Using network traffic to verify mobile device forensic artifacts

This paper presents a method of verifying device type by examining network behavior. The approach is comparable to tools such as Nmap or Xprobe in that it can discern mobile operating systems (OS) using both active and passive network traffic. Our approach, which is based on repeatable experiments, suggests that the three major mobile OS vendors (i.e., Android, iOS, and Microsoft) throttle the network response to some traffic sent to them (e.g., ICMP pings) or requested by them (e.g., streaming TCP/IP) in different ways, likely to conserve battery power. This throttling affects the network behavior of the devices and how they handle certain events. As a proof of concept we took the following steps: (1) ICMP packets are actively sent to Android, iOS, and Microsoft mobile devices (i.e., ping), or (2) traffic is passively received by them (i.e., streaming video); (3) the resulting network traffic is analyzed; and (4) machine learning methods are trained to discern among the three OS types. We demonstrate that this method works well using either actively or passively generated network traffic. It is more flexible than methods that rely solely on MAC addresses or other historical analysis methods for identifying the mobile OS type.
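The pipeline the abstract describes (ICMP reply timing, timing features, classifier) as an added illustration; this is not code from the paper. The RTT bursts are constructed, and the feature set, the nearest-centroid classifier and the per-OS timing shapes are assumptions made for the example, not the paper's measurements.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed ICMP echo reply round-trip times in ms (None = no reply) for
# bursts of 8 pings. Illustrative values only, not measurements from the paper;
# each OS is given a different throttling shape (step-up, dropped replies, flat).
TRAINING: Dict[str, List[List[Optional[float]]]] = {
    "android": [[12.0, 13.1, 12.5, 48.0, 50.2, 49.7, 51.0, 50.4],
                [11.8, 12.9, 13.2, 47.5, 49.9, 50.8, 49.1, 50.0]],
    "ios":     [[9.8, 10.1, 9.9, 10.3, None, None, 10.0, None],
                [10.2, 9.7, 10.4, 9.9, None, 10.1, None, None]],
    "windows": [[30.5, 31.2, 30.9, 31.0, 30.7, 31.4, 30.8, 31.1],
                [31.0, 30.6, 31.3, 30.9, 31.2, 30.5, 31.0, 30.8]],
}

def features(rtts: List[Optional[float]]) -> List[float]:
    """Timing features that expose throttling: level, spread, step-up, loss."""
    seen = [r for r in rtts if r is not None]
    if not seen:                       # every echo request went unanswered
        return [0.0, 0.0, 0.0, 1.0]
    loss = 1.0 - len(seen) / len(rtts)
    slow = sum(1 for r in seen if r > 2 * min(seen)) / len(seen)  # delayed replies
    return [statistics.mean(seen), statistics.pstdev(seen), slow, loss]

Model = Tuple[Dict[str, List[float]], List[float]]

def fit(training: Dict[str, List[List[Optional[float]]]]) -> Model:
    """Nearest-centroid model: per-feature scale plus one scaled centroid per OS."""
    rows = [(name, features(b)) for name, bursts in training.items() for b in bursts]
    dims = len(rows[0][1])
    scale = [statistics.pstdev([f[i] for _, f in rows]) or 1.0 for i in range(dims)]
    centroids = {}
    for name in training:
        fs = [f for n, f in rows if n == name]
        centroids[name] = [statistics.mean(f[i] for f in fs) / scale[i] for i in range(dims)]
    return centroids, scale

def classify(model: Model, rtts: List[Optional[float]]) -> str:
    """Return the OS whose scaled centroid is closest to this burst's features."""
    centroids, scale = model
    x = [v / s for v, s in zip(features(rtts), scale)]
    return min(centroids, key=lambda n: sum((a - b) ** 2 for a, b in zip(x, centroids[n])))

MODEL = fit(TRAINING)

if __name__ == "__main__":
    # A fresh constructed burst, e.g. captured while verifying a seized device's claimed OS.
    print(classify(MODEL, [12.3, 12.8, 49.5, 50.1, 50.9, 49.0, 51.3, 50.6]))
```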
