Who is the owner of the mobile device?

Privacy is the basis of democracy. Therefore, the support teams of forensic software developers sometimes get requests like this:

‘We need Software to identify the owner of smartphone & tablets regarding to the data on the phone to avoid deception. We are working for insurances that send us phones from customers who would like to recover their data. We would like to avoid with your software the customer who sends us the phone of someone else. If you have any ideas how I can do this.’

 

This article explains how to identify the owner of a mobile device.

 

Who is the owner of the iOS device?

Before you can determine who owns the iPhone, you need to extract data from it. This can be done by following the instructions in ‘Acquisition and forensic analysis of Apple devices’.

After extracting the data from the iOS device, go to the ‘File System’ tab. Navigate to ‘SystemPreferenceDomain’ – ‘SystemConfiguration …’

Figure 1. The ‘File System’ tab of Belkasoft Evidence Center.

In this section there will be several .plist files, some of which contain the device owner’s name (this name is set by the device owner). Click on the preferences.plist file. At the bottom of Belkasoft Evidence Center, click on the ‘plist’ tab, go to the subkey ‘ComputerName’.

Figure 2. The contents of the preferences.plist file.

Click on the file com.apple.mobilegestalt.plist. At the bottom of Belkasoft Evidence Center, click on the ‘plist’ tab, go to the subkey ‘UserAssignedDeviceName’.

 

Figure 3. The contents of the com.apple.mobilegestalt.plist file.

As you can see in Figures 2 and 3, the owner of this iOS device is ‘iPhone User’.

Also, you can extract the data from iOS devices using iTunes.

 

iTunes backups can be found in the following locations:

Windows XP: C:\Documents and Settings\%User Name%\Application Data\Apple Computer\MobileSync\Backup\

Windows 7, Vista, 8, 10: C:\Users\%User Name%\AppData\Roaming\Apple Computer\MobileSync\Backup\

macOS: ~/Library/Application Support/MobileSync/Backup/

 

 

iTunes backups look like this:

 

Figure 4. iTunes Backup device with iOS 10 and higher.

Figure 5. iTunes Backup device with iOS below 10.

Every iTunes backup contains an info.plist file. It contains the following information [1]:

Device name and display name: This is the name of the device, which typically includes the owner’s name.

ICCID: This is the Integrated Circuit Card Identifier, which is the serial number of the SIM.

Last backup date: This is the timestamp of the last successful backup.

IMEI: This is the International Mobile Equipment Identity, which is used to identify the mobile phone.

Phone Number: This is the phone number of the device at the time of backup.

Installed applications: This is the list of application identifiers on the device.

Product type and production version: This is the device’s model and firmware version.

Serial number: This is the serial number of the device.

iTunes version: This is the version of iTunes that generated the backup.

Target Identifier and Unique Identifier: This is the UDID of the device.

 

This file can be opened with any plist viewer. As a last resort, its contents can be viewed in Notepad or Internet Explorer.

 

Open the info.plist file in Notepad or Internet Explorer and find the subkeys ‘<key>Device Name</key>’ and ‘<key>Display Name</key>’. These subkeys will indicate the device owner.

Figure 6. Fragment of the contents of the info.plist file.
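The same lookup can be scripted instead of reading the file by eye. The following Python sketch is an added example, not part of the original article or of any tool it mentions: it parses an info.plist and separates owner-name hints from device identifiers. The sample plist, its values, the identifier key spellings and the list of uninformative default names are constructed assumptions.

```python
import plistlib

# Constructed sample using the keys described above (not from a real device).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Device Name</key><string>Steve's iPhone</string>
    <key>Display Name</key><string>Steve's iPhone</string>
    <key>ICCID</key><string>8900000000000000000</string>
    <key>IMEI</key><string>000000000000000</string>
    <key>Last Backup Date</key><date>2017-03-01T10:15:00Z</date>
    <key>Phone Number</key><string>+1 (555) 010-0000</string>
    <key>Serial Number</key><string>CONSTRUCTED001</string>
</dict>
</plist>
"""

OWNER_KEYS = ("Device Name", "Display Name")
# Assumed key spellings for the identifiers listed in the article.
ID_KEYS = ("Phone Number", "IMEI", "ICCID", "Serial Number", "Last Backup Date")
# Assumed examples of names that say nothing about the owner.
GENERIC_NAMES = {"iphone", "ipad", "iphone user"}


def owner_hints(raw: bytes) -> dict:
    """Extract owner-name hints and corroborating identifiers from info.plist bytes."""
    info = plistlib.loads(raw)  # accepts both XML and binary plists
    names = {str(info[k]).strip() for k in OWNER_KEYS if info.get(k)}
    return {
        "names": sorted(names),
        # Names that are only a default label are reported separately.
        "informative_names": sorted(n for n in names if n.lower() not in GENERIC_NAMES),
        "identifiers": {k: str(info[k]) for k in ID_KEYS if k in info},
        # Missing keys are worth recording in the examination notes.
        "missing": [k for k in OWNER_KEYS + ID_KEYS if k not in info],
    }


if __name__ == "__main__":
    for field, value in owner_hints(SAMPLE_INFO_PLIST).items():
        print(field, "->", value)
```

For a real case, pass the bytes of the info.plist taken from a working copy of the backup folder, never from the original evidence.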

 

Who is the owner of the Android device?

The best source of information about the Android device is its physical dump. Much less useful information can be extracted from the backup of this device.

 

There are a lot of ways to get physical dumps and backups of Android devices. Another article will explain how to make physical dumps and backups of Android devices. Unfortunately, there is no file like info.plist for Android devices, but information about the owner of the phone can be partially found in many files. Here are some of them [2]:

 

\system\accounts.db (or \data\system\users\0\accounts.db): This SQLite database lists all of the accounts that are used on the Android device. The app username and password can be found in this file. As of version 2.3, the password value is no longer plain text but a Base64-encoded value. For an expert, this can be useful information for identifying usernames for specific Android accounts.

Figure 7. The contents of the file \data\system\users\0\accounts.db. From this file, live records and deleted records can be extracted.

\system\sync\accounts.xml: Android devices give the user the possibility to sync all data across accounts. For an expert, this can create recoverable evidence because the account usernames for apps are listed in this file. The expert can connect the username with the associated app with the help of the information found in the accounts.xml file.

 

\data\com.android.browser\databases\autofill.db: This SQLite database stores user-saved information, such as name and address information, used to complete the forms stored within the browser history.

 

\data\com.google.android.apps.plus\shared_prefs\accounts.xml: This XML file includes the account information for the Google+ account.

Figure 8. Fragment of the file \data\com.google.android.apps.plus\shared_prefs\accounts.xml

\data\com.google.android.talk\shared_prefs\accounts.xml: This Google Hangouts XML file gives the main information about the Hangouts account owner and the preferences for the account.
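The accounts.db review described above can also be scripted. The following Python sketch is an added example, not part of the original article: it opens a working copy of the database read-only and ranks account names by how many apps use them, since a name that recurs across apps is a stronger owner hint. The reduced table layout (an ‘accounts’ table with ‘name’ and ‘type’ columns) and all sample rows are constructed assumptions.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path):
    """Create a constructed stand-in for accounts.db (assumed, reduced schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts "
                "(_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts (name, type, password) VALUES (?, ?, ?)", [
        ("steve.example@gmail.com", "com.google", "constructed"),
        ("steve.example@gmail.com", "com.example.chat", None),
        ("+15550100000", "com.example.messenger", None),
    ])
    con.commit()
    con.close()


def rank_account_names(path):
    """Return [(account name, [account types])], most widely used name first."""
    # mode=ro makes SQLite refuse writes, so the working copy is not modified.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # Only name and type are read; the password column is left alone.
        rows = con.execute(
            "SELECT name, type FROM accounts ORDER BY name, type").fetchall()
    finally:
        con.close()
    by_name = {}
    for name, account_type in rows:
        by_name.setdefault(name, []).append(account_type)
    return sorted(by_name.items(), key=lambda item: (-len(item[1]), item[0]))


def demo():
    """Build the constructed database in a temporary folder and rank its names."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "accounts.db")
        build_sample_db(db_path)
        return rank_account_names(db_path)


if __name__ == "__main__":
    for name, types in demo():
        print(name, "->", ", ".join(types))
```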

 

Conclusion

The article has described how to extract information about the device owner from iOS and Android mobile devices. Most devices contain their owner’s first and last name, or at least the first name, as in ‘Steve’s iPhone’. Records like ‘iPhone user’ or ‘Mom’s phone’ are very rare.

 

A deeper search for the owner of the phone includes an analysis of the phone owner’s accounts on social networks and forums, which can be found using the phone numbers, email addresses, browser history, etc., extracted from the mobile device.

 

 

Sources:

  1. Practical Mobile Forensics. Second Edition by Heather Mahalik and Rohit Tamma
  2. Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation by Lee Reiber

 

Authors:

Igor Mikhaylov & Oleg Skulkin