructor to complete the exercise.

EXERCISE: Extraction Interface
Follow the guidance from your Instructor to complete the exercise.

EXERCISE: Device Finder
Follow the guidance from your Instructor to complete the exercise.

1.2.6 – MSAB Drivers
When you install XRY on to your PC, you have the option to use MSAB drivers all the time or just when the XRY Wizard is running. The latter is the recommended choice and enables you to easily use other tools and software on your workstation that may require specific drivers to function correctly. You can change this setting at any time by going to your System Tray in the bottom right corner of the Windows desktop and double-clicking (or right-clicking) on the XRY SysTray Tool.

EXERCISE: Create an Empty Case
Follow the guidance from your Instructor to complete the exercise.

1.3 – Hardware & Equipment

1.3.1 – Chapter Introduction
In this chapter, we shall briefly explore and compare the different hardware platforms where you may find XRY installed. We shall also identify some of the additional hardware and equipment you may have purchased or received from MSAB to assist in your examinations.

1.3.2 – MSAB Platforms
At MSAB we offer four common platform solutions:
- MSAB Kiosk
- MSAB Tablet
- MSAB Field
- MSAB Office/Express
The Kiosk, Tablet, and Field platforms are hardware platforms that MSAB can supply to customers, with pre-installed MSAB software and configurations. Each platform and product variation is designed to be ideally suited to different situations and configurations, providing a comprehensive range of options to suit the needs of every organization.

1.3.3 – MSAB Equipment
EXERCISE: MSAB Equipment
Follow the guidance from your Instructor to complete the exercise.

1.3.4 – License Keys
XRY has three distinct types of licenses that allow different functions and capabilities to be made available to users. These different levels are known as:
- ISP Restricted
- Physical
- Logical
For more information refer to https://www.msab.com/support/faq/

1.3.5 – Multiple Extractions
XRY allows you to connect and extract data from up to three devices simultaneously by opening three separate instances of XRY on your forensic workstation. This is why the XRY hub has three USB ports for device extractions. You can have any combination of devices: this means you could have a handset, a SIM card, and a memory card running at the same time. These could also all be part of the same case or part of separate cases... the choice is entirely yours.

1.3.6 – The XRY Library App
MSAB also offer the XRY Library app, a quick reference guide that allows investigators and examiners to quickly browse the XRY Device Manual and search for supported devices and apps.

1.4 – An Overview of XAMN

1.4.1 – Chapter Introduction
In this brief chapter, we shall take a look at what XAMN is, how it fits into the MSAB Ecosystem, and provide an overview of how the product operates and functions.

1.4.2 – What is XAMN?
- Comprehensive tool for analysis and review of extracted data
- Features to enable the searching, filtering and analysis of digital data
- Can ingest and display different file formats for review and interpretation
- XAMN is a suite of tools, each with specialist functions and capabilities
(MSAB – XAMN Product: https://www.msab.com/products/xamn/)

1.4.3 – The XAMN Tools
The XAMN Suite comprises four main software products built into XAMN, each of which activates with a different license available from MSAB.

1.4.4 – XAMN Product Functions
Each of the XAMN products within the XAMN Suite has different capabilities and functions that are available once the relevant license has been purchased and made available to XAMN. The slide shows some of those functions. Take particular note of the differences between Viewer and Spotlight.

1.4.5 – The XAMN Interface
(Screenshots: XAMN – Start Page (no case); XAMN – Start Page (case opened); XAMN – Extraction View)

EXERCISE: XAMN Interface Overview
Follow the guidance from your Instructor to complete the exercise.

1.5 – End of Module Knowledge Check
Questions 1 to 5. Follow the guidance from your Instructor to complete the knowledge check.

Module 2 – Devices & Digital Evidence

Chapter List:
1. What is Digital Evidence?
2. Principles of Digital Evidence
3. Handling Digital Evidence
4. Digital Devices
5. Forensic Data Recovery

2.1 – What is Digital Evidence?

2.1.1 – Chapter Introduction
What is Digital Evidence? It is a question that could result in several different answers depending on who you speak to, or what you read. However, in this chapter we are going to do our best to provide you with an understanding of what digital evidence is, what it can include, and how this ties into the role of digital forensics.

2.1.2 – What is Digital Data?
Before we begin to discuss Digital Evidence, we first need to consider what digital data is made up of, how it is stored, and how it is interpreted.

Binary Data
Fundamentally, digital devices store their data on hard drives, flash drives, discs, and other storage devices as binary data. This means that rather than storing it as the text or images you and I see visually on the screen, the device stores the data as 0s and 1s (zeros and ones), with each character being known as a bit. Together, eight of these characters make what is known as a byte, which may look something like 01001100.

2.1.3 – Digital Data in Mobile Devices
Huge storage capacity...
- Most modern, mid-range laptops now ship with 500GB (gigabytes) of storage.
- The latest smartphones are now offering 512GB+ of storage.
That data can come in the form of messages, apps, call logs, photos, videos, games, documents, emails, calendars, social media, personal health data, music, connected device information, web browsing... or pretty much any activity carried out on that handset.

2.1.4 – What is Digital Evidence?
There are a lot of different definitions for digital evidence in existence, but to truly recognize what it is, we should break it down into two component parts: "Digital" and "Evidence". See the following definitions as given by the Oxford English Dictionary:

"Digital": "(of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization."

"Evidence": "The available body of facts or information indicating whether a belief or proposition is true or valid."

So "Digital Evidence" could possibly be defined as: An available body of facts or information, stored or retrieved from a digital storage medium, indicating whether a belief or proposition is true or valid, that is admissible as evidence within given proceedings.

What does this mean?
Digital Evidence should be treated with just as much respect and attention as traditional evidence. It could include anything that comes from a form of digital storage. However, it has the added complication of being stored on a digital storage medium. Therefore, we need to consider a forensically sound method of retrieving and/or capturing that data, all while maintaining its integrity and reliability as admissible evidence.

2.1.5 – What is Digital Forensics?
"Mobile Technology leaves traces, like digital foot-prints. These can reveal a hidden world – a fragmented world at times, but a world that points to the truth." (Part of the MSAB Mission Statement)

The term Digital Forensics is used to cover a huge range of forensic disciplines, which include (but are not limited to):
- Mobile Phone Forensics
- Computer Forensics
- Drone Forensics
- Network Forensics
- Memory Forensics
- Video Imagery Forensics
- Vehicle Forensics
...and the list goes on. But what exactly is it?

Just like with Digital Evidence, we can break it down into two component parts: "Digital" and "Forensics". See the following definitions as given by the Oxford English Dictionary:

"Digital": "(of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization."

"Forensic": "Relating to or denoting the application of scientific methods and techniques to the investigation of crime."

So "Digital Forensics" could possibly be defined as: The application of scientific methods and techniques to digital data and digital media, in the investigation of crime.

What does this mean?
We have taken our definition of Digital Evidence and combined it with the concept of applying forensics, and the scientific method, to the process of obtaining that evidence. The Scientific Method is interested in:
- A reasoned hypothesis.
- A documented and recorded methodology of how to investigate that hypothesis, which is repeatable and is capable of being challenged and tested by others.
Conclusions can then be drawn from the findings, which are often presented in a forensic report and/or testimony.

What does this mean for digital forensic practitioners?
The retrieval and analysis of digital data is a forensic discipline. It requires a degree of understanding and appreciation of the requirements and expectations surrounding forensic evidence. Digital data needs to be treated with the same (if not more) respect and care as traditional forensics, such as fingerprint and DNA analysis.

2.2 – Principles of Digital Evidence

2.2.1 – Chapter Introduction
In this brief chapter, we shall look at some of the globally recognized principles associated with handling and managing digital evidence. We shall then break them down into simple, generalized steps that should help guide you through any areas of uncertainty during your investigations.

2.2.2 – Principles of Digital Evidence
There are a number of recommendations and suggestions on how best to handle digital evidence, and regardless of where you are in the world, they are often similar in many respects.

ACPO Good Practice Guide for Digital Evidence
Despite this guide being written in 2012, it has recently been reviewed and, while some updates have been implemented to account for changing technologies, the principles have remained unchanged. This document still forms part of what is known as Approved Professional Practice (APP) as outlined by the College of Policing, and also features in international guidance and advice.

2.3 – Handling Digital Evidence

2.3.1 – Chapter Introduction
In this chapter, we shall take a brief look at how best to handle digital devices and evidence in order to secure and maintain their integrity.

2.3.2 – Seizing and Securing Devices
When seizing and securing digital devices, there can be a minefield of legal and procedural requirements that need to be navigated in order to handle devices correctly. Ultimately, it is down to each individual organization to determine its own practices and guidelines.

But before we do anything else...
You can never take too many photographs in digital forensics. If using the XRY Camera with XRY, you can capture images of the devices and their states. Alternatively, just have a good digital camera available to use. If in doubt, photograph it!

What state is the device in...?
One of the major challenges of mobile forensics is what to do when first seizing and securing the device.
- Is it switched ON?
- Is it switched OFF?
- How can you tell that it is genuinely OFF?
- Does it have battery power?
- Does it have a PIN or Passcode?
- Is it encrypted?
Mobile device forensics can sometimes be far more challenging than computer forensics in many respects, as you often have to break the first principle of digital evidence with every extraction.

Other factors that need to be considered...
- Smudge Preservation
- Write-blockers
- Network Isolation
- Traditional "Biological" Forensics

2.4 – Digital Devices

2.4.1 – Chapter Introduction
In this brief chapter we shall take a look at where evidence can be found, the different digital devices you might encounter, what devices XRY supports, and some guidance on how best to separate some of them into their component parts in preparation for extraction.

2.4.2 – Where can Evidence be Located?
When you seize a mobile device from a suspect or receive an exhibit bag on your desk with a phone inside it, where should you consider looking for different types of digital evidence? Three main sources of data...

Retrieving Maximum Data
You may find a number of these devices together in one exhibit. To maximize the chances of retrieving as much data as possible, examine every area independently (in line with your Force/Organization's policies).

...but where else could data be stored? The answer is cloud storage!

2.4.3 – Device Types Supported by XRY
XRY supports a huge range of devices and is not just limited to mobile phones and SIM cards...

2.4.4 – Levels of Device Support
XRY has three different levels of support for devices, and considerations that examiners should have for each one:
- Verified
- Community Verified
- Untested
"In MSAB Headquarters in Stockholm, we have an original copy of every single device we support so that it is on hand in case we need to carry out further research or tests."

Alternative Profiles: Trial and Error...
Sometimes a device profile does not exist in XRY, which may be for many reasons:
- It could be that the device is simply too new.
- It has simply not been on the radar for investigators before.
When this happens, it doesn't necessarily mean the phone isn't supported, but you might want to try an alternative profile instead, for a similar device.

IMPORTANT NOTE: When using alternative profiles we strongly advise that you only ever use LOGICAL extractions to avoid risking damage to the device or its data. The ONLY exception to this is "Generic" profiles, where it is safe to attempt to carry out a physical extraction for the appropriate profile (i.e. Android Generic on an Android device).

2.4.5 – Requesting Device Support
As an MSAB customer, you can request either additional support for existing devices, or support for currently unsupported devices, through the MSAB website (www.msab.com) or by contacting Support directly at [email protected].

2.5 – Forensic Data Recovery

2.5.1 – Chapter Introduction
In this chapter, we shall take a look at some of the types of data recovery methods we can perform within mobile forensics, and identify some common terminology used across the profession.

2.5.2 – Different Extraction Methods
In mobile device forensics, there are several different methods for extracting data, which involve different ways for XRY and the forensic workstation to communicate and interact with the device. The three terms commonly used are:
1) Logical Extraction – Protocol
2) Logical Extraction – File System
3) Physical Extraction
(The slides illustrate each method in turn; the Logical – Protocol slide shows a request/response exchange between XRY and the device: "Can I ask you something?" / "Sure thing, what is it?")

2.5.3 – The Library Analogy
Logical – Protocol: Like going into a library and asking the Librarian for the books on a specific subject. They have a look at what they have on their index card system. They go and personally retrieve for you the best fit(s) based on your request whilst you wait.

Logical – File System: Like picking up the index card system from the librarian's desk yourself, walking around the library identifying where each book in the index card system is located, then pulling them out yourself.

Physical: Like taking every book off of every shelf and trying to match them up to the index card system later on. You will get some books that were left on shelves that didn't have index cards (deleted files). There may also be some books or loose pages from old books that the librarian didn't even know were there, but we've recovered them (albeit we may not immediately know what they are).

2.5.4 – Extraction Interfaces
There are several different interfaces available to use for extractions. These are not all always available or possible, but read the device's profile to find out what options you may have.

2.5.6 – What can be retrieved?

2.5.7 – Other Information from Service Providers
Some of the information that service providers may be able to provide includes:
- Location information
- Calls made/received
- SMS/MMS logs (sent/received times etc.)
- Voicemail
- ICCID/IMSI/IMEI links and cross-referencing
- Phone number (MSISDN) confirmation
- PUK codes
- Subscriber details
- Payment details

2.6 – End of Module Knowledge Check
Questions 1 to 5. Follow the guidance from your Instructor to complete the knowledge check.