1152 error extracting samsung pc studio


I have to install PC studio in my PC but when i tried it shown that my PC does able to install samsung NPS software. its showing 1152:Error extracting. https://displaysolutions.samsung.com/digital-signage/detail/1269/QM43N If an error occurs when you connect a computer, a message will. -This approach aims to extract the information present in an image using deep we are facing a problem regarding remotely access the institution PC for.


Hi michaellockey,

 

Thank you for posting in the Microsoft Community.

Apart from the issue, how are you doing today?

Nowadays, mobile phones can be connected to the computer to share photos, network, videos etc. In your case, you seem to have an issue with installing Samsung Kies on the computer. I understand that it must be frustrating. But, we will proceed together as a team and try to resolve the issue for you.

 

Please answer the questions-

1) What is the complete error message?

2) Do you have an issue with installing other programs on the computer?

3) Have you made any other changes on the computer prior to the issue?

I would like more information regarding the issue.

Method 1-

I would have you clear the “Temp” files on the computer.

Refer to the steps-

a) Click on “Start” and select “Run”.

b) Now, type the command “%temp%” (without the quotes) and hit “Enter”.

c) Delete all the files in the “Temp” folder.

Method 2-

I would have you run the fixit-

Fix problems with programs that can't be installed or uninstalled

http://support.microsoft.com/mats/Program_Install_and_Uninstall/

Method 3-

I would have you refer to the article-

How to troubleshoot problems when you install or uninstall programs on a Windows-based computer

http://support.microsoft.com/kb/2438651/en-us#reso3

Note: Make sure you get the computer back to Normal Startup after performing all the troubleshooting steps.

Do let us know if you need further assistance. We will be happy to help. We, at Microsoft strive towards excellence.

Thanks.


I. Introduction

A. Mobile Devices, Applications, and User Data

There has been significant growth in personal smartphone devices. In June 2013, the Google Android smartphone held 51.8% of the market, the highest share in the U.S. (Table 1) [1]. Apple iOS maintained the second largest share at 40.6%, followed by BlackBerry at 3.4% and Microsoft at 3.1% [1]. Symbian still holds a 0.2% market share but has been discontinued by Nokia. The last Symbian smartphone was shipped in mid-2012, according to the company’s 2012 Interim Report [2].

Top Smartphone Platforms
3 Month Avg. Ending Dec. 2013 vs. 3 Month Avg. Ending Sep. 2013
Total U.S. Smartphone Subscribers Age 13+
Source: comScore MobiLens

Share (%) of Smartphone Subscribers

| Platform | Sep-13 | Dec-13 | Point Change |
|---|---|---|---|
| Android | 51.8% | 51.5% | -0.3 |
| Apple | 40.6% | 41.8% | 1.2 |
| BlackBerry | 3.8% | 3.4% | -0.4 |
| Microsoft | 3.3% | 3.1% | -0.2 |
| Symbian | 0.3% | 0.2% | -0.1 |
| Total Smartphone Subscribers | 100.0% | 100.0% | |

Table 1. Top Smartphone Platforms (from [1]).

Mobile phones use flash-memory [3] to store the base mobile operating system (OS), applications (apps), and user data. First-party applications are software created by the operating-system provider. For example, the Android smartphone includes a phonebook, a calendar and text-messaging applications created by Google’s own software-development team. Third-party applications are created by developers other than the provider of the mobile operating system.

The internal flash memory of a mobile device contains several types of user-generated information such as phone numbers, addresses, Short Message Service (SMS) text messages, and cell data. These data can be extracted with the use of digital forensics tools and used to profile a user’s activity. Digital forensics is a branch of forensic science that investigates digital information stored in various electronic media. It can help investigate cybercrime, computer-based terrorism, and computer hacking involving digital environments.

All smartphones provide a way to erase (reset) personal information from flash memory. The main focus of this thesis will be to evaluate the effectiveness of the “factory data reset” feature on smartphones. A detailed and comprehensive survey can benefit not only the forensic community, but also anyone who uses a smartphone. The end result will help illustrate the limits of privacy protection offered by factory-reset features. It can also contribute to improved smartphone security and privacy policies if vendors use this research to improve their products.

B. Research Questions

This thesis attempts to answer one primary question:

· How much user-generated data is left on a smartphone after using the mobile phone’s factory reset/wipe function?

Two secondary questions also need to be addressed:

· How much private/personal information can be extracted after the wipe?

· Can recovered data be used to identify or profile a user?

C. Thesis Structure

The remainder of the thesis is organized as follows. Chapter II will discuss prior work in mobile forensics and similar research work done under this topic. Chapter III will cover the process of forensics research and all hardware, software and computer environments used in these experiments. Chapter IV will cover experiments with some sample memory images. Chapter V will end with conclusions and propose future research work.

A. Growth of Smartphones and Mobile Computing

Mobile phones have become a significant consumer product in recent years. A telephone survey by Google Inc. of 2,000 adults in five countries [4] found that consumers own mobile phones more than any other mobile devices. As Table 3 depicts, the survey found that Japan has the highest adoption rate of mobile phones (96%), followed by the United Kingdom (87%).

 

| Device | United States | United Kingdom | France | Germany | Japan |
|---|---|---|---|---|---|
| Feature phone/Smartphone | 78% | 87% | 74% | 76% | 96% |
| Media player with web access | 24% | 17% | 23% | 12% | 30% |
| Tablet PC Slate/Pad | 9% | 4% | 3% | 3% | 5% |
| Handheld gaming device | 15% | 17% | 14% | 7% | 42% |
| eReader | 9% | 3% | 1% | 1% | 2% |

Table 2. Mobile Internet & Smartphone Adoption: October 2011 (from [4]).

A smartphone contains much of the functionality of a desktop PC, but it also includes radio communications capabilities that desktop PCs typically lack. Communication functionalities include GSM/CDMA radio, Near Field Communications, GPS, Wi-Fi and Bluetooth communication. The high mobility of these devices can be the most important factor in the shift from desktop/laptop computer to smartphones. Unlike laptops or desktop computers, a smartphone can easily fit in a pocket. It is a computer that is easy to use and small enough to be used almost anywhere. A user can browse the Internet, check email, use GPS navigation, and make online payments from personal bank accounts. Hence, a device this capable is also likely to contain personal user data.

There are various ways a user can protect his or her personal information on smartphones. Android and iOS phones can be set up to require a login password. Some phones include a data encryption method to protect sensitive data. Also, third-party developers market mobile protection/encryption software [5] that can be installed on both Android and iOS phones. The iPhone has hardware encryption enabled by default for all data stored in memory. There is also a Data Protection API provided by Apple that can be used to implement application-level encryption.

In addition, common smartphones on the market today include some kind of “factory reset” feature. A factory reset is similar to formatting a hard disk drive on a computer system, but the details differ. Formatting deletes all pre-existing partitions and data on the hard drive and creates a new file system. The factory reset is intended to remove everything except pre-installed software, deleting user data in particular.

The following is a list of data that should be erased by the factory reset [6], [7].

· User account information (including email address)

· User settings for the operating system and applications

· Downloaded third-party applications

· Downloaded music (.mp3s, .flac, and .aac)

· Downloaded images and photos taken by the camera (.jpg, .png)

· Other user data (address book/phone book/calendar data)

The data that should be left behind after a factory reset is:

· The operating system installed with the smartphone

· First-party software (the operating system and associated software of the main vendor) and software (by other vendors authorized by the main vendor) bundled with the operating system

· SD card files, as contrasted with files on the main flash memory on the phone

B. Prior Work

Very little academic research has been conducted regarding the correctness of the factory reset feature on smartphones. However, there have been numerous articles on technology websites discussing potential risks [8], [9], [10]. The following are examples of the kinds of data left behind after a factory reset, from the GottaBeMobile: Mobile News & Reviews website:

· Porn

· Court records

· Social Security Numbers

· Resumes

· College applications

· Cookies

· Child support documents

· Employee records

· Bank statements

· Credit card statements

· Tax returns

· Emails

· Contact lists

· Photos

The authors tested secondhand phones purchased through Craigslist, which they then reset using the factory feature. The article concluded that the factory-reset feature did not work as expected.

Another publication studied the effectiveness of the factory reset for network data structures left on an Android device [11]. The primary question was “Do sufficient residual artifacts exist on mobile devices to extract enough data to identify the device’s previous network access points?” The research used controlled data transfers between Android smartphones and multiple network access points (cellular, wireless, and Bluetooth). Residual data left on test devices included “userdata” partitions containing Service Set Identifiers (SSID), wireless-router Subscriber Identity Modules (SIM), DHCP ACKs from wireless routers, and base-station metadata that included the Mobile Network Code (MNC), Mobile Country Code (MCC), Local Area Code (LAC) and Cell Identification (CID), wireless router Media Access control (MAC) addresses, and Bluetooth MAC address of devices paired with the phone. It concluded that the factory-reset feature was not sufficient in deleting user-generated network data.

This thesis expands the research scope by analyzing all user-generated content. It analyzes all types of residual artifacts left behind after a factory reset.  


A. Computer Forensics

Computer forensic investigations follow a similar process to other forensic investigations [12]. The process involves acquisition, analysis and reporting of potential evidence involving criminal activity. The evidence can be collected from any type of storage media. Examples of storage media are:

· A hard disk drive from a computer system

· A CD/DVD/Blu-ray optical disk

· A MO magnetic disk

· A CF/SM/MMC memory card

· A mobile SIM card

· A USB flash memory

Forensic tools can be used to acquire data from storage media by physical or logical acquisition. Physical acquisition is a bit-by-bit copy of an entire physical store of data. Logical acquisition is a bit-by-bit copy of the logical storage object such as directories and files.

The National Institute of Standards and Technology provides guidelines for forensic data acquisition and specifications for forensic tools [13]. NIST’s Computer Forensics Tool Testing (CFTT) program establishes the methodology for testing computer forensic software. CFTT is part of the Software Diagnostics and Conformance Testing Division, which is supported by the Office of Law Enforcement Standards. The project provides a means to help understand the capability, limitations, and validity of computer forensics tools. The tools to be tested are broken up into several categories: disk imaging, forensic media preparation, write-blocking software, write-blocking hardware, and mobile devices.

Disk imaging is the process of making a secure forensically sound copy of digital media that can retain the data for an extended period. “Disk Imaging takes sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism to prove that the copy is exact and has not been altered.” [14].

Forensic media preparation is the practice of wiping the target media before storing forensics data onto the forensics examiner’s computer. A hard disk drive is usually used as a target media to store collected data. A wiping process prevents collected data on the target media from being “contaminated” by previously collected evidential data. A wipe should completely delete the existing data by overwriting all writable parts of the media. The Unix “dd” command is a common utility used to wipe storage media [15], and it can also be used to wipe data from internal flash memory in mobile phones.

Write blockers are write-protection utilities used in the acquisition of digital forensic data. These utilities enable examiners to create images of media devices without the risk of accidentally writing to the subject media and thereby altering the contents [16].

Several forensic techniques have been developed to help investigations such as string search, memory forensics, file extraction, feature extraction, and cross-drive analysis [17], [18], [19], [20]. These techniques increase the utility of captured data in forensics analysis. Memory forensics analyzes information stored on volatile memory, internal memory inside a computer or mobile device that requires power to maintain. The data stored in the memory changes frequently while the computer or mobile device is operational, which makes it hard to verify the data collected from memory. This can lead to problems if the examiner wants to run the acquisition process more than once [21]. 

String searching is a process of locating specific ASCII or Unicode strings from text files and directories. These strings can be names, phone numbers, email addresses, country codes, IP addresses, or software installed on a system. The examiner can look for any type of key terms or single words, but it can also help spot patterns in a system. Regular expressions can be used to describe patterns in a string. An example regular expression is “/^[a-z0-9_-]/” which will match any string that begins (^) with a single character from the set of lower case letters (a-z), digits (0-9), the underscore, and the hyphen.

 

B. Mobile Forensics

Mobile forensics has its own set of acquisition tools [22], [23], [24]. Imaging, forensic extraction, memory forensics, and string searching can all be applied to mobile forensics investigations. However, there are some differences. Hard disk drives can easily be removed from a computer system for data acquisition and analysis, and during this process the hard disk drives can be protected using a write blocker utility. A mobile device cannot be processed the same way because the internal flash memory is usually soldered onto the circuit board, and removing the flash memory may damage it. Most mobile forensics tools do not require the flash memory to be removed, but connect the phone directly into a forensics hardware tool, or plug the phone into a computer system running the forensics software [25]. The mobile phone architecture is also different from a standard desktop computer. The mobile hardware supports various radio communications like GSM/CDMA, GPS, Wi-Fi, NFC and Bluetooth. This radio communication capability will generate additional user data on the smartphone. The GSM/CDMA and GPS radios store geolocation data. Wi-Fi, NFC and Bluetooth may store user account login information and passwords. User data are locally stored on the smartphone’s flash memory.

C. Mobile Forensic Tool Cellebrite UFED

A commercial forensics tool from Cellebrite was used for the data extraction process in our experiments. The Cellebrite UME-36 Pro is a standalone phone-memory transfer and backup solution that is capable of extracting data from a wide variety of mobile devices [26]. There are three key components for this forensics tool:

· Cellebrite UME-36 Pro – Universal Memory Exchanger 1.2.2.3

· Cellebrite UFED Physical Analyzer 3.7.2.0

· Cellebrite Phone Detective 1.2

The UME-36 Pro enables logical, password, SIM, file-system, and physical extractions of data from mobile devices. It is a hardware solution for data extraction. The extracted data can be viewed and analyzed with the UFED Physical Analyzer software. UME-36 Pro claims to extract the following data from a smartphone [27]:

· Call logs

· Contacts

· Email

· Pattern locks

· Bookmarks

· Cookies

· Text strings from Short Message Service (SMS) / Multimedia Messaging Service (MMS)

· Chat messages

· Location data including cell tower locations and usage

· Web browser history including records of visited websites

· Digital photography, digital videos, and audio files

· Text files

· Deleted data

· Wi-Fi including connection times, base service set identifications (BSSId), service set identifiers (SSID), and Security Modes

· GPS information added to media files (geotags)

The UFED Physical Analyzer is software for physical extraction. This extraction creates a single binary extraction file for each embedded flash memory chip, or at least by the address range used by the mobile device.  Unlike logical extraction, physical extraction can bypass the device’s operating system and extract data directly from the mobile device’s internal flash memory. The UFED-extracted data from the device is saved into a hexadecimal file that is later read and decoded using the UFED Physical Analyzer application. The images created from the physical extraction process include files deleted by the operating system or user. The images are saved with an .ufd extension. It provides an overview of the mobile-device data with decoding, analysis, and report generation [28].

The Cellebrite Phone Detective application helps investigators identify a mobile phone by its physical attributes, eliminating the need to start the device and risk device lock or possible data loss. It asks eight key questions regarding the phone’s physical appearance. It provides the user with a detailed extraction capability per device, connectivity details and device characteristics [29]. The eight visual elements used to identify the device are:

· Phone type (candy bar, clamshell, slider, tablet)

· Body (connection port, cable, charging socket)

· Power button (power, volume, camera, keypad)

· Miscellaneous (battery cover type, memory card slot)

· Basic (Brand logo: Apple, HTC, Acer, LG / network technology: GSM, CDMA)

· Camera (type, location, flash)

· Display type (touch, non-touch, stylus)

D. Mobile Forensic Tool Bulk Extractor

The forensics software Bulk Extractor (bulk_extractor-1.4.1-windowsinstaller.exe) [30] was also used for analysis of recovered files. Bulk Extractor is a carving and feature extraction tool that can be used on all kinds of digital media. It can scan disk images (raw, split-raw, EnCase E01, AFF), files and directories to extract useful information without parsing the file system or file system structures. The program can extract phone numbers, email addresses, credit card numbers and URLs from inspection of file contents of any file or file fragments. It can also collect data from files compressed with the ZIP and gzip algorithms. The extractor is run on a file system and creates a report directory with feature files (e.g., email.txt, url.txt). Each feature file contains the location where the feature was found, the feature itself, and the feature surrounded by its local context. The tool is generally used for file identification and cross-drive analysis [31].
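The string searching and feature extraction described in the two sections above can be sketched as follows. This is an added example, not code from the thesis or from Bulk Extractor: the three feature patterns are simplified assumptions, the names `scan`, `feature_files` and `PAGE_PATTERN` are hypothetical, and the sample image is constructed. It scans raw bytes without parsing a file system, handles both ASCII and UTF-16LE strings, and reports each hit as offset, feature and context.

```python
import re
from collections import namedtuple

Feature = namedtuple("Feature", "offset kind encoding value context")

# The pattern quoted in the text: anchored at the start of the string, it
# accepts ONE leading character from the class [a-z0-9_-].
PAGE_PATTERN = re.compile(r"^[a-z0-9_-]")

# Simplified feature patterns (assumptions for this example; Bulk Extractor's
# own scanners are far more thorough).
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "url": re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+"),
    "phone": re.compile(rb"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
}

# Six or more printable characters stored as UTF-16LE (each followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def printable(raw):
    """Render bytes for a report: non-printable bytes become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def scan(image, context=8):
    """Return the features found in a raw image, sorted by byte offset."""
    found = []

    def record(start, end, kind, encoding, value):
        window = image[max(0, start - context):end + context]
        found.append(Feature(start, kind, encoding, value.decode("ascii"),
                             printable(window)))

    # Pass 1: 8-bit (ASCII) strings, matched directly on the raw bytes.
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(image):
            record(m.start(), m.end(), kind, "ascii", m.group())

    # Pass 2: UTF-16LE strings. Drop the interleaved zero bytes, match, then
    # map the match positions back to byte offsets in the image.
    for run in UTF16_RUN.finditer(image):
        narrow = run.group()[0::2]
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(narrow):
                record(run.start() + 2 * m.start(), run.start() + 2 * m.end(),
                       kind, "utf16le", m.group())

    return sorted(found)


def feature_files(features):
    """Group features into per-kind reports: offset, feature, context."""
    files = {}
    for f in features:
        line = f"{f.offset}\t{f.value}\t{f.context}"
        files.setdefault(f"{f.kind}.txt", []).append(line)
    return files


# Constructed sample "image": padding, an ASCII e-mail address, a UTF-16LE URL
# and an ASCII phone number. None of it comes from a real device.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"to=alice@example.com;"
    + b"\xff" * 5
    + "http://example.org/a.pdf".encode("utf-16-le")
    + b"\x00\x00"
    + b"call (831) 555-0100 now"
    + b"\xff" * 8
)

if __name__ == "__main__":
    for name, lines in sorted(feature_files(scan(SAMPLE_IMAGE)).items()):
        print(name)
        for line in lines:
            print("  " + line)
```

A plain ASCII search would miss the URL in this sample, because it is stored as UTF-16LE; the second pass is what recovers it.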

E. Other Mobile Forensics Tools Tested

Several other forensics tools were tested for this research project before we selected Cellebrite. Some that offer similar features to the Cellebrite UFED tools were as follows.

viaExtract: This is a mobile forensics tool developed and distributed by viaForensics [32]. It is designed for extracting and analyzing data from Android smartphones. It is distributed as a standalone virtual appliance that runs on a VMware workstation. The pre-installed extraction tools could not properly analyze several Android phones. It would often return an error during the extraction process on our test phones.

Key features:

· Temporarily or permanently remove a password/pattern/PIN lock on an Android device running OS 2.2 or higher.

· Allow the examiner to forensically image external (SD) and internal (EMMC) storage cards directly from the device.

· Allow examiners an additional bypass option on gesture key locked devices.

Oxygen Forensic Suite 2013: This forensics suite is developed and distributed by Oxygen Software [33]. The company specializes in forensic data examination tools for smartphones and mobile devices. The program performed fairly well and could recover a large number of files (images, video, system files, logs).

Key features:

· Displays complete technical information about the mobile device.

· Extracts user contact information with all its data: name, occupation, phone numbers, addresses, emails, notes.

· Extracts event log data, phonebook, messages (SMS, MMS, Emails, iMessages).

· File browser analyzes user phones, videos, documents and device databases.

Recuva: This is a free program developed and distributed by Piriform [34]. It is a disk recovery tool that is capable of extracting files deleted or damaged on media devices. The program can recover a large number of files from the internal flash memory of a smartphone. However, the program does not provide an analysis tool for the recovered data. This makes the file analysis very difficult. Several files could not be opened or viewed with the program.

Key features:

· Undelete files.

· Recover damaged or formatted disks.

· Recover deleted emails.

· Recover deleted iPod music.

· Restore unsaved documents.

· Perform deep scan.


 


A. Controlled Experiment with Two Smartphones

Two smartphones were used for a controlled experiment: an Apple iPhone 4S and a Samsung Galaxy SIII. The following protocol was used to artificially generate data under a controlled environment.

· Log into the Android phone with the account [email protected], and the iPhone with the account [email protected]

· Connect to NPS wireless network (NGSTV224) and visit 4 websites using default browser

1. Nps.edu

2. Fark.com

3. Yahoo.com

4. Npr.org

· Take six pictures with built in camera: 6 pictures of the numbers 1, 2, 3, 4, 5, 6. First 3 image files are left unaltered. Second 3 image files manually renamed:

o testschwamm_pic_4

o testschwamm_pic_5

o testschwamm_pic_6

· Access files and links from the following website:

http://faculty.nps.edu/ncrowe/testschwamm0114__doc_sample.docx

http://faculty.nps.edu/ncrowe/testschwamm0114__pdf_sample.pdf

http://faculty.nps.edu/ncrowe/testschwamm0114__ppt_sample.pptx

http://faculty.nps.edu/ncrowe/testschwamm0114__wav_sample.wav

http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html

http://faculty.nps.edu/ncrowe/testschwamm_0114_pics.html

http://faculty.nps.edu/ncrowe/testschwamm_0114_video.html

http://faculty.nps.edu/ncrowe/testschwamm0114_feat.html

· Install the following list of software for Android phones:

“Reddit is fun”

https://play.google.com/store/apps/details?id=com.andrewshu.android.reddit&hl=en

Visit 3 postings on www.reddit.com

o “ELI5: The Amanda Knox Appeal” http://www.reddit.com/r/explainlikeimfive/comments/1wlin9/eli5_the_amanda_knox_appeal/

o “Why are the wheels of NASA’s Mars rover, Curiosity, wearing out?” http://www.reddit.com/r/askscience/comments/1wnb8s/why_are_the_wheels_of_nasas_mars_rover_curiosity/

o “Hey, I am Nikki Sixx from Motley Crue, AMA” http://www.reddit.com/r/IAmA/comments/1wnsxv/hey_i_am_nikki_sixx_from_m%C3%B6tley_cr%C3%BCe_ama/

“Facebook”

https://play.google.com/store/apps/details?id=com.facebook.katana&hl=en

Login and browse.

“Google Drive”

https://play.google.com/store/apps/details?id=com.google.android.apps.docs&hl=en

Login/sync and open 3 files

o testschwamm_ppt1.pptx

o testschwamm_ppt2.pptx

o testschwamm_ppt3.pptx

“DropBox”

https://play.google.com/store/apps/details?id=com.dropbox.android&hl=en

Login/sync and open 3 files

o testschwamm_doc1.docx

o testschwamm_doc2.docx

o testschwamm_doc3.docx

“Youtube”

https://play.google.com/store/apps/details?id=com.google.android.youtube&hl=en

Login and watch 3 videos

o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0

o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA

o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

“Audible”

https://play.google.com/store/apps/details?id=com.audible.application&hl=en

Login and download/listen to 3 excerpts

o Bossypants (Excerpt)

o The Hunger Games (Excerpt)

o Matterhorn (Excerpt)

“Kindle”

https://play.google.com/store/apps/details?id=com.amazon.kindle&hl=en

Login and open 3 PDF files

o testschwamm_article1.pdf

o testschwamm_article2.pdf

o testschwamm_article3.pdf

· Upload a text document ‘testschwamm_password.txt’ to root directory of each phone.

· Upload zip file containing above text named ‘testschwamm_userdata.zip’ to root directory of each phone

· Use the following list of pre-installed software on iPhone:

“Youtube”

Login and watch 3 videos

o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0

o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA

o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

“Notes”

Create 3 note entries

o DVD Movie List

o Shopping List

o Test date and homework due date

“Remind Me”

Create 3 reminders with different dates

o ‘Reminder 1’ ‘02/01/2014 5:00PM’

o ‘Reminder 2’ ‘03/03/20145 7:00AM’

o ‘Reminder 3’ ‘04/05/2014 11:00AM’

The phones were not password protected by the user and no data was intentionally encoded or encrypted by the phone. Following use, a factory reset was performed through the phone’s setup menu under “Privacy” or “Backup & Reset”. The reset menu lists all data that will be erased in the process (User account, system and application data and settings, downloaded applications, music, pictures and other user data). The user did not have any selectable options for the reset on any of the phones. The process takes a few minutes after which the phone restarts and resumes normal operation.

Following factory reset, the phones were imaged with the UME-36 Pro and UFED Physical Analyzer. All images were saved in the tool’s proprietary format (.ufd).

A total of 61,276 files were recovered from the pre-wipe for the iPhone and 43,165 from the post-wipe. 42,728 files matched path and contents from both pre-wipe and post-wipe. Partial matches were deleted which produced 17,914 pre-reset files and 115 post-reset files that did not match. 36,292 files had a zero size from the pre-wipe and 36,319 files had zero size from the post-wipe. Executable “.app” files found pre-wipe were 24,862, and 8,062 post-wipe. Files relating to the operating system were 29,812 pre-wipe and 27,621 post-wipe. 

Overall, the reset did a good job of removing third-party software. All the picture images and text documents were deleted by the reset with the exception of some cache and settings information (YouTube, Facebook).

The Bulk Extractor was used for string search. A number of preference and configuration files were recovered after the reset but none containing the keywords. “Preferences” can include private user information [35], but none were seen in the “.plist” preference files.  Table 3 lists some sample files remaining after the reset that could be interesting for forensic investigations. The indirect information can be collected and used to profile a user. A forensic investigator could determine where and how the device was used.


 

| File | Description |
|---|---|
| System/InnsbruckTaos11B554a.N90OS/System/Library/PrivateFrameworks/Preferences.framework/SupplementalLocaleData.plist | Location and language settings |
| System/InnsbruckTaos11B554a.N90OS/usr/share/mecabra/ja/rerank.dat | Resource rankings? |
| Data/Data/Keychains/keychain-2.db | Keys |
| Data/Data/logs/lockdownd.log | Security event log |
| Data/Data/mobile/Applications/B8AD4B05-2518-4570-8447-7BE2BFDA8F9F/Library/Preferences/com.apple.mobilesafari.plist | Browser preferences |
| Data/Data/mobile/Library/BulletinBoard/SectionInfo.plist | Bulletin board index |
| Data/Data/mobile/Library/Caches/com.apple.springboard/Cache.db-wal | Screen cache for user "wal" |
| Data/Data/mobile/Library/Cookies/com.apple.itunesstored.2.sqlitedb | Cookies for iTunes |
| Data/Data/mobile/Library/Mail/Content Index | Mail keywords |
| Data/Data/mobile/Library/Maps/Bookmarks.plist | Map bookmarks |
| Data/Data/mobile/Library/Preferences/com.apple.identityservicesd.plist | Account information |
| Data/Data/mobile/Media/PhotoData/changes-shm | Incremental photo data |
| Data/Data/root/Library/Caches/locationd/consolidated.db | Location data |
| Data/Data/tmp/MediaCache/diskcacherepository.plist | Disk cache information |

Table 3. Sample files from post-wipe iPhone

A total of 5,141 files were recovered from the pre-wipe for the Android phone and 3,578 from the post-wipe. 3,292 files matched path and content from both pre-wipe and post-wipe. Partial matches were deleted which produced 968 pre-wipe and 65 post-wipe that did not match. 227 files had a zero size from the pre-wipe and 278 files had zero size from the post-wipe. Executable “.apk” files found pre-wipe were 396, and 277 post-wipe. Other executable files such as “.dex” files went from 140 pre-wipe to 121 post-wipe, and “.so” files from 302 to 254. The reset did not delete any picture images taken with the camera. None of the created text files (.txt, .doc, .pdf, .ppt) was removed. Cache and deleted copies of these files and image components were also not erased. Third-party applications were deleted. However, following the wipe we could recover files from the Kindle and DropBox applications that belonged to the user. These files should have been deleted along with the application. The fact that files from deleted applications were found post-wipe implies that the wipe process explicitly deleted files, a topic that we will return to in Chapter V.

The Bulk Extractor was used again for additional string search. Website links were all deleted in the reset. However, the links for the four visited websites were found in various files pre-wipe. A total of 116 links were found pre-wipe. It is unclear why there were so many duplicate links saved on the phone. The wipe left most of the operating system files intact just like the iPhone reset. Table 4 lists some sample files remaining after the reset that could be interesting for forensic investigations.

| File | Description |
| --- | --- |
| CACHE/Root/recovery/last_log | Recovery log |
| SYSTEM/Root/addon.d/blacklist | Four MD5 hash values |
| SYSTEM/Root/etc/apns-conf.xml | Phone carrier IP address |
| SYSTEM/Root/etc/audio_policy.conf | Attached audio devices listing |
| SYSTEM/Root/etc/gps.xml | GPS settings |
| USERDATA/Root/backup/pending/journal2114683955.tmp | Data backup |
| USERDATA/Root/data/com.android.providers.calendar/databases/calendar.db | Calendar data |
| USERDATA/Root/data/com.android.deskclock/databases/alarms.db | Alarm data |
| USERDATA/Root/media/0/amazonmp3/temp/log.txt | Log file of Amazon Cloud Player |
| USERDATA/Root/media/0/Android/data/com.andrew.apollo/cache/ImageCache/3910b1e0ccab19bc46fd9db27cca49c9.0 | Image cache data |
| USERDATA/Root/media/0/iPhone3G.2013-11-07.16-39-30/Email/108/478/1256.sql | Database script of ours, unclear how it got here |
| USERDATA/Root/misc/wifi/softap.conf | Access point data |
| USERDATA/Root/system/users/userlist.xml | User ID information |
| USERDATA/Root/drm/fwdlock/kek.dat | Lock data |
| USERDATA/Root/media/0/Android/data/com.dropbox.android/files/scratch/09thesis_regan.pdf | Document of previous phone user |

Table 4. Sample files from post-wipe Android phone

Some smartphones provide several variations for reset. A “hard reset” can be performed by using the hardware keys (by a procedure specific to each device). Newer iPhones provide the additional reset options “Reset All Settings,” “Reset Network Settings,” “Reset Keyboard and Dictionary,” “Reset Home Screen Layout,” and “Reset Location and Memory.” All of these options were used and a new post-wipe image was generated. These options deleted an additional 222 files from the phone but did not delete any files listed in Table 3. The additional reset options did not produce any significant further deletions.

The hard reset on the Android phone gave an additional option for a “cache reset”. This option was used and a new post-wipe image was generated just like the iPhone. It did not delete any text and media files put on the device; it only deleted the sixth file of the files in Table 4. Four files with the “db” extension were deleted. The reset added an additional six files (two Bluetooth cache, four “telephony”), but did not do much beyond the regular reset.

B. Experiment and Data Extraction

Two sets of smartphones were used for the main experiment. The first set of Apple iPhone images was created by the UME-36 Pro and UFED Physical Analyzer. These images were taken from the Real Data Corpus [36], a large-scale forensic corpus. All images were generated from legally obtained smartphones used by real people. The second set was of various smartphones (iPhone, Android, Blackberry) that had been used for other research projects at our school. These phones did not have a SIM card installed on them. SIM cards contain a unique identification number associated with the user’s mobile account and contain the phone number, security data and billing information; phone calls cannot be made without a SIM card, but otherwise the phone will function normally. A few of the phones came with a custom Android operating system (CyanogenMod 10.1), a custom aftermarket firmware based on the Android Open Source Project [37] [38]. The same protocol was used to generate data but no accounts were associated with the Blackberry phones. A Python script was written to convert the Cellebrite proprietary XML report format to the forensic metadata standard DFXML [39]. A taxonomy created [40] was used to classify files by extension and directory path. The full list of smartphones and the status is listed in Table 5.

 

| # | Smartphone | OS Version | Readiness |
| --- | --- | --- | --- |
| I1 | Apple iPhone 4 | iOS 5.1.1 | OK |
| I2 | Apple iPhone 4 | iOS 5.1.1 | OK |
| I3 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I4 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I5 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I6 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I7 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I8 | Apple iPhone 2 | iOS 3.0 | OK |
| I9 | Samsung Galaxy SIII | CyanogenMod 10.1 | Hard reset |
| A10 | Samsung Nexus | CyanogenMod 10.1 | OK |
| A11 | Samsung Galaxy Anycall | Android 1.5 | OK |
| A12 | Motorola Atrix 4G | Android 2.2 | OK |
| A13 | HTC Droid Eris | Android 2.1 | OK |
| A14 | HTC Magic | Android 1.6 | Hard reset |
| A15 | HTC Flyer (tablet) | Android 3.2 | OK |
| A16 | HTC One | Android 4.1 | OK |
| B17 | BlackBerry 8900 Curve | BlackBerry OS 4 | Unusable after reset |
| I18 | Apple iPhone 4S | iOS 5.1.1 | OK |
| I19 | Apple iPhone 2G | iOS 3.13 | Unusable without SIM card |
| B20 | BlackBerry 8100 Pearl | BlackBerry OS 4.5.0.174 | OK |
| B21 | BlackBerry 8300 Curve | BlackBerry OS 4.5.0.162 | OK |
| A22 | Motorola FIRE | Android 2.3.4 | Unrecognized by Cellebrite |
| A23 | Huawei U8500 | Android 2.1 | OK |
| A24 | Huawei U8150 IDEOS Comet | Android 2.2 | Unusable after reset |
| A25 | Dell XCD35 | Android 2.2 | OK |
| I26 | Apple iPhone 2 | iOS 3.1.3 | Unusable after reset |
| A27 | Motorola Charm | Android 2.1 | Totally dead |
| p28 | LG-500GHL | Unknown | Unrecognized by Cellebrite |

Table 5. Full list of smartphones and status (from [41], [42]).

Table 6 lists the total counts of pre-wipe and post-wipe files. A large number of files were not affected by the reset. There were four types of partial matches between pre-wipe and post-wipe files (file name and hash, hash only, file path only, path ignoring digits). Several unmatched files were found post-wipe which appear to be new records created by the operating system’s activity and the reset feature. The factory reset does not completely wipe a device. Several files are removed during the reset but others are just renamed and additional new files are added after the reset.


 

| File count type | Pre-reset | Post-reset |
| --- | --- | --- |
| Total files | 349,915 | 200,987 |
| iPhone files | 299,058 | 176,907 |
| Android files | 50,846 | 24,058 |
| Exact matches pre-wipe and post-wipe | 140,320 | 140,320 |
| Subsequent matches on filename and hash value but not all directories | 34,228 | 36,540 |
| Subsequent matches on hash value alone | 9,269 | 12,911 |
| Subsequent matches on full path alone | 2,849 | 2,836 |
| Subsequent matches on full path ignoring digits alone | 6,448 | 256 |
| Remaining unmatched | 156,801 | 8,124 |

Table 6. Summary data from 21 smartphones
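The matching passes summarised in Table 6, as an added Python example (not the thesis author's script): it compares a pre-reset and a post-reset file inventory in the order exact match, filename and hash, hash only, full path only, path ignoring digits. The inventories are constructed sample data, and two choices are assumptions of this example: matching is set-based, so one pre-reset file can match several post-reset copies, and zero-size files are kept out of the hash-based passes because they all share one digest.

```python
import hashlib
import posixpath
import re
from collections import namedtuple

# One inventory row per recovered file: full path, content digest, size in bytes.
FileRec = namedtuple("FileRec", "path digest size")

def rec(path, content):
    """Build an inventory row from constructed sample content."""
    return FileRec(path, hashlib.sha1(content).hexdigest(), len(content))

def _by_hash(parts):
    """Hash-based key; returns None for empty files so they are never matched on hash."""
    def key(r):
        return None if r.size == 0 else parts(r)
    return key

# Passes run in this order; each sees only what earlier passes left unmatched.
PASSES = [
    ("exact path and hash", lambda r: (r.path, r.digest)),
    ("filename and hash", _by_hash(lambda r: (posixpath.basename(r.path), r.digest))),
    ("hash only", _by_hash(lambda r: r.digest)),
    ("full path only", lambda r: r.path),
    ("path ignoring digits", lambda r: re.sub(r"\d+", "", r.path)),
]

def cascade_match(pre, post):
    """Return ({pass name: (pre count, post count)}, unmatched pre, unmatched post)."""
    counts = {}
    for name, key in PASSES:
        shared = ({key(r) for r in pre} & {key(r) for r in post}) - {None}
        counts[name] = (sum(key(r) in shared for r in pre),
                        sum(key(r) in shared for r in post))
        pre = [r for r in pre if key(r) not in shared]
        post = [r for r in post if key(r) not in shared]
    counts["remaining unmatched"] = (len(pre), len(post))
    return counts, pre, post

# Constructed inventories; paths only imitate the layout of Table 4.
PRE = [
    rec("SYSTEM/Root/etc/gps.xml", b"<gps/>"),
    rec("USERDATA/Root/media/0/DCIM/IMG_0001.jpg", b"jpeg-bytes"),
    rec("USERDATA/Root/data/notes/draft.txt", b"meeting notes"),
    rec("USERDATA/Root/system/users/userlist.xml", b"<users v='1'/>"),
    rec("USERDATA/Root/backup/pending/journal2114683955.tmp", b"old journal"),
    rec("USERDATA/Root/data/com.example.app/files/report.pdf", b"%PDF"),
    rec("USERDATA/Root/data/a/empty.log", b""),
]
POST = [
    rec("SYSTEM/Root/etc/gps.xml", b"<gps/>"),
    rec("USERDATA/Root/media/0/lost/IMG_0001.jpg", b"jpeg-bytes"),
    rec("USERDATA/Root/media/0/thumbs/IMG_0001.jpg", b"jpeg-bytes"),
    rec("USERDATA/Root/media/0/cache/f3a9.bin", b"meeting notes"),
    rec("USERDATA/Root/system/users/userlist.xml", b"<users v='2'/>"),
    rec("USERDATA/Root/backup/pending/journal77.tmp", b"new journal"),
    rec("CACHE/Root/recovery/last_log", b"recovery log"),
    rec("USERDATA/Root/data/b/other.dat", b""),
]

if __name__ == "__main__":
    counts, gone, new = cascade_match(PRE, POST)
    for name, (n_pre, n_post) in counts.items():
        print(f"{name:24} pre={n_pre} post={n_post}")
    print("removed by reset:", [r.path for r in gone])
    print("new after reset: ", [r.path for r in new])
```

The unmatched pre-reset rows are what the reset actually removed, and the unmatched post-reset rows are files it created; everything matched in a partial pass is content or a location that survived in some form.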

The file taxonomy was used to further investigate what types of files are being removed in the reset. The full results are listed in Table 7. Each file path is classified by file extension (E) and directory name of the file (D). 8,346 extensions and 6,445 directory names have a classification. The rest are labeled as “miscellaneous”. Extensions that are longer than 10 characters are ignored.

The reset appears to focus on video and picture images, text documents, copies and temporary files, disk images, log files, XML documents and gaming applications. There is a smaller emphasis on database files, compressed data, audio, source code and data directories. The reset seems to target applications, picture images and temporary files, but is not as focused on long-term user data. The reset does not remove explicitly deleted and zero-size files (which have no content but do have filename and dates). Zero-size files may not be useful for the applications, but could provide partial user information. An empty log file could indicate the user is not using a particular category or parameter in an application.

A clear time pattern could not be created because the phones were used in various time periods. The Physical Analyzer software also created some issues while analyzing the recovered data. Different versions of the Physical Analyzer would produce different results from the same image. The file access and creation time would be reported differently depending on the Physical Analyzer version, and the root directory name would change between two different Physical Analyzer versions.

 

| Type of file extension (E) or directory (D) | Pre-wipe | Post-wipe |
| --- | --- | --- |
| E: No extension | 36561 | 21078 |
| E: Operating system | 106168 | 104406 |
| E: Graphics | 98618 | 27522 |
| E: Camera pictures | 15443 | 3967 |
| E: Temporaries | 733 | 159 |
| E: Web pages | 1418 | 680 |
| E: Documents | 3089 | 1233 |
| E: Database | 5627 | 2377 |
| E: Spreadsheets | 425 | 356 |
| E: Compressed | 601 | 278 |
| E: Audio | 16427 | 8313 |
| E: Video | 303 | 90 |
| E: Source code | 1791 | 736 |
| E: Executable | 3432 | 2856 |
| E: Disk image | 13828 | 1932 |
| E: Log | 599 | 73 |
| E: Copies and backup | 7347 | 905 |
| E: XML | 5193 | 1045 |
| E: Configuration | 20788 | 18379 |
| E: Games | 3741 | 1048 |
| E: Miscellaneous | 7307 | 3536 |
| D: Root | 1012 | 966 |
| D: Operating system | 122625 | 117701 |
| D: Hardware | 1128 | 319 |
| D: Temporaries | 12141 | 2928 |
| D: Pictures | 17950 | 4328 |
| D: Audio | 10812 | 7814 |
| D: Video | 2570 | 0 |
| D: Web | 2714 | 277 |
| D: Data | 18300 | 9771 |
| D: Programs | 3616 | 2876 |


I. Introduction

A. Mobile Devices, Applications, and User Data

There has been significant growth in personal smartphone devices. In June 2013, the Google Android smartphone held 51.8% of the market, the highest share in the U.S. (Table 1) [1]. Apple iOS maintained the second largest share at 40.6%, followed by BlackBerry at 3.4% and Microsoft at 3.1% [1]. Symbian still holds a 0.2% market share but has been discontinued by Nokia. The last Symbian smartphone was shipped in mid-2012, according to the company’s 2012 Interim Report [2].

Top Smartphone Platforms
3 Month Avg. Ending Dec. 2013 vs. 3 Month Avg. Ending Sep. 2013
Total U.S. Smartphone Subscribers Age 13+
Source: comScore MobiLens

Share (%) of Smartphone Subscribers

| Platform | Sep-13 | Dec-13 | Point Change |
| --- | --- | --- | --- |
| Android | 51.8% | 51.5% | -0.3 |
| Apple | 40.6% | 41.8% | 1.2 |
| BlackBerry | 3.8% | 3.4% | -0.4 |
| Microsoft | 3.3% | 3.1% | -0.2 |
| Symbian | 0.3% | 0.2% | -0.1 |
| Total Smartphone Subscribers | 100.0% | 100.0% | |

Table 1. Top Smartphone Platforms (from [1]).

Mobile phones use flash memory [3] to store the base mobile operating system (OS), applications (apps), and user data. First-party applications are software created by the operating-system provider. For example, the Android smartphone includes a phonebook, a calendar and text-messaging applications created by Google’s own software-development team. Third-party applications are created by developers other than the provider of the mobile operating system.

The internal flash memory of a mobile device contains several types of user-generated information such as phone numbers, addresses, Short Message Service (SMS) text messages, and cell data. These data can be extracted with the use of digital forensics tools and used to profile a user’s activity. Digital forensics is a branch of forensic science that investigates digital information stored in various electronic media. It can help investigate cybercrime, computer-based terrorism, and computer hacking involving digital environments.

All smartphones provide a way to erase (reset) personal information from flash memory. The main focus of this thesis will be to evaluate the effectiveness of the “factory data reset” feature on smartphones. A detailed and comprehensive survey can benefit not only the forensic community, but also anyone who uses a smartphone. The end result will help illustrate the limits of privacy protection offered by factory-reset features. It can also contribute to improved smartphone security and privacy policies if vendors use this research to improve their products.

B. Research Questions

This thesis attempts to answer one primary question:

· How much user-generated data is left on a smartphone after using the mobile phone’s factory reset/wipe function?

Two secondary questions also need to be addressed:

· How much private/personal information can be extracted after the wipe?

· Can recovered data be used to identify or profile a user?

C. Thesis Structure

The remainder of the thesis is organized as follows. Chapter II will discuss prior work in mobile forensics and similar research work done under this topic. Chapter III will cover the process of forensics research and all hardware, software and computer environments used in these experiments. Chapter IV will cover experiments with some sample memory images. Chapter V will end with conclusions and propose future research work.

A. Growth of Smartphones and Mobile Computing

Mobile phones have become a significant consumer product in recent years. A telephone survey by Google Inc. of 2,000 adults in five countries [4] found that consumers own mobile phones more than any other mobile devices. As Table 3 depicts, the survey found that Japan has the highest adoption rate of mobile phones (96%), followed by the United Kingdom (87%).

 

| Device | United States | United Kingdom | France | Germany | Japan |
| --- | --- | --- | --- | --- | --- |
| Feature phone/Smartphone | 78% | 87% | 74% | 76% | 96% |
| Media player with web access | 24% | 17% | 23% | 12% | 30% |
| Tablet PC Slate/Pad | 9% | 4% | 3% | 3% | 5% |
| Handheld gaming device | 15% | 17% | 14% | 7% | 42% |
| eReader | 9% | 3% | 1% | 1% | 2% |

Table 2. Mobile Internet & Smartphone Adoption: October 2011 (from [4]).

A smartphone contains much of the functionality of a desktop PC, but it also includes radio communications capabilities that desktop PCs typically lack. Communication functionalities include GSM/CDMA radio, Near Field Communications, GPS, Wi-Fi and Bluetooth communication. The high mobility of these devices can be the most important factor in the shift from desktop/laptop computer to smartphones. Unlike laptops or desktop computers, a smartphone can easily fit in a pocket. It is a device that is easy to use and small enough to be used almost anywhere. A user can browse the Internet, check email, use GPS navigation, and make online payments from personal bank accounts. Hence, a device this capable is also likely to contain personal user data.

There are various ways a user can protect his or her personal information on smartphones. Android and iOS phones can be set up to require a login password. Some phones include a data encryption method to protect sensitive data. Also, mobile protection/encryption software marketed by third-party developers [5] can be installed on both Android and iOS phones. The iPhone has hardware encryption enabled by default for all data stored in memory. There is also a Data Protection API provided by Apple that can be used to implement application-level encryption.

In addition, common smartphones on the market today include some kind of “factory reset” feature. A factory reset is similar to formatting a hard disk drive on a computer system, but the details differ. Formatting deletes all pre-existing partitions and data on the hard drive and creates a new file system. The factory reset is intended to remove everything except pre-installed software, deleting user data in particular.

The following is a list of data that should be erased by the factory reset [6], [7].

· User account information (including email address)

· User settings for the operating system and applications

· Downloaded third-party applications

· Downloaded music (.mp3, .flac, and .aac)

· Downloaded images and photos taken by the camera (.jpg, .png)

· Other user data (address book/phone book/calendar data)

The data that should be left behind after a factory reset is:

· The operating system installed with the smartphone

· First-party software (the operating system and associated software of the main vendor) and software (by other vendors authorized by the main vendor) bundled with the operating system

· SD card files, as contrasted with files on the main flash memory on the phone

B. Prior Work

Very little academic research has been conducted regarding the correctness of the factory reset feature on smartphones. However, there have been numerous articles on technology websites discussing potential risks [8], [9], [10]. The following are examples of the kinds of data left behind after a factory reset, from the GottaBeMobile: Mobile News & Reviews website:

· Porn

· Court records

· Social Security Numbers

· Resumes

· College applications

· Cookies

· Child support documents

· Employee records

· Bank statements

· Credit card statements

· Tax returns

· Emails

· Contact lists

· Photos

The authors tested secondhand phones purchased through Craigslist, which they then reset using the factory feature. The article concluded that the factory-reset feature did not work as expected.

Another publication studied the effectiveness of the factory reset for network data structures left on an Android device [11]. The primary question was “Do sufficient residual artifacts exist on mobile devices to extract enough data to identify the device’s previous network access points?” The research used controlled data transfers between Android smartphones and multiple network access points (cellular, wireless, and Bluetooth). Residual data left on test devices included “userdata” partitions containing Service Set Identifiers (SSID), wireless-router Subscriber Identity Modules (SIM), DHCP data from wireless routers, and base-station metadata that included the Mobile Network Code (MNC), Mobile Country Code (MCC), Local Area Code (LAC) and Cell Identification (CID), wireless router Media Access Control (MAC) addresses, and Bluetooth MAC address of devices paired with the phone. It concluded that the factory-reset feature was not sufficient in deleting user-generated network data.

This thesis expands the research scope by analyzing all user-generated content. It analyzes all types of residual artifacts left after a factory reset.


A. Computer Forensics

Computer forensic investigations follow a similar process to other forensic investigations [12]. The process involves acquisition, analysis and reporting of potential evidence involving criminal activity.  The evidence can be collected from any type of storage media. Examples of storage media are:

· A hard disk drive from computer system

· A CD/DVD/Blu-ray optical disk

· A MO magnetic disk

· A CF/SM/MMC memory card

· A mobile SIM card

· A USB flash memory

Forensic tools can be used to acquire data from storage media by physical or logical acquisition. Physical acquisition is a bit-by-bit copy of an entire physical store of data. Logical acquisition is a bit-by-bit copy of the logical storage object such as directories and files.

The National Institute of Standards and Technology provides guidelines for forensic data acquisition and specifications for forensic tools [13]. NIST’s Computer Forensics Tool Testing (CFTT) program establishes the methodology for testing computer forensic software. CFTT is part of the Software Diagnostics and Conformance Testing Division which is supported by The Office of Law Enforcement Standards. The project provides a means to help understand the capability, limitations, and validity of computer forensics tools. The tools to be tested are broken up into several categories: disk imaging, forensic media preparation, write-blocking software, write-blocking hardware, and mobile devices.

Disk imaging is the process of making a secure forensically sound copy of digital media that can retain the data for an extended period. “Disk Imaging takes sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism to prove that the copy is exact and has not been altered.” [14].

Forensic media preparation is the practice of wiping the target media before storing forensics data onto the forensics examiner’s computer. A hard disk drive is usually used as a target media to store collected data. A wiping process prevents collected data on the target media from being “contaminated” by previously collected evidential data. A wipe should completely delete the existing data by overwriting all writable parts of the media. The Unix “dd” command is a common utility used to wipe storage media [15], and it can also be used to wipe data from internal flash memory in mobile phones. Write blockers are write-protection utilities used in the acquisition of digital forensic data. These utilities enable examiners to create images of media devices without the risk of accidentally writing to the subject media and thereby altering the contents [16].

Several forensic techniques have been developed to help investigations such as string search, memory forensics, file extraction, feature extraction, and cross-drive analysis [17], [18], [19], [20]. These techniques increase the utility of captured data in forensics analysis. Memory forensics analyzes information on volatile memory, internal memory inside a computer or mobile device that requires power to maintain. The data stored in the memory changes frequently while the computer or mobile device is operational, which makes it hard to verify the data collected from memory. This can lead to problems if the examiner wants to run the acquisition process more than once [21].

String searching is a process of locating specific ASCII or Unicode strings from text files and directories. These strings can be names, phone numbers, email addresses, country codes, IP addresses, or installed software. The examiner can look for any type of key terms or single words, but it can also help spot patterns in a system. Regular expressions can be used to describe patterns in a string. An example regular expression is “/^[a-z0-9_-]/”, which matches any string whose first character (^) is a lowercase letter (a-z), a digit (0-9), an underscore or a hyphen.

 

B. Mobile Forensics

Mobile forensics has its own set of acquisition tools [22], [23], [24]. Imaging, forensic extraction, memory forensics, and string searching can all be applied to mobile forensics investigations. However, there are some differences. Hard disk drives can easily be removed from a computer system for data acquisition and analysis, and during this process the hard disk drives can be protected using a write blocker utility. A mobile device cannot be processed the same way because the internal flash memory is usually soldered onto the circuit board, and removing the flash memory may damage it. Most mobile forensics tools do not require the flash memory to be removed; instead they connect the phone directly to a forensics hardware tool, or plug the phone into a computer system running the forensics software [25]. The mobile phone architecture is also different from a standard desktop computer. The mobile hardware supports various radio communications like GSM/CDMA, GPS, Wi-Fi, NFC and Bluetooth. This radio communication capability will generate additional user data on the smartphone. The GSM/CDMA and GPS radios store geolocation data. Wi-Fi, NFC and Bluetooth may store user account login information and passwords. User data are locally stored on the smartphone’s flash memory.

C. Mobile Forensic Tool Cellebrite UFED

A commercial forensics tool from Cellebrite was used for the data extraction process in our experiments. The Cellebrite UME-36 Pro is a standalone phone-memory transfer and backup solution that is capable of extracting data from a wide variety of mobile devices [26]. There are three key components for this forensics tool:

· Cellebrite UME-36 Pro – Universal Memory Exchanger 1.2.2.3

· Cellebrite UFED Physical Analyzer 3.7.2.0

· Cellebrite Phone Detective 1.2

The UME-36 Pro enables logical, password, SIM, file-system, and physical extractions of data from mobile devices. It is a hardware solution for data extraction. The extracted data can be viewed and analyzed with the UFED Physical Analyzer software. UME-36 Pro claims to extract the following data from a smartphone [27]:

· Call logs

· Contacts

· Email

· Pattern locks

· Bookmarks

· Cookies

· Text strings from Short Message Service (SMS) / Multimedia Messaging Service (MMS)

· Chat messages

· Location data including cell tower locations and usage

· Web browser history including records of visited websites

· Digital photography, digital videos, and audio files

· Text files

· Deleted data

· Wi-Fi including connection times, base service set identifications (BSSID), service set identifiers (SSID), and Security Modes

· GPS information added to media files (geotags)

The UFED Physical Analyzer is software for physical extraction. This extraction creates a single binary extraction file for each embedded flash memory chip, or at least by the address range used by the mobile device. Unlike logical extraction, physical extraction can bypass the device’s operating system and extract data directly from the mobile device’s internal flash memory. The UFED-extracted data from the device is saved into a hexadecimal file that is later read and decoded using the UFED Physical Analyzer application. The images created from the physical extraction process include files deleted by the operating system or user. The images are saved with an .ufd extension. It provides an overview of the mobile-device data with decoding, analysis, and report generation [28].

The Cellebrite Phone Detective application helps investigators identify a mobile phone by its physical attributes, eliminating the need to start the device and risk device lock or possible data loss. It asks eight key questions regarding the phone’s physical appearance. It provides the user with a detailed extraction capability per device, connectivity details and device characteristics. The eight visual elements used to identify a device are:

· Phone type (candy bar, clamshell, slider, tablet)

· Body (connection port, cable, charging socket)

· Power button (power, volume, camera, keypad)

· Miscellaneous (battery cover type, memory card slot)

· Basic (Brand logo: Apple, HTC, Acer, LG / network technology: GSM, CDMA)

· Camera (type, location, flash)

· Display type (touch, non-touch, stylus)

D. Mobile Forensic Tool Bulk Extractor

The forensics software Bulk Extractor (bulk_extractor-1.4.1-windowsinstaller.exe) [30] was also used for analysis of files. Bulk Extractor is a carving and feature extraction tool that can be used on all kinds of digital media. It can scan disk images (raw, split-raw, EnCase E01, AFF), files and directories to extract useful information without parsing the file system or file system structures. The program can extract phone numbers, email addresses, credit card numbers and URLs by inspecting the contents of any file or file fragment. It can also collect data from files compressed with the ZIP and gzip algorithms. The extractor is run on a file system and creates a report directory with feature files (e.g., email.txt, url.txt). Each feature file contains the location where the feature was found, the feature itself, and the feature surrounded by its local context. The tool is generally used for file identification and cross-drive analysis [31].
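The feature-file layout described above (location, feature, context) lends itself to scripted keyword search. The following Python sketch is an added example, not code from the study: it assumes tab-separated columns, `#` header lines, and a location that carries a decoder tag such as `-GZIP-` when the feature came from decompressed data; the sample lines and the keyword list are constructed.

```python
from collections import defaultdict, namedtuple

Feature = namedtuple("Feature", "location feature context")

# Constructed sample of a url.txt feature file (not output from the study).
# Columns are tab-separated: location, feature, context.
SAMPLE_URL_TXT = (
    "# constructed header line\n"
    "10485\thttp://faculty.nps.edu/ncrowe/testschwamm_0114_link.html"
    "\thref=\"http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html\">\n"
    "20971-GZIP-118\thttp://www.youtube.com/watch?v=9bZkp7q19f0"
    "\t{\"u\":\"http://www.youtube.com/watch?v=9bZkp7q19f0\"}\n"
    "31457\thttp://npr.org/\tvisited http://npr.org/ 3\n"
    "truncated line without any tab\n"
)


def parse_features(text):
    """Return Feature rows, skipping header comments and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue  # no location/feature pair on this line
        context = parts[2] if len(parts) == 3 else ""
        rows.append(Feature(parts[0], parts[1], context))
    return rows


def in_compressed_region(location):
    """True when the location names a decompression step (assumed notation)."""
    return any(part in ("GZIP", "ZIP") for part in location.split("-")[1:])


def keyword_hits(rows, keywords):
    """Map each keyword to the locations whose feature or context contains it."""
    hits = defaultdict(list)
    for row in rows:
        haystack = (row.feature + "\t" + row.context).lower()
        for kw in keywords:
            if kw.lower() in haystack:
                hits[kw].append(row.location)
    return dict(hits)


if __name__ == "__main__":
    rows = parse_features(SAMPLE_URL_TXT)
    for kw, locations in keyword_hits(rows, ["testschwamm", "youtube"]).items():
        for loc in locations:
            note = " (inside compressed data)" if in_compressed_region(loc) else ""
            print(f"{kw}: {loc}{note}")
```

Running the same search over the feature files of a pre-reset and a post-reset image shows which keywords survive the reset and where in the image they sit.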

E. Other Mobile Forensics Tools Tested

Several other forensics tools were tested for this research project before we selected Cellebrite. Some that offer similar features to the Cellebrite UFED tools were as follows.

viaExtract: This is a mobile forensics tool developed and distributed by viaForensics [32]. It is designed for extracting and analyzing data from Android smartphones. It is distributed as a standalone virtual appliance that runs on a VMware workstation. The pre-installed extraction tools could not properly analyze several Android phones. It would often return an error during the extraction process on our test phones.

Key features:

·                     Temporarily or permanently remove a password/pattern/PIN lock on an Android device running OS 2.2 or higher.

·                     Allow the examiner to forensically image external (SD) and internal (EMMC) storage cards directly from the device.

·                     Allow examiners an additional bypass option on gesture key locked devices.

Oxygen Forensic Suite 2013: This forensics suite is developed and distributed by Oxygen Software [33]. The company specializes in forensic data examination tools for smartphones and mobile devices. The program performed fairly well and could recover a large number of files (images, video, system files, logs).

Key features:

·                     Displays complete technical information about the mobile device.

·                     Extracts user contact information with all its data: name, occupation, phone numbers, addresses, emails, notes.

·                     Extracts event log data, phonebook, messages (SMS, MMS, Emails, iMessages).

·                     File browser analyzes user phones, videos, documents and device databases.

Recuva: This is a free program developed and distributed by Piriform [34]. It is a disk recovery tool that is capable of extracting files deleted or damaged on media devices. The program can recover a large number of files from the internal flash memory of a smartphone. However, the program does not provide analysis for the recovered data. This makes the file analysis very difficult. Several files could not be opened or viewed with the program.

Key features:

·                     Undelete files.

·                     Recover damaged or formatted disks.

·                     Recover deleted emails.

·                     Recover deleted iPod music.

·                     Restore unsaved documents.

·                     Perform deep scan.


 


A. Controlled Experiment with Two Smartphones

Two smartphones were used for a controlled experiment: an Apple iPhone 4S and a Samsung Galaxy SIII. The following protocol was used to artificially generate data under a controlled environment.

· Log into the Android phone with the account [email protected], and the iPhone with the account [email protected]

· Connect to NPS wireless network (NGSTV224) and visit 4 websites using default browser

    1. Nps.edu
    2. Fark.com
    3. Yahoo.com
    4. Npr.org

· Take six pictures with built-in camera: 6 pictures of the numbers 1, 2, 3, 4, 5, 6. First 3 image files are left unaltered. Second 3 image files manually renamed:

    o testschwamm_pic_4
    o testschwamm_pic_5
    o testschwamm_pic_6

· Access files and links from the following website:

    http://faculty.nps.edu/ncrowe/testschwamm0114__doc_sample.docx
    http://faculty.nps.edu/ncrowe/testschwamm0114__pdf_sample.pdf
    http://faculty.nps.edu/ncrowe/testschwamm0114__ppt_sample.pptx
    http://faculty.nps.edu/ncrowe/testschwamm0114__wav_sample.wav

    http://faculty.nps.edu/ncrowe/testschwamm_0114_link.html
    http://faculty.nps.edu/ncrowe/testschwamm_0114_pics.html
    http://faculty.nps.edu/ncrowe/testschwamm_0114_video.html
    http://faculty.nps.edu/ncrowe/testschwamm0114_feat.html

· Install the following list of software for Android phones:

    “Reddit is fun”
    https://play.google.com/store/apps/details?id=com.andrewshu.android.reddit&hl=en
    Visit 3 postings on www.reddit.com

        o “ELI5: The Amanda Knox Appeal” http://www.reddit.com/r/explainlikeimfive/comments/1wlin9/eli5_the_amanda_knox_appeal/
        o “Why are the wheels of NASA’s Mars rover, Curiosity, wearing out?” http://www.reddit.com/r/askscience/comments/1wnb8s/why_are_the_wheels_of_nasas_mars_rover_curiosity/
        o “Hey, I am Nikki Sixx from Motley Crue, AMA” http://www.reddit.com/r/IAmA/comments/1wnsxv/hey_i_am_nikki_sixx_from_m%C3%B6tley_cr%C3%BCe_ama/

    “Facebook”
    https://play.google.com/store/apps/details?id=com.facebook.katana&hl=en
    Login and browse.

    “Google Drive”
    https://play.google.com/store/apps/details?id=com.google.android.apps.docs&hl=en
    Login/sync and open 3 files

        o testschwamm_ppt1.pptx
        o testschwamm_ppt2.pptx
        o testschwamm_ppt3.pptx

    “DropBox”
    https://play.google.com/store/apps/details?id=com.dropbox.android&hl=en
    Login/sync and open 3 files

        o testschwamm_doc1.docx
        o testschwamm_doc2.docx
        o testschwamm_doc3.docx

    “Youtube”
    https://play.google.com/store/apps/details?id=com.google.android.youtube&hl=en
    Login and watch 3 videos

        o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0
        o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA
        o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

    “Audible”
    https://play.google.com/store/apps/details?id=com.audible.application&hl=en
    Login and download/listen to 3 excerpts

        o Bossypants (Excerpt)
        o The Hunger Games (Excerpt)
        o Matterhorn (Excerpt)

    “Kindle”
    https://play.google.com/store/apps/details?id=com.amazon.kindle&hl=en
    Login and open 3 PDF files

        o testschwamm_article1.pdf
        o testschwamm_article2.pdf
        o testschwamm_article3.pdf

· Upload a text document ‘testschwamm_password.txt’ to root directory of each phone.

· Upload zip file containing above text named ‘testschwamm_userdata.zip’ to root directory of each phone

· Use the following list of pre-installed software on iPhone:

    “Youtube”
    Login and watch 3 videos

        o ‘PSY-GANGNAM STYLE’ http://www.youtube.com/watch?v=9bZkp7q19f0
        o ‘GIFs, now with sound!’ http://www.youtube.com/watch?v=CgVpR4KdLRA
        o ‘BEST DUBSTEP CAT!’ http://www.youtube.com/watch?v=i4SSoWEw5CI

    “Notes”
    Create 3 note entries

        o DVD Movie List
        o Shopping List
        o Test date and homework due date

    “Remind Me”
    Create 3 reminders with different dates

        o ‘Reminder 1’ ‘02/01/2014 5:00PM’
        o ‘Reminder 2’ ‘03/03/20145 7:00AM’
        o ‘Reminder 3’ ‘04/05/2014 11:00AM’

The phones were not password protected by the user and no data was intentionally encoded or encrypted by the phone. Following use, a factory reset was performed through the phone’s setup menu under “Privacy” or “Backup & Reset”. The reset menu lists all data that will be erased in the process (User account, system and application data and settings, downloaded applications, music, pictures and other user data). The user did not have any selectable options for the reset on any of the phones. The process takes a few minutes after which the phone restarts and resumes normal operation.

Following factory reset, the phones were imaged with the UME-36 Pro and UFED Physical Analyzer. All images were saved in the tool’s proprietary format (.ufd).

A total of 61,276 files were recovered from the pre-wipe for the iPhone and 43,165 from the post-wipe. 42,728 files matched path and contents from both pre-wipe and post-wipe. Partial matches were deleted which produced 17,914 pre-reset files and 115 post-reset files that did not match. 36,292 files had a zero size from the pre-wipe and 36,319 files had zero size from the post-wipe. Executable “.app” files found pre-wipe were 24,862, and 8,062 post-wipe. Files relating to the operating system were 29,812 pre-wipe and 27,621 post-wipe. 

Overall, the reset did a good job of removing third-party software. All the picture images and text documents were deleted by the reset with the exception of some cache and settings information (YouTube, Facebook).

The Bulk Extractor was used for string search. A number of preference and configuration files were recovered after the reset but none containing the keywords. “Preferences” can include private user information [35], but none were seen in the “.plist” preference files. Table 3 lists some sample files remaining after the reset that could be interesting for forensic investigations. The indirect information can be collected and used to profile a user. A forensic investigator could determine where and how the device was used.


 

| File | Description |
|---|---|
| System/InnsbruckTaos11B554a.N90OS/System/Library/PrivateFrameworks/Preferences.framework/SupplementalLocaleData.plist | Location and language settings |
| System/InnsbruckTaos11B554a.N90OS/usr/share/mecabra/ja/rerank.dat | Resource rankings? |
| Data/Data/Keychains/keychain-2.db | Keys |
| Data/Data/logs/lockdownd.log | Security event log |
| Data/Data/mobile/Applications/B8AD4B05-2518-4570-8447-7BE2BFDA8F9F/Library/Preferences/com.apple.mobilesafari.plist | Browser preferences |
| Data/Data/mobile/Library/BulletinBoard/SectionInfo.plist | Bulletin board index |
| Data/Data/mobile/Library/Caches/com.apple.springboard/Cache.db-wal | Screen cache for user "wal" |
| Data/Data/mobile/Library/Cookies/com.apple.itunesstored.2.sqlitedb | Cookies for iTunes |
| Data/Data/mobile/Library/Mail/Content Index | Mail keywords |
| Data/Data/mobile/Library/Maps/Bookmarks.plist | Map bookmarks |
| Data/Data/mobile/Library/Preferences/com.apple.identityservicesd.plist | Account information |
| Data/Data/mobile/Media/PhotoData/changes-shm | Incremental photo data |
| Data/Data/root/Library/Caches/locationd/consolidated.db | Location data |
| Data/Data/tmp/MediaCache/diskcacherepository.plist | Disk cache information |

Table 3. Sample files from post-wipe iPhone

A total of 5,141 files were recovered from the pre-wipe for the Android phone and 3,578 from the post-wipe. 3,292 files matched path and content from both pre-wipe and post-wipe. Partial matches were deleted which produced 968 pre-wipe and 65 post-wipe that did not match. 227 files had a zero size from the pre-wipe and 278 files had zero size from the post-wipe. Executable “.apk” files found pre-wipe were 396, and 277 post-wipe. Other executable files such as “.dex” files went from 140 pre-wipe to 121 post-wipe, and “.so” files went from 302 to 254. The reset did not delete any picture images taken with the camera. None of the created text files (.txt, .doc, .pdf, .ppt) was removed. Cache and deleted copies of these files and image components were also not erased. Third-party applications were deleted. However, following the wipe we could recover files from the Kindle and DropBox applications that belonged to the user. These files should have been deleted along with the application. The fact that files from deleted applications were found post-wipe implies that the wipe process explicitly deleted files, a topic that we will return to in V.

The Bulk Extractor was used again for additional string search. Website links were all deleted in the reset. However, the links for the four visited websites were found in various files pre-wipe. A total of 116 links were found pre-wipe. It is unclear why there were so many duplicate links saved on the phone. The wipe left most of the operating system files intact just like the iPhone reset. Table 4 lists some sample files remaining after the reset that could be interesting for forensic investigations.

| File | Description |
|---|---|
| CACHE/Root/recovery/last_log | Recovery log |
| SYSTEM/Root/addon.d/blacklist | Four MD5 hash values |
| SYSTEM/Root/etc/apns-conf.xml | Phone carrier IP address |
| SYSTEM/Root/etc/audio_policy.conf | Attached audio devices listing |
| SYSTEM/Root/etc/gps.xml | GPS settings |
| USERDATA/Root/backup/pending/journal2114683955.tmp | Data backup |
| USERDATA/Root/data/com.android.providers.calendar/databases/calendar.db | Calendar data |
| USERDATA/Root/data/com.android.deskclock/databases/alarms.db | Alarm data |
| USERDATA/Root/media/0/amazonmp3/temp/log.txt | Log file of Amazon Cloud Player |
| USERDATA/Root/media/0/Android/data/com.andrew.apollo/cache/ImageCache/3910b1e0ccab19bc46fd9db27cca49c9.0 | Image cache data |
| USERDATA/Root/media/0/iPhone3G.2013-11-07.16-39-30/Email/108/478/1256.sql | Database script of ours, unclear how it got here |
| USERDATA/Root/misc/wifi/softap.conf | Access point data |
| USERDATA/Root/system/users/userlist.xml | User ID information |
| USERDATA/Root/drm/fwdlock/kek.dat | Lock data |
| USERDATA/Root/media/0/Android/data/com.dropbox.android/files/scratch/09thesis_regan.pdf | Document of previous phone user |

Table 4. Sample files from post-wipe Android phone

Some smartphones provide variations for reset. A “hard reset” can be performed by using the hardware keys (by a procedure specific to each device). Newer iPhones provide the additional reset options “Reset All Settings,” “Reset Network Settings,” “Reset Keyboard and Dictionary,” “Reset Home Screen Layout,” and “Reset Location and Memory”. All of these options were used and a new post-wipe image was generated. These options deleted an additional 222 files from the phone but did not delete any files listed in Table 3. The additional reset options did not produce any significant further deletions.

The hard reset on the Android phone gave an additional option for a “cache reset”. This option was used and a new post-wipe image was generated, as with the iPhone. It did not delete any text and media files put on the device; it only deleted the sixth file of the files in Table 4. Four files with the “db” extension were deleted. The reset added an additional six files (two Bluetooth cache, four “telephony”), but did not do much beyond the regular reset.

B. Experiment and Data Extraction

Two sets of smartphones were used for the main experiment. The first set of Apple iPhone images was created by the UME-36 Pro and UFED Physical Analyzer. These images were taken from the Real Data Corpus [36], a large-scale forensic corpus. All images were generated from legally obtained smartphones used by real people. The second set was of various smartphones (iPhone, Android, Blackberry) that had been used for other research projects at our school. These phones did not have a SIM card installed on them. SIM cards contain a unique identification number associated with the user’s mobile account and contain the phone number, security data and billing information; phone calls cannot be made without a SIM card, but otherwise the phone will function normally. A few of the phones came with a custom Android operating system (CyanogenMod 10.1), a custom aftermarket firmware based on the Android Open Source Project [37] [38]. The same protocol was used to generate data but no accounts were associated with the Blackberry phones. A Python script was written to convert the Cellebrite proprietary XML report format to the forensic metadata standard DFXML [39]. A taxonomy created [40] was used to classify files by extension and directory path. The full list of smartphones and the status is listed in Table 5.

 

| # | Smartphone | OS Version | Readiness |
|---|---|---|---|
| I1 | Apple iPhone 4 | iOS 5.1.1 | OK |
| I2 | Apple iPhone 4 | iOS … | … |
| … | … iPhone 2 | iOS 3.1.3 | OK |
| I4 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I5 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I6 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I7 | Apple iPhone 2 | iOS 3.1.3 | OK |
| I8 | Apple iPhone 2 | iOS 3.0 | OK |
| I9 | Samsung Galaxy SIII | CyanogenMod 10.1 | Hard reset |
| A10 | Samsung Nexus | CyanogenMod 10.1 | OK |
| A11 | Samsung Galaxy Anycall | Android 1.5 | OK |
| A12 | Motorola Atrix 4G | Android 2.2 | OK |
| A13 | HTC Droid Eris | Android 2.1 | OK |
| A14 | HTC Magic | Android 1.6 | Hard reset |
| A15 | HTC Flyer (tablet) | Android 3.2 | OK |
| A16 | HTC One | Android 4.1 | OK |
| B17 | BlackBerry 8900 Curve | BlackBerry OS 4 | Unusable after reset |
| I18 | Apple iPhone 4S | iOS 5.1.1 | OK |
| I19 | Apple iPhone 2G | iOS 3.13 | Unusable without SIM card |
| B20 | BlackBerry 8100 Pearl | BlackBerry OS 4.5.0.174 | OK |
| B21 | BlackBerry 8300 Curve | BlackBerry OS 4.5.0.162 | OK |
| A22 | Motorola FIRE | Android 2.3.4 | Unrecognized by Cellebrite |
| A23 | Huawei U8500 | Android 2.1 | OK |
| A24 | Huawei U8150 IDEOS Comet | Android 2.2 | Unusable after reset |
| A25 | Dell XCD35 | Android … | … |
| … | … iPhone 2 | iOS 3.1.3 | Unusable after reset |
| A27 | Motorola Charm | Android 2.1 | Totally dead |
| p28 | LG-500GHL | Unknown | Unrecognized by Cellebrite |

Table 5. Full list of smartphones and status (from [41], [42]).

Table 6 lists the total counts of pre-wipe and post-wipe files. A large number of files were not affected by the reset. There were four types of partial matches between pre-wipe and post-wipe files (File name and hash, Hash only, File path only, Path ignoring digits). Several unmatched files were found post-wipe which appear to be new records created by the operating system’s activity and reset feature. The factory reset does not completely wipe a device. Several files are removed during the reset but others are just renamed and additional new files are added after the reset.


 

| File count type | Pre-reset | Post-reset |
|---|---|---|
| Total files | 349,915 | 200,987 |
| iPhone files | 299,058 | 176,907 |
| Android files | 50,846 | 24,058 |
| Exact matches pre-wipe and post-wipe | 140,320 | 140,320 |
| Subsequent matches on filename and hash value but not all directories | 34,228 | 36,540 |
| Subsequent matches on hash value alone | 9,269 | 12,911 |
| Subsequent matches on full path alone | 2,849 | 2,836 |
| Subsequent matches on full path ignoring digits alone | 6,448 | 256 |
| Remaining unmatched | 156,801 | 8,124 |

Table 6. Summary data from 21 smartphones
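The tiered comparison summarized in Table 6 can be sketched in Python as follows. This is an added example, not the script used in the study: the record layout, the rule that a file counts as matched when its key also occurs on the other side, and the exclusion of zero-size files from hash-only matching are assumptions, and both inventories (including the digests) are constructed.

```python
import re
from collections import namedtuple

# One inventory entry per recovered file (layout assumed for this example).
FileRec = namedtuple("FileRec", "path digest size")


def _name(rec):
    return rec.path.rsplit("/", 1)[-1]


def _hash_only(rec):
    # All empty files share one digest, so they would all "match" each
    # other; returning None keeps zero-size files out of this tier.
    return rec.digest if rec.size > 0 else None


# Strictest tier first; each tier only sees files still unmatched.
TIERS = [
    ("path and hash", lambda r: (r.path, r.digest)),
    ("filename and hash", lambda r: (_name(r), r.digest)),
    ("hash only", _hash_only),
    ("full path only", lambda r: r.path),
    ("path ignoring digits", lambda r: re.sub(r"\d+", "", r.path)),
]


def tiered_match(pre, post):
    """Return ({tier: (pre_count, post_count)}, unmatched_pre, unmatched_post)."""
    pre_left, post_left = list(pre), list(post)
    counts = {}
    for label, key in TIERS:
        shared = {key(r) for r in pre_left} & {key(r) for r in post_left}
        shared.discard(None)
        pre_hit = [r for r in pre_left if key(r) in shared]
        post_hit = [r for r in post_left if key(r) in shared]
        counts[label] = (len(pre_hit), len(post_hit))
        pre_left = [r for r in pre_left if key(r) not in shared]
        post_left = [r for r in post_left if key(r) not in shared]
    return counts, pre_left, post_left


# Constructed inventories; digests are placeholders, not real hashes.
PRE = [
    FileRec("SYSTEM/Root/etc/gps.xml", "d01", 512),
    FileRec("USERDATA/Root/media/0/DCIM/Camera/pic_1.jpg", "d02", 2048),
    FileRec("USERDATA/Root/data/app/cache/a.tmp", "d03", 100),
    FileRec("USERDATA/Root/system/users/userlist.xml", "d04", 300),
    FileRec("USERDATA/Root/backup/pending/journal123.tmp", "d05", 64),
    FileRec("USERDATA/Root/media/0/Download/notes.txt", "d06", 40),
    FileRec("USERDATA/Root/data/app/empty.log", "d00", 0),
]
POST = [
    FileRec("SYSTEM/Root/etc/gps.xml", "d01", 512),
    FileRec("USERDATA/Root/media/0/lost/pic_1.jpg", "d02", 2048),
    FileRec("USERDATA/Root/media/0/.thumbnails/pic_1.jpg", "d02", 2048),
    FileRec("USERDATA/Root/data/app/cache/renamed.bin", "d03", 100),
    FileRec("USERDATA/Root/system/users/userlist.xml", "d14", 300),
    FileRec("USERDATA/Root/backup/pending/journal987.tmp", "d15", 64),
    FileRec("CACHE/Root/recovery/marker", "d00", 0),
    FileRec("CACHE/Root/recovery/last_log", "d16", 900),
]

if __name__ == "__main__":
    counts, gone, new = tiered_match(PRE, POST)
    for label, (n_pre, n_post) in counts.items():
        print(f"{label:22s} pre={n_pre} post={n_post}")
    print("unmatched pre :", [r.path for r in gone])
    print("unmatched post:", [r.path for r in new])
```

Under this matching rule the two sides of a partial-match tier need not have equal counts: one pre-reset file whose content survives in two post-reset locations yields one pre-reset match and two post-reset matches.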

The file taxonomy was used to further investigate what types of files are being removed in the reset. The full results are listed in Table 7. Each file path is classified by file extension (E) and directory name of the file (D). 8,346 extensions and 6,445 directory names have a classification. The rest are labeled as “miscellaneous”. Extensions that are longer than 10 characters are ignored.

The reset appears to focus on video and picture images, text documents, copies and temporary files, disk images, log files, XML documents and gaming applications. There is a smaller emphasis on database files, compressed data, audio, source code and data directories. The reset seems to target applications, picture images and temporary files, but is not as focused on long-term user data. The reset does not remove explicitly deleted and zero-size files (which have no content but do have filename and dates). Zero-size files may not be useful for the applications, but could provide partial user information. An empty log file could indicate the user is not using a particular category or parameter in an application.

A clear time pattern could not be created because the phones were used in various time periods. The Physical Analyzer software also created some issues while analyzing the recovered data. Different versions of the Physical Analyzer would produce different results from the same image. The file access and creation time would be reported differently depending on the Physical Analyzer version, and the root directory name would change between two different Physical Analyzer versions.

 

| Type of file extension (E) or directory (D) | Pre-wipe | Post-wipe |
|---|---|---|
| E: No extension | 36561 | 21078 |
| E: Operating system | 106168 | 104406 |
| E: Graphics | 98618 | 27522 |
| E: Camera pictures | 15443 | 3967 |
| E: Temporaries | 733 | 159 |
| E: Web pages | 1418 | 680 |
| E: Documents | 3089 | 1233 |
| E: Database | 5627 | 2377 |
| E: Spreadsheets | 425 | 356 |
| E: Compressed | 601 | 278 |
| E: Audio | 16427 | 8313 |
| E: Video | 303 | 90 |
| E: Source code | 1791 | 736 |
| E: Executable | 3432 | 2856 |
| E: Disk image | 13828 | 1932 |
| E: Log | 599 | 73 |
| E: Copies and backup | 7347 | 905 |
| E: XML | 5193 | 1045 |
| E: Configuration | 20788 | 18379 |
| E: Games | 3741 | 1048 |
| E: Miscellaneous | 7307 | 3536 |
| D: Root | 1012 | 966 |
| D: Operating system | 122625 | 117701 |
| D: Hardware | 1128 | 319 |
| D: Temporaries | 12141 | 2928 |
| D: Pictures | 17950 | 4328 |
| D: Audio | 10812 | 7814 |
| D: Video | 2570 | 0 |
| D: Web | 2714 | 277 |
| D: Data | 18300 | 9771 |
| D: Programs | 3616 | 2876 |
