Periodic Mobile Forensics

Use of smartphones and similar mobile devices is becoming ubiquitous within both government and industry, despite the devices’ vulnerability to malicious activity. As more sensitive enterprise information becomes available and accessible on these devices, the risk of data loss increases, and malicious activity on a device can leave that data exposed. Without an effective corporate monitoring solution in place for mobile devices, organizations lack the ability to determine when a compromise has occurred.

The Periodic Mobile Forensics (PMF) system is the result of MITRE research that applies traditional digital forensic techniques to remotely monitor and audit mobile devices. The research behind PMF ultimately attempts to improve the state of enterprise mobile device monitoring. At a high level, an enterprise mobile device with the PMF agent installed sends changed file system data to a remote server or cloud-based instance, allowing for extensive forensic processing and the offline application of traditional tools and techniques rarely applied in the mobile environment.

PMF is an agent-based enterprise system that performs periodic scans of a mobile device's block devices, identifying the ranges of data (bit sequences) that have changed since the previous scan. The offset locations of the changed ranges are stored in a local database on the device, and copies of the changed data are sent to a remote enterprise database, where identical content is stored once (de-duplication) so that only changes consume storage and bandwidth. Specialized tools allow an enterprise to reconstruct bit-for-bit copies (images) of a device's block devices as they existed at a given time, and then apply traditional forensic techniques to extract audit data from those reconstructed images. A reconstructed image can be compared against earlier images of the same device, or against an enterprise "gold" image, to identify malicious artifacts. A framework runs a set of forensic tools and techniques on the reconstructed images; its results are again stored in an enterprise database and can drive further analysis, and any audit output generated by PMF can be sent to an organization's central auditing system. Because reading a block device bit for bit requires privileged access, the agent necessarily runs inside the device it audits; the strength of the approach is that reconstruction and analysis happen off the device, where a compromised handset cannot alter the tools or the stored history of its own storage.
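The following is an added illustration of the block-level change tracking, de-duplicated storage and point-in-time image reconstruction described above. It is example code written for this page, not MITRE's PMF implementation: the 16-byte block size, the in-memory dictionaries standing in for the device-local and enterprise databases, the `Agent`/`EnterpriseStore` names and the 64-byte sample "block device" are all assumptions made for the demonstration.

```python
import hashlib

BLOCK_SIZE = 16   # assumed for the demo; real block devices use 4 KiB or larger blocks


def digest(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class EnterpriseStore:
    """Server side: content-addressed block store plus a per-scan change log."""

    def __init__(self):
        self.blocks = {}      # digest -> block bytes (stored once, however often it is sent)
        self.changes = {}     # scan_no -> [(offset, digest), ...]
        self.received = 0     # blocks shipped by the agent, counted before de-duplication

    def put(self, block: bytes) -> str:
        d = digest(block)
        self.received += 1
        self.blocks.setdefault(d, block)   # de-duplication: identical content stored once
        return d

    def record(self, scan_no: int, changed: list) -> None:
        self.changes[scan_no] = changed

    def reconstruct(self, scan_no: int, size: int) -> bytes:
        """Rebuild the bit-for-bit image as it looked at scan `scan_no` by replaying
        the change log from the first scan up to and including that scan."""
        layout = {}
        for n in sorted(self.changes):
            if n > scan_no:
                break
            for off, d in self.changes[n]:
                layout[off] = d
        image = bytearray(size)
        for off, d in layout.items():
            image[off:off + BLOCK_SIZE] = self.blocks[d]
        return bytes(image)


class Agent:
    """Device side: scans the block device, keeps changed offsets in a local table,
    and ships only the blocks whose content changed since the previous scan."""

    def __init__(self, device: bytearray, store: EnterpriseStore):
        self.device = device
        self.store = store
        self.local_db = {}    # offset -> digest seen at the last scan
        self.scan_no = 0

    def scan(self) -> list:
        self.scan_no += 1
        changed = []
        for off in range(0, len(self.device), BLOCK_SIZE):
            block = bytes(self.device[off:off + BLOCK_SIZE])
            d = digest(block)
            if self.local_db.get(off) != d:   # on the first scan every block counts as changed
                self.local_db[off] = d
                self.store.put(block)
                changed.append((off, d))
        self.store.record(self.scan_no, changed)
        return changed


def diff_images(a: bytes, b: bytes) -> list:
    """Offsets of blocks that differ between two reconstructed images (e.g. gold vs. current)."""
    return [off for off in range(0, len(a), BLOCK_SIZE)
            if a[off:off + BLOCK_SIZE] != b[off:off + BLOCK_SIZE]]


def demo() -> dict:
    # Constructed 64-byte "block device": four blocks, two of them identical.
    device = bytearray(b"A" * 16 + b"B" * 16 + b"B" * 16 + b"C" * 16)
    store = EnterpriseStore()
    agent = Agent(device, store)

    agent.scan()                                  # baseline scan
    gold = store.reconstruct(1, len(device))      # treat the first image as the gold image

    device[32:48] = b"X" * 16                     # simulated tampering of the third block
    second = agent.scan()
    current = store.reconstruct(2, len(device))

    device[32:48] = b"B" * 16                     # content restored to its original value
    agent.scan()

    return {
        "baseline_matches_device": gold == b"A" * 16 + b"B" * 32 + b"C" * 16,
        "second_scan_changed_offsets": [off for off, _ in second],
        "suspect_offsets": diff_images(gold, current),
        "history_intact": store.reconstruct(1, len(device)) == gold,
        "third_image_matches_gold": store.reconstruct(3, len(device)) == gold,
        "blocks_shipped": store.received,
        "blocks_stored": len(store.blocks),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo ships six blocks in total but stores only four unique ones: the duplicate "B" block in the baseline and the later restoration of block three are both absorbed by content-addressed de-duplication. Reconstructing scan 1 after later scans still yields the gold image, which is what lets an analyst go back to any point in the device's history rather than only to its present state.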

To discuss licensing or collaboration activities, please contact MITRE's TTO.

MITRE's Periodic Mobile Forensics detects malicious activities on smartphones that could leave sensitive data exposed.