Mobile Security and Forensics

The goal of the project is to improve the security of mobile devices and software. To that end, we devise and implement, as proof-of-concept prototypes, various types of security mechanisms and frameworks especially attuned to mobile devices, such as cell phones, and mobile agent software. A related aspect to security is the proper retrieval and analysis of data recovered during a forensic examination of these items, when conducted as part of an incident or criminal investigation. In order to meet the quality objectives of forensic laboratories, test materials and procedures are needed for assessing the quality of forensic tools. We perform assessment of the capabilities of mobile forensics tools and devise means for establishing reference test materials and improving test procedures. The production of a variety of guidelines for mobile security and forensics is also an offshoot of the above-mentioned research.

Cell phones, personal digital assistants, and other handheld devices have evolved into highly capable computing platforms increasingly used by the mobile workforce. Each generation of mobile device brings with it new innovations and technologies, and this trend is expected to continue for the foreseeable future. For example, the capabilities of today’s average smart phone greatly exceed those of a few years ago and rival that of older personal computers. Moreover, the number of mobile devices in use today for both organizational and personal use far outstrips that of personal computers.

While the computational, storage, and communications capabilities of mobile devices have evolved quickly, their security features generally lag much further behind. Each year malware and other threats to cell phones and PDAs have turned out to be only a minor concern. However, malware continues to grow steadily and other recent trends suggest that a tipping point is approaching that will raise the stakes for protecting these devices. Their security implications have become a growing concern for many organizations and also many individuals.

NIST has been an active and early player in the computer security area. Mobile device security is a natural continuation of that work. To date, a unified security framework has been developed and implemented that addresses the following security aspects: Multi-Mode User Authentication, Content Encryption, and Dynamic Policy Controls. This and other related work that has be performed provides the core safeguards that organizations can take to manage the security risks and also offers insight into making informed security decisions.

Interestingly, mobile forensics is in many ways the flip side of mobile device security. Data must be recovered from a device in a matter that avoids modification and maintains the integrity of the recovered content. Any security mechanisms that prevent recovery must be circumvented or defeated. Mobile forensic tools are designed to perform these and other functions.

Forensic specialists today operate within what can be termed the forensic tool spiral. New versions of forensic tools are issued regularly by the tool manufacturer. To ensure correct operation of an updated forensic tool, it must be validated. Validation involves populating a sample device with representative test data and confirming successful recovery of the data. Populating a device is time consuming and prone to error, especially if done manually. The situation can delay use of an updated tool until a convenient time for validation. Validation could be expedited, if it were possible to populate mobile devices readily with reference test data and create reference material to use for tool assessment.

NIST work in mobile forensics has focused on developing reference materials and procedures for use in tool assessment and in improving the accuracy of results produced from mobile forensic tools. Recently, we have released a distribution of an application and reference data set for populating identity modules. The reference test data and application was developed to provide a greater amount of coverage than normally done by manual means. The initial results attained by processing commonly-used forensic tools against the populated test data indicate that a variety of inaccuracies exist in present-day forensic tools, which can be uncovered through this approach.