Venue: IEEE Annual Consumer Communications and Networking Conference

Using network traffic to verify mobile device forensic artifacts


Abstract

This paper presents a method of device type verification via network behavior examination. This work is compared to methods and applications like Nmap or Xprobe, because it is capable of discerning mobile operating systems (OS) by using both active and passive network traffic. Our approach, which is based on repeatable experiments, suggests that the three major mobile OS vendors (i.e., Android, iOS, and Microsoft) throttle down the network response to some network traffic sent to them (e.g., ICMP pings) or requested by them (e.g., streaming TCP/IP) in different ways, likely to conserve battery power. Consequently, this affects the network behavior of the devices and how they handle certain events. We took the following steps as a proof of concept: (1) ICMP packets are actively sent to (i.e., ping) or (2) passively received by (i.e., streaming video) Android, iOS, and Microsoft mobile devices, (3) the resulting network traffic is analyzed, and (4) machine learning methods are trained to discern among the three OS types. We demonstrate that this method works well using either actively or passively generated network traffic. This method is more flexible than methods that rely solely on MAC addresses or other historical analysis methods for the identification of mobile OS type.