Project 4 Mobile Forensics

I. Mobile Forensics Lab

  1. Assignment Rules:
  2. Assignment Objectives:
  3. Competencies: Mobile Forensics
  4. Lab Overview: As you perform this lab, you will reinforce the concepts learned in the steps of your ELM classroom. The purpose of this lab is to have hands-on experience analyzing a mobile phone image. During this lab you will use MPE+ to view and analyze a mobile phone image that has been provided with this project.

    You will use the UMUC Virtual lab environment to access the vulnerability assessment tools you need for this lab (i.e. MPE+). These tools are already installed in the UMUC Virtual Lab VM WINFOR01.

  5. Important Lab Information:
    1. Appendix A contains all the detailed Lab Instructions. After reading all the information in this section, use Appendix A to perform the lab exercises.
    2. Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open source links that help you understand the tools you will use in this lab.
    3. Connect to the lab environment following the connect instructions provided in your classroom (let your instructor know if you cannot locate the connect instructions). Contact lab support if you need general technical support related to your virtual lab environment and associated lab exercises. After you have successfully connected to the lab environment, proceed to next step in order to run the tools associated with this project.
    4. Run MPE+.
    5. Follow the instructions provided in the MPE+ section I of Appendix A. Review the open source links for MPE+ available in the Lab Resources in order to understand this tool and interpret its results.

    6. Compile your findings and incorporate them in your deliverables for this project.

II. Lab Resources

Lab Credentials:

User: StudentFirst
Pass: Cyb3rl@b

Application websites

Application documentation

Application videos online

APPENDIX A (Lab Instructions)

  1. Mobile Phone Examiner Plus (MPE+), SQLite Data and Wigle.net

    What is MPE+? MPE+ is a stand-alone mobile device investigation solution that includes enhanced smart device acquisition and analysis capabilities.

    What is SQLite? SQLite is a popular database engine that manages data for applications on Android, iOS and many other operating systems such as Linux. SQLite database files (.db) are frequently found in mobile device images.

    What is Wigle.net? wigle.net is a free web site that provides a database of known WiFi hotspots: their names (SSID), geolocations, MAC addresses, and more.

    For this lab, use the MPE+ software tool installed in the WINFOR01 Windows VM. Familiarize yourself with the open source links provided in the Lab Resources in order to learn more about these tools. Wigle.net is accessed via an Internet browser on your local computer.

    Overview: For this lab, you will become familiar with MPE+, SQLite database files, and WiFi personal access list data analysis. You will analyze a mobile phone image (provided to you) as well as some specific files found within the mobile phone image. You will load the mobile phone image file into MPE+ from the desktop of WINFOR01 → Lab Resources → Project 4 → Module 1.

  2. Double click Mobile Phone Examiner Plus 5.6.0 to start the MPE+ software.

MPE+ iPhone Image Analysis

  1. Start the Access Data MPE+ software found on your lab machine and then open the iPhone image file.
  2. Open the iPhone image file and explore the information found within the iPhone image.
  3. Click on the Data Views menu and then answer the following questions for the iPhone image:
  4. Click the Data Views menu then the Files menu. Navigate the file system to iphone3g/private/var/mobile/Media/DCIM/Exif
  5. Highlight the thumbnail image for 0036CE7.jpg, right click on the 0036CE7.jpg file, and then select Export to export the file from the iPhone image. Save the file to your default location.
  6. From the Data Views menu click the Call History menu item.
  7. Select the Data Views menu and then the Browser History menu item. Sort the information by the No. of Visits column by double clicking the column header. Which web site URL was visited the most number of times?

MPE+ Android Image and SQLite

  1. Open the Android image file and explore the information found within the Android image.
  2. Click the Data Views menu and then click the Files menu item.
  3. Navigate the file system to root/data/com.android.providers.contacts/contacts.db.
  4. Right click the contacts.db SQLite database file and select “SQLite Explorer” from the popup menu to view the database structure and data.

    Within the contacts.db, review the data in the calls table. How many call rows are there?

  5. Review the people table data. How many people rows are there? How does this data relate to the Contacts information found under the Data Views menu Contacts menu item?
  6. Click the Data Views menu and then click the Call History menu item. Note that the same two calls are displayed that were displayed in the calls table of the contacts.db database.
  7. Right click on the contacts.db and select “Export” from the pop-up menu to export the contacts.db database file to the file system.
  8. Select the Data Views menu and then the Browser History menu item. Sort the information by the No. of Visits column by double clicking the column header. Which web site URL was visited the most number of times?
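The row counts and the calls-to-contacts relationship that the SQLite Explorer steps above ask about can be cross-checked outside MPE+ with Python's built-in sqlite3 module. The script below is an added example, not part of the lab materials or of MPE+: it builds a constructed, simplified contacts.db (the column names are assumptions for illustration, not the real Android schema), opens it read-only, counts the rows in each table, and joins calls to people by phone number, which is the relationship the Call History view reflects.

```python
import re
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Constructed sample data. The "calls" and "people" tables stand in for the
# tables named in the lab; the columns are assumptions, not Android's schema.
SAMPLE_CALLS = [
    # _id, number, date (ms since epoch), duration (s), type
    (1, "+15550100", 1300000000000, 65, 2),
    (2, "+15550199", 1300003600000, 0, 3),
]
SAMPLE_PEOPLE = [
    (1, "Alice Example", "+15550100"),
    (2, "Bob Example", "+15550199"),
    (3, "Carol Example", "+15550123"),
]


def build_sample_db(path):
    """Create the constructed contacts.db-style database at `path`."""
    with closing(sqlite3.connect(path)) as con:
        con.executescript(
            """
            CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT,
                                date INTEGER, duration INTEGER, type INTEGER);
            CREATE TABLE people (_id INTEGER PRIMARY KEY, name TEXT, number TEXT);
            """
        )
        con.executemany("INSERT INTO calls VALUES (?,?,?,?,?)", SAMPLE_CALLS)
        con.executemany("INSERT INTO people VALUES (?,?,?)", SAMPLE_PEOPLE)
        con.commit()
    return path


def open_readonly(path):
    """Open the file read-only via a URI so analysis cannot alter the exported evidence."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def list_tables(path):
    with closing(open_readonly(path)) as con:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        )
        return [r[0] for r in rows]


def count_rows(path, table):
    # Only a name that really exists in sqlite_master is interpolated into SQL,
    # so an unexpected table name raises instead of becoming injected SQL text.
    if table not in list_tables(path):
        raise ValueError(f"no such table: {table}")
    with closing(open_readonly(path)) as con:
        return con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


def calls_with_names(path):
    """Join each call to the contact whose number matches (LEFT JOIN keeps
    calls from unknown numbers), the same relationship Call History shows."""
    sql = """
        SELECT c._id, c.number, COALESCE(p.name, '<unknown>'), c.duration, c.type
        FROM calls c LEFT JOIN people p ON p.number = c.number
        ORDER BY c.date
    """
    with closing(open_readonly(path)) as con:
        return con.execute(sql).fetchall()


def analyze_sample():
    """Build the constructed database in a temp directory and return the
    figures an examiner would record: table list, row counts, joined calls."""
    db = build_sample_db(str(Path(tempfile.mkdtemp()) / "contacts.db"))
    return {
        "tables": list_tables(db),
        "calls": count_rows(db, "calls"),
        "people": count_rows(db, "people"),
        "joined": calls_with_names(db),
    }


if __name__ == "__main__":
    result = analyze_sample()
    print("tables:", result["tables"])
    print("calls rows:", result["calls"], "| people rows:", result["people"])
    for row in result["joined"]:
        print(row)
```

To run the same checks against the contacts.db you exported in step 7, point `list_tables`, `count_rows` and `calls_with_names` at that file instead of the constructed one (the join will need the real column names). Opening with `mode=ro` keeps the exported copy unchanged, which matters when the numbers you report must be reproducible from the same file later.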

Android Image - WiFi Personal Network List Analysis

  1. Select the Data Views menu and then the Files menu item. Locate the file root/data/misc/wifi/wpa_supplicant.conf. View the contents of this file.
  2. What is the overall purpose of the wpa_supplicant.conf file on an Android device? Research this using the resources found in the Lab Resources section of this document.
  3. What is the purpose of the ssid, key_mgmt, and psk attributes found in the wpa_supplicant.conf file? Provide a brief definition for each attribute. Research this using the resources found in the Lab Resources section of this document.
  4. The wpa_supplicant.conf file data can be used by an investigator to determine geolocations the subject has visited. https://www.wigle.net can be used to look up the geolocation of known WiFi access points by SSID name.
  5. Using the wigle.net query results and map, identify the MAC address, latitude, and longitude values for each SSID found in wpa_supplicant.conf.
  6. www.wigle.net (screenshots: View / Search page, search results for the SSID value, map selection)
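Before querying wigle.net by SSID, an examiner needs the list of network blocks from wpa_supplicant.conf with their ssid and key_mgmt values, and should keep the psk out of the report. The parser below is an added example, not lab material or part of MPE+; it runs on a constructed sample file (made-up SSIDs and passphrase) and handles the two ways wpa_supplicant writes strings, a quoted string or a bare run of hex digits, and the two psk forms, a quoted passphrase or a 64-hex-digit raw key. The default it assumes for a missing key_mgmt is the one documented for wpa_supplicant (WPA-PSK WPA-EAP).

```python
import re

# Constructed sample in the shape of an Android wpa_supplicant.conf; the
# SSIDs, passphrase and hex key are made-up values, not data from the lab image.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
    ssid="HomeNet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
    priority=3
}

network={
    ssid="CoffeeShop"
    key_mgmt=NONE
    priority=2
}

network={
    ssid=436f72704e6574
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    key_mgmt=WPA-PSK
}
"""

# Non-greedy match of each network={...} block (a passphrase containing "}"
# would need a real tokenizer; the sample does not have one).
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def _unquote(value):
    """Return (text, was_quoted); bare values are hex strings or keywords."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1], True
    return value, False


def _decode_ssid(raw):
    value, quoted = _unquote(raw)
    if quoted:
        return value
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # not hex; keep as written rather than guess


def _classify_psk(raw):
    """Describe the psk form without returning the secret itself."""
    value, quoted = _unquote(raw)
    if quoted:
        # A WPA passphrase is 8 to 63 characters; anything else is malformed.
        return "passphrase" if 8 <= len(value) <= 63 else "passphrase (invalid length)"
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "raw-psk"  # the 256-bit key itself, not a human passphrase
    return "unrecognized"


def parse_wpa_supplicant(text):
    """Return one dict per network block: ssid, key_mgmt, psk_kind, priority."""
    networks = []
    for m in BLOCK_RE.finditer(text):
        fields = {}
        for line in m.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, val = line.partition("=")
            fields[key.strip()] = val.strip()
        if "ssid" not in fields:
            continue  # nothing to look up without an SSID
        prio = fields.get("priority", "")
        networks.append({
            "ssid": _decode_ssid(fields["ssid"]),
            "key_mgmt": fields.get("key_mgmt", "WPA-PSK WPA-EAP"),
            "psk_kind": _classify_psk(fields["psk"]) if "psk" in fields else None,
            "priority": int(prio) if prio.lstrip("-").isdigit() else 0,
        })
    return networks


def ssids_for_lookup(networks):
    """Unique SSIDs, highest priority first: the names to search on wigle.net
    to obtain each access point's BSSID (MAC) and coordinates."""
    seen, out = set(), []
    for n in sorted(networks, key=lambda n: -n["priority"]):
        if n["ssid"] not in seen:
            seen.add(n["ssid"])
            out.append(n["ssid"])
    return out


if __name__ == "__main__":
    nets = parse_wpa_supplicant(SAMPLE_CONF)
    for n in nets:
        print(n)
    print("look up on wigle.net:", ssids_for_lookup(nets))
```

Read the real file from the exported image with `open(...).read()` and pass it to `parse_wpa_supplicant`; the result carries only the kind of psk present, so the worksheet you build from it records which networks were protected and how, without copying key material into the lab report.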

Step by Step Instructions:

  1. On the desktop of the VM WINFOR01 → Lab Resource → Applications
    → locate and launch Mobile Phone Examiner Plus 5.6.0 (MPE+)
  2. Load the image files provided to you (as explained in the Overview).
  3. Analyze the image files by using MPE+ to browse the information in the image file, SQLite Browser, and www.wigle.net.
  4. Answer all questions found in the Overview.
  5. Make note of your findings in the Laboratory Report.