Tuesday, April 5, 2011

An Interview with Shafik Punja

I’ve been wanting to do an interview with Shafik Punja for quite some time now. Shafik  is particularly well known for his work in the mobile device space with an emphasis on Blackberry forensics. He is one of the people who I call when I get stuck on a mobile device problem. He’s an extraordinarily sharp fellow and is very willing to share his knowledge. He’s an asset to the digital forensics community and a credit to the Calgary Police Service.

Professional Biography of Shafik Punja

A police officer with the Calgary Police Service for over 15 years, Mr. Punja has been working in digital forensics since 2003, and has conducted digital forensic examinations on a wide variety of digital data storage devices and operating systems. In 2005, Mr. Punja began researching and developing analytical techniques for mobile devices and smart phone platforms, and has become an expert in the analysis BlackBerry, among other devices. Mr. Punja has been qualified in the Canadian legal system as an expert in the area of digital forensics, and has been a guest instructor for the Technological Crimes Learning Institute (TCLI) at the Canadian Police College, in Ottawa, Ontario.

AFoD: How did you get involved in digital forensics?

SP: Well, it all started back in about Sept 2000.  I had never owned a computer (well maybe if you count the Commodore 64 back in the 1980s) with a high speed internet connection, until my wife said we should get one so we could communicate with her parents back home.

I was familiar with office productivity applications, and knew what Windows was and had friends that had a computer with Windows 98 with productivity suite, which I used.  But my first real experience at handling a computer came when my wife and I purchased one, and  also got our first high speed internet connection - all in the same day!  At that time the PC that we bought was a mid line machine, 900MHz AMD processor, with 512 MB RAM, and 32MB video card running Windows ME.

During this time I had about 5 years on as a police officer with my agency and was working uniform patrol, with my life centered around shift work.  I also have a passion for online gaming, so after my night shifts, to unwind I would play my share of PC video games.  This eventually wore off after about 4-5 months. I still played but not as extensively and started learning about my computer.  So what's the first thing I did?  Well I read the motherboard manual for our computer front to back and learned what a BIOS was.   I learned how to do BIOS upgrades, which were frowned upon.  I also discovered that I did not have a software firewall so I did some research on firewalls and discovered Zone Alarm which I promptly installed.

Pretty much that launched my interest into learning about the Internet, how it worked, protocols, firewall basics, and learning about data mining or open source intelligence gathering.  It was stunning to discover how much information could be found online about persons, places or things if you just looked hard enough. 
Eventually in 2001, I made a convincing argument to my Inspector at that time, who allowed me to take an distance learning course from the Canadian Police College called Internet Searching Techniques Basic.  I sailed through this course as everything that was contained in the student manual I had already learned on my own.  So it was a nice way to validate self taught knowledge.

I was still in patrol working shifts so I took another distance course offered by the University of Calgary, called Computer Crime Investigations and Computer Forensic Training.  This computer based training course taught me the basics of digital evidence preservation, hash values, hard drive structure, clusters, sectors, and MBR etc.  I finished this course and wanted to learn more! 

So with that in mind, in 2002, I transferred from patrol to a public relations unit, which took me away from shift work and back to a normal lifestyle.  Between 2002 and late 2003 I obtained my A+ certification and my CISSP certification (both on my own dime) and went to Ottawa (covered by agency and the RCMP) to take the basic 3 week Electronic Search and Seizure Course at the Canadian Police College.  I also finished the Intermediate and Advanced Internet Searching Techniques. 

In between I managed to muck around with Linux and teach myself the basics of Linux command line, dual booting Windows and Linux.  Hacking my own root password because I locked myself out of the local user account on the box, breaking the software on both Linux and Windows causing several re-installs and upgrades from Windows 98 to 2000 to eventually XP Pro.

I was lucky that I had an Inspector and a Staff Sergeant that supported my career aspirations.  They both knew that I had a desire to get into the Technological Crimes Unit (TCU) and do digital forensics. They realized that although I was doing a really good job where I was currently assigned, I belonged in another area. In November 2003 I was seconded into TCU and must have done a decent enough job that in March 2004 my transfer was made permanent.  

Since then I haven’t looked back. I have found a career in digital forensics to be the most rewarding, satisfying and challenging work, and would never consider anything else.  Every day there is a new challenge to learn and overcome; the quest for new knowledge and discovery.  And of course there is also the look on the face of the investigators when they ask how did you do that or how did you figure that out....and I just smile...elementary my dear...well you know the rest...:)

AFoD: Did you learn anything during your days working as a patrol officer that helped you become a better forensic examiner?

SP: Hmmm...interesting question Eric.  I have had to give this some serious thought.  My memories about my patrol days can essentially be divided into 2 categories.  Good partners and crappy partners.  It seems that my crappy partners were always bent on never wanting to really investigate anything, or never completing what they started and the left overs falling into my lap to finish up.  Seeking advice from them I realized was like pulling teeth. What this category of partners did teach me is what I would not do with any partner that I was either training out or working with.

Now to the good partners.  They taught me to become meticulous, and tenacious in what I was investigating.  They never offered any advice - rather they worked with me to complete the investigations; I was encouraged to trust my instinct and keep detailed notes about my investigative actions on any file that I was the primary investigator on.

One of the most important things I learned was to interview everyone and anyone that I came into contact with: witnesses, victim's, suspects and accused.  This taught me to appreciate how to extract, confirm and verify details. Every interaction with a member of the public, regardless of their position or reasoning for coming into contact with the police, was an opportunity to practice verbal skills, and experience the non-verbal mannerisms displayed by persons from diverse backgrounds.

So how does that apply to digital forensics?  Well, it’s the investigative mindset.  You see patrol work is primarily responsive policing.  Typically front line patrol officers are reactive policing resources.  They start off the initial investigation by being first responders on a scene. And after, they might continue to carry the case through to its resolution - whether is laying charges, or closing the file without charges depending upon the nature of the information.  In my case I was lucky enough to pick up investigative files and have an opportunity to work in an investigations unit, seconded temporarily from patrol for about 1 year.  I really enjoyed this and knew then that I wanted to investigate things.  I just didn’t know which direction my policing career would take to get me to investigations.

When I realized that technology and crime were the direction that policing was going back in 2001, I started to understand how to use the Internet to search out details about subjects I was pursuing.  And finally ending up working in the Technological Crimes Team (TCT) gave me that ability to assist with criminal investigations that have a technical component.  So having an interest in doing investigations, learned during my patrol days certainly has helped me when I deal with investigators that come seeking help from TCT and me.

AFoD: You've developed a reputation of being a leading practitioner and researcher in the area of mobile device forensics. What captured your interest about mobile device forensics and how did you develop your abilities in that area?

SP: Eric...you have an interesting perspective.  I honestly don’t feel that I have this reputation or am a leading practitioner of mobile device forensics.  But I am truly humbled and appreciative of your opinion.
What captured my interest in this area resulted from getting requests for extracting data from cell phones, blackberry and other pda devices.  This started around 2004 just after i got into tech crime. I remember speaking with my, then unit supervisor (now retired) and telling him that mobile devices are going to be the next big wave in forensics.

This precipitated finding software to do extractions of such devices such as manufacturer specific tools (PST), SIM Card software like SIMCon, BitPim, mobilEdit!, Oxygen Forensic (when they were all free); reading Svein Willassein's invaluable papers and not to mention Eoghan Casey, whom I recall as documenting in one his early digital forensics books on cell phone forensics and sim card analysis. 
Within a matter of months the TCT for the Calgary Police Service had gone from knowing very little about cell phone and sim card forensics to having a basic working grasp on how to extract the data.  Our trouble at that time was finding proper analytical tools that could parse the content.  Pretty much there was only Paraben, which in its older toolkit had PDA Seizure and Cell Phone Seizure, which is now combined into an integrated product called Paraben Device Seizure (PDS).

One of the ways in which I developed my abilities was to learn as much as I could about cell phone data extraction and analysis.  What information did the mobile device store versus the sim card?  What was the best method of processing an on state device versus an off state device? Short of Faraday shielding, I learned that Airplane Mode (or its equivalent) was a good method in radio isolating a device.

I also adapted concepts from general computer forensics and applied them in standard operating procedures for mobile device analysis, like device date/time verification against actual, manual verification of data extracted against the handset, photographic capture/documentation of any data not extracted, and following the concepts of most forensically sound process to the least forensically sound process.

It wasn’t until the late summer of August 2006 that I took my first real cell phone analysis course taught by the infamous John Thackray, who was at that time an instructor for Micro Systemation (XRY).  That course essentially grounded all the concepts that were self taught and verified that what I had learned through all the forums, white papers and numerous other electronic and print sources was correct.  In essence I had followed sound practice and methodology as best as one could with the tools that existed.

In December of 2007 a mentor and very good friend of mine, encouraged me to write a small article on cell phone forensics based on what I had learned.  Well that article turned into a white paper that I co-authored with Rick Mislan in SSDFJ.  It was my first attempt at documenting general mobile device concepts and analysis procedures.  What I didn’t know was that this was just the start.

Not soon after, whilst I was doing some guest instruction at the Canadian Police College in Ottawa, several questions were posed about the structure of the BlackBerry IPD file.  It was then that I realized there really was not a single source document that talked about BlackBerry forensics, the BES, or even a detailed overview of the IPD structure.  This realization spawned another research project with several LE colleagues and culminated in a presentation at MFW 2009 on BlackBerry Forensics.

In summary exposure to an overwhelming number of devices since 2004, lots of self based learning through white papers, guidance from colleagues and peers, and determination allowed me to develop my abilities. 

AFoD: You've engaged in a considerable amount of research in the area of Blackberry forensics. What's the current state of digital forensics tools and methods for Blackberries?

SP: Eric, I have been doing Blackberry forensics for the last 6-7 years now.  I remember starting to see BlackBerry devices as early as 2004.  From that time onward, I have not observed any one entity or commercial group really tackle the logical data extraction and parsing for this device.
One of the earliest methods of analyzing blackberry data was to "mount" the backup IPD file inside a BlackBerry simulator through a virtual USB connection.  In 2004 really no tools supported parsing the IPD structure.  Then through the forums ABC Amber BlackBerry Converter was being mentioned as the best solution, with a low cost. 

It essentially did what no "forensic" tool could do at that time and even up to recently.  Between 2004 and up to 2010 we have the following state of BlackBerry forensics:

1. The developer and creator of the ABC Amber BlackBerry Converter appears nowhere to be found.  My last communication from him was received at the end of September 2010.  Any attempts to purchase the software fail.

2. None of the major forensic vendors either on the computer side or the mobile device side have really taken the time to properly decode the BlackBerry IPD file structure. 

2a. EnCase as of now at version 6.18 still does not support the decoding of this file.  There are two third party scripts that do a decent job of parsing the IPD.

2b. FTK 3.2 just started supported parsing of the IPD file but only decodes a certain number of databases.

2c. Paraben Device Seizure, Oxygen Forensic Software, UFED Physical Analyzer Pro only support parsing a select number of databases within the IPD file.

3. There is a distinct lack of a standalone product which can properly read, decode and display the parsed data to the investigator at a decent price.

I know that my own research along with that done by my colleagues has determined that not all the data present within the IPD structure is being parsed.  Part of the reason I believe, is due to the fact that very poor documentation exists on its structure.  So this requires some significant time and effort, where the generated test data that is decoded needs to be validated against not only the device that generated the IPD file but also across different OS versions.

Here is a list of commercial software that supports parsing of an IPD file created with either BlackBerry Desktop Manager or UFED Physical.

1. Cellebrite Physical Analyzer Pro Software

2. EnCase Script by 42 LLC available for free from their website

3. FTK 3.2 - ensure that compound files are checked off otherwise it wont work

4. BK Forensics, Cell Phone Analyzer

5. Oxygen Forensic Suite Analyst Version

6. Paraben Device Seizure

Free tools that will parse IPD files to varying degrees:

1. IPDdump

2. MagicBerry

Beyond the tools, there is no BlackBerry Forensics book.  This smart phone device has been around longer than the iPhone and Android devices and yet there are numerous whitepapers and 2 books on iPhone Forensics, and a forthcoming book on Android Forensics. I approached both O'Reilly and Syngress about publishing the research conducted in 2009 as a book.  Unfortunately neither publisher expressed interest in the manual.  Thankfully around September 2010 a well respected peer and colleague approached me about publishing this research to which he has taken on securing an editor, who has already reviewed the manual.  I hope to have the 2009 research published finally by the end of 2011.

AFoD: That's great news, Shafik. The community could really use a good book on Blackberry forensics. You're also involved in a tool development project for Blackberry forensics.  Can you tell us more about that effort?

SP: My research colleague and myself and have been involved in understanding how to deconstruct the blackberry IPD file and parse the user data. Unfortunately there is very little documentation on it. The technical article provided by RIM only outlines the header data and how to understand the basic structure of the data record block.  It does not provide the structure for example, for call records and call record variations (incoming, outgoing, missed).

So obviously we will have to develop our own documentation on how to decode the values and parse out as much data as is retained within the IPD file. I would love to talk to you about the tool.  However at this time, we’re just trying to find ways to bring new capabilities to the market that will enhance the search for data on the BlackBerry.

AFoD: Got it. You could tell me, but you'd have to kill me. A common theme that I see on the digital forensics email lists is confusion over what tools work best for mobile device forensics.  What sort of tools are you finding the most useful for your examinations?

SP: The tools that I find the most useful for my examinations at the current time are:

1. Cellebrite - good general purpose tool
2. .XRY Complete - good general purpose tool
3. Lantern - iPhone specific
4. Secure View 2 - good general-purpose tool
- Both Cellebrite and .XRY support certain models for physical level analysis; they dont do every phone in that manner. 

Flasher Boxes
1. UFS/Tornado - good for physical level binary dumps of specific supported models of cell phones

For iPhone Backup Files:
1. Mobile Sync Browser (Windows and Mac)
2. Juice Phone (Mac)
3. iPhone Backup Extractor (there are 2 apps with the same name made by different companies, unrelated to each other)
3a - iPhone Backup Extractor- (Windows, Mac and Linux)
3b iPhone Backup Extractor - (Mac)
4. iTwin - (Windows)

iPhone (NOT Forensic Tools)
1. Phone View (Mac)
2. iPhone Explorer (Windows, Mac)

Photographic
1. Fernico ZRT

SQLite Database Analysis
1. SQLite Personal Expert - Free verison (Windows)
2. SQLite 2009 Pro (Windows)
3. SQLite Spy (Windows)
4. Base (Mac)
5. Froq (Mac)
6. SQLite Database Browser (Mac, Windows, Linux)

BlackBerry IPD Parsing
1. ABC Amber BlackBerry Converter
2. UFED Physical Analyzer Pro
3. 42 LLC EnScript for IPD Parsing in EnCase
4. Paraben Devices Seizure - only for IPD parsing as last resort
5. Magic Berry (Windows)
6. IPDdump (Windows, Linux, Mac)

Cell Phone/Smart Phone Binary File Analysis
1. UFED Physical Analyzer Pro

Data Carving Cell Phone Files
1. Phone Image Carver
2. FTK 1.81.6
3. EnCase

Now this looks like a lot of tools that I have listed.  And yes I have used each and every one of them depending upon what I needed to do.  The tools that my agency has in its arsenal are also dependent both on our software budget and the types of mobile devices that we encounter.  As you well know that no one tool does it all.  So its good to have several toolkits that attempt to cover the most number of devices that you are encountering.

AFoD: What sort of advice would you give to someone who is already proficient in traditional computer forensics such as Windows forensic analysis, but wants to become proficient in mobile device forensics?

SP: Traditional computer forensic skills provide an excellent foundation for mobile device forensics. Several things to consider though are the following:
· Mobile device forensics is not static forensics in that you cannot "write-protect" a mobile device currently
· Every user action on a live device can cause unintentional changes to memory - this is unavoidable, try to minimize this impact by doing some research about the device ahead prior to analysis
· Mobile devices can be susceptible to remote manipulation or wiping if they are not isolated from all wireless connections
· If you end up altering data on the device due to "fat-finger syndrome" - document it!!!
· There is no all-in-one solution that does every single device that gets everything from the device
· There are different levels of analysis as identified in the tool classification system white-paper by Sam Brothers: Manual Extraction (capture contents of device display), Logical Extraction (file system only), Physical Extraction (hex dump), Chip Read, and Micro Read.
· As you move along this continuum, the methods become more technical and the tools become more expensive
· Don't forget to utilize traditional computer forensic tools in data carving or data parsing (iLooKIX, EnCase, FTK, WinHex, ProDiscover etc)

AFoD: Do you have particular books, blogs, training programs, and the like that you can recommend?

SP: Books
Just like there is no all in one tool for mobile devices, there is no all in one book for mobile devices. There are platform specific books that one can purchase specifically for iOS devices, Android and hopefully soon to be BlackBerry. :)
1. iPhone Forensics - Jonathan Zdziarski
2. Mac OS X, iPod and iPhone Forensic Analysis - Ryan Kubasiak
3. iOS Forensic Analysis - Sean Morrissey
4. iPhone and iOS Forensics -  Andrew Hoog, Katie Strzempka - release date June 2011
5. Android Forensics - Andrew Hoog - release date June 2011

Blogs and Forensic Groups
1. Mobile Telephone Evidence
2. Mobile Device Forensics
3. Mobile Forensics Central - operated by Teel Technologies
4. viaForensics
5. OS X Forensics Blog
6. Mobile Forensics Inc
7. Katana Forensics Blog
8. E-Evidence - contains a large repository of links, papers etc
9. Yahoo Cell Phone Forensic Groups - need yahoo account
10. SANS Forensic Blog
11. Small Scale Digital Device Forensics Journal
The above list is certainly not exhaustive. I encourage any of the readers to examine these links to find more.

Training Classes
1. Teel Technologies
2. viaForensics
3. MFI - Mobile Forensics Inc
4. SANS Mobile Device Forensics 563
5. Cellebrite
6. XRY Microsystemation
7. Katana Forensics - specific to iOS Forensics
8. BK Forensics
9. Canadian Police College - Cell Phone Seizure and Analysis Course
10. Search.org - has basic 101 type classes on cell phone seizure and analysis

Again, the list above is not exhaustive - it contains both vendor specific and vendor neutral training. Gear your training to what you are encountering in the lab, if it all possible.  Much of the basic level knowledge can be acquired also by reading the many white-papers and resources that are available through the links.

As one of my esteemed and learned colleagues always says: "No man is an island".  This means that having a wealth of forums and groups that you can participate in will help you as well, especially if you’re stuck.  You can’t know it all or be expected to know it all.  However, what I would expect analyst to know is the basic tenets/foundational principles for digital forensics, which can be learned from the online resources. One last thing: there have been updates to both Cellebrite and XRY products regarding BlackBerry IPD file parsing. Cellebrite 2.0 can parse more of the IPD file than its 1.x predecessor. XRY 5.4 will now parse an imported IPD file under the BlackBerry/RIM profile.  Although its a little unclear on how to do this unless you read the release notes.

AFoD:  As you look out over the next five years or so, what do you think mobile device forensics is going to look like given all of the innovation that we've seen not only from companies like Apple, Motorola, and the rest but from the companies that provide tools and training for mobile device forensics?

SP: Given the inevitable convergence of mobile platforms with the traditional operating systems, like iOS for example, the distinction between traditional computer forensics and mobile device forensics will not be so cut and dried.  In both type of digital forensics there is the common theme or element of live forensics.

Further, the use of solid state drives (that contain nand memory components) on desktop and laptop hardware, is already present in mobile platforms and their tablet cousins. This means that smart mobile and tablet devices will exceed the 64GB storage capacity in no time.  Examination of such devices will take almost as long as traditional data storage devices.  So don’t expect it to be quick and easy like it was several years ago pre 2007 where you could do at least 2 -3 phones a day through logical level analysis.

I think that flasher box and chip level analysis is going to become not only more affordable, and will become another widely used option for data extraction from almost any device that uses nand chips.  This will allow for recovery of deleted artifacts, but on the other hand this analytical method will require more training and will be considered an advanced method for analysis.  We might also find the Cellebrites and XRY's add in parsing capability for these binary dumps into their toolkits.

Consider that Teel Technologies is already doing flasher box and chip level extraction research and development in order to provide quality training, knowing that digital forensic techniques for mobile devices are going to this level.

Now some readers might be thinking, why is going to such a lower level for data extraction required?  The logical (or allocated) data might sometimes be not enough.  As it was in one important case that I worked on, where the binary level reads done by Cellebrite Physical was critical.  With Ron Seber's (Co-CEO of Cellebrite) assistance, I was able to decode and recover deleted pictures, text messages, contacts and call history from the nand memory chip of a Samsung device.

Another thing for the reader to note is the integration of mobile device artifact extraction and analysis within the traditional digital forensic tools.  Examples are EnCase and Access Data's FTK 3.x product.  They have already been doing this for the last several years, but are adding more capacity.  The MPE+ product for Access Data (developed in conjunction with MFI) is, I feel, another toolkit for the analyst that might be worthy to possess. 

With the ability of mobile device platforms, specifically becoming like the operating systems that we are familiar with, we can leverage tools like CacheBack (SiQuest Corporation) for analysis of Internet history, web pages, and Facebook Chat recovery.

And lastly we have already seen platform specific analytical tools like Lantern (Katana Forensics) developed specifically for iOS devices.  I don’t doubt that you will likely see one for the Android and BlackBerry devices as well. 

The only challenge will be this:  How much budget money does one have to be able to have a wide array of tools?  It is an accepted fact that the more tools you have at your disposal the more likely you are to be able to successfully analyze a device or a fixed system.  Software and hardware tools that allow us to do our jobs can be expensive, just like the training required in this area.

AFoD: What can we expect to see from you in the next year or so?

SP: I hope to have the 2009 research published and ready for MFW 2011.  If all goes well look for the book in Myrtle Beach for its opening debut. After that the book will only be available as a hard copy from the publishing arm of SiQuest Corporation. Or alternately if you take a Teel Technologies BlackBerry Forensics Class, it will be provided as part of the class content in the future.

Expect more R n D being done on smart phone devices in general.  This includes chip read methods, and analysis.  I am assisting where needed on this project, which is being led by my learned, esteemed colleague and very good friend Detective Bob Elder from Victoria Police Department (Victoria, BC.).  Both Bob and myself have our own private sector companies that do R n D as well as training.  We are lucky that our respective agencies have allowed us the privilege of doing this.  It benefits our LE agencies as well as us especially when it comes to expertise and qualifications.

The intent behind this method is to address any data storage device that uses NAND storage flash memory.  If we can remove the chip, read it and apply the correct flash translation layer algorithms then we can recover the data.

There are a number of mobile forensics training courses that are being offered by Teel Technologies from the basic 101 type classes to the advanced classes for the BlackBerry, iPhone and Android platforms.  For those readers that are interested, check out www.teeltech.com.  Teel has Mobile Forensics Central database repository where examiners can make query mobile devices to see which tools work with which devices. 

Teel also has a specially designed Advanced BlackBerry Forensics training course that was first given to the members of the US FDA back in January 2011.  I designed this course based on the work that I have done in this area over the last 6 years.  The course content consists of 10 chapters/modules, with over 500 pages of material, which includes concepts on OS 5 and OS 6 and BlackBerry Messenger data extraction and parsing.

Also keep an eye out for CacheBack (developed by John Bradley of SiQuest Corporation).  This is an excellent Internet history, web page reconstruction and Facebook Chat recovery tool.  I have observed this tool mature from its 2.x version to a much more stable and faster 3.5.x release where it now supports parsing of Safari, Firefox and Google Chrome artifacts from a Mac OS X system.  It simply amazes me how quickly John is able to release updates to his product and respond to any bugs or issues with CacheBack.  I know that when I have identified something, he usually has an update release within 48 hours.  I see that as dedication and commitment to one's clients.

The BlackBerry research will continue onward in conjunction with my very close friend and research colleague, Sheran Gunasekera.  He has a very informative blog which contains scattered thoughts on security, and also includes forensics.

Overall, I'm very excited about all the research and tools coming out this year.  The BlackBerry is no longer the blackbox system that it used to be.  My hope is that other examiners are able to benefit from my research and tackle forensic examinations of the device with a little more ease.