Incident response for the mobile enterprise

Published: 2007-07-03
Last Updated: 2007-07-03 08:23:28 UTC
by Maarten Van Horenbeeck (Version: 1)

A lot of chatter has appeared on the security of Apple’s new iPhone. As with any new technology, it is to be expected that some security issues will be identified and fixed.
More importantly though, the phone’s release indicates we as security professionals should be prepared to investigate security incidents on mobile devices. This new generation of smartphones is much more likely to be purchased or requested by employees as a status symbol than is the average laptop. As such, it may be used to transport corporate data and could fall within the scope of a forensic investigation.
Unfortunately, mobile phones are technically harder to investigate:
  • There may not be a clear distinction between which memory space is used for data and which is used for processes. Loss of battery power generally leads to loss of evidence;
  • In most cases you can only acquire data ‘logically’, by requesting it through the phone software. In those rare cases where you can ‘physically’ dump memory as an image, this may still depend on phone functionality that can be ‘flashed’. As such, integrity of evidence could be a serious issue;
  • An attacker could still connect to the device remotely if it is not kept in a shielded environment.
Organizations should therefore take a number of decisions regarding the use of cell phones: for example, whether to provide employees with company phones or to support a set of acceptable ‘employee-owned phones’ over which they have less control. Policies should also be developed to govern the use of mobile devices.
Incident response groups should commence the first step of the incident handling cycle: Prepare! This includes adding the necessary tools, skills/procedures and hardware to fully support investigations on mobile devices:
  • Tools can include free software such as Tulp2g, or one of the many commercial packages. NIST offers a great tool review for mobile forensics;
  • Skills and procedures can be gathered through training or exercise. One great resource is the NIST site;
  • Hardware should include a SIM/USIM card reader (generally a regular smartcard reader which supports the smaller format), the necessary cables to connect your supported cell phones to the analysis workstation, as well as an RF shielding bag to prevent evidence compromise.

Some other issues may require review with your legal team. For example, some of the data stored on a SIM/USIM card may allow an investigator to broadly assess the past physical location of the phone's user. This could be a very significant privacy issue.
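As an added illustration of the location point above and of the evidence-integrity bullet earlier (example code, not from the diary): the snippet decodes a SIM's EF_LOCI file, which records the last location area (MCC, MNC, LAC) the phone registered in, and hashes the raw record so the acquired bytes can be verified later. It assumes the 3GPP TS 51.011 layout of EF_LOCI and uses constructed sample bytes.

```python
"""Decode the EF_LOCI (location information) file from a GSM SIM.

Assumed layout (3GPP TS 51.011, EF_LOCI): 11 bytes = TMSI[4], LAI[5],
TMSI TIME[1], location update status[1]; the LAI holds MCC/MNC as
nibble-swapped BCD plus a 2-byte LAC. Sample bytes are constructed.
"""
import hashlib

# Constructed sample: TMSI 1a2b3c4d, MCC 234, MNC 15, LAC 0x1234, status 0.
SAMPLE_LOCI_HEX = "1a2b3c4d" + "32f4511234" + "ff" + "00"

LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def _nibbles(byte):
    """Return (low, high) nibble; 0xF marks an unused BCD digit."""
    return byte & 0x0F, byte >> 4


def decode_lai(lai):
    """Decode a 5-byte LAI into (MCC, MNC, LAC); None if no LAI stored."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    if lai == b"\xff" * 5:          # erased / never updated
        return None
    mcc1, mcc2 = _nibbles(lai[0])
    mcc3, mnc3 = _nibbles(lai[1])
    mnc1, mnc2 = _nibbles(lai[2])
    mcc = f"{mcc1}{mcc2}{mcc3}"
    mnc = f"{mnc1}{mnc2}" if mnc3 == 0xF else f"{mnc1}{mnc2}{mnc3}"
    return mcc, mnc, int.from_bytes(lai[3:5], "big")


def decode_loci(raw):
    """Parse an 11-byte EF_LOCI record; the hash documents what was read."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    lai = decode_lai(raw[4:9])
    return {
        "tmsi": raw[0:4].hex(),
        "mcc": lai[0] if lai else None,
        "mnc": lai[1] if lai else None,
        "lac": lai[2] if lai else None,
        "status": LOCATION_UPDATE_STATUS.get(raw[10] & 0x07, "reserved"),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
```

The result names only a location area (an operator's cell cluster), which is why the diary speaks of assessing location "broadly"; the hash is recorded at acquisition time so later analysis can show the bytes were not altered.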

Maarten Van Horenbeeck
