androidforensicsandsecuritytesting--phpapp02


  • 8/9/2019 androidforensicsandsecuritytesting--phpapp02

    1/93

    ANDROID – FORENSICS AND SECURITY ANALYSIS

    Santhosh Kumar

    2/93

    r00t@b0x : whoami?

    Security Researcher for quite some time (certs: CEH)
    POC at Defcon Chennai.
    Currently working on ARM based Exploitation.
    Reported some web apps at Microsoft, Yahoo, Intel, IBM, Cisco etc.
    Currently doing Bachelors in Computer Science.

    3/93

    Agenda:

    Introduction to Android and its History.
    Study the Android File systems and Directories.
    Bypass Passcodes (All types of locks).
    Physical and Logical data extraction techniques.
    Reverse engineer Android applications.
    Indian cyber Laws.

    4/93

    Why forensics? WTH is this?

    Evidence for legal proceedings.
    Financial Crime.
    Pornography / Child Pornography (pedophiles).
    Sexual harassment (against women).
    Terrorism activity or national threat.
    Cyber threats.
    Counter intelligence. Murder or other crimes.
    Eg: Georgia Weidman attacked @confidenceconference Poland.

    5/93

    Introduction to Android. History??

    6/93

    Introduction to Android! History?

    Widely Used Smartphone OS with over 77% share in 2013.
    The man behind Android was

    7/93

    Android Features.

    Android has key features which are useful from the forensic point of view.
    Features like GPS, CDMA, LTE, WiMax, Wifi, Bluetooth etc. Google Play Store / Android Market is a rich source for forensic Analysis.
    Data Storage.
    Flash (or nand) memory.
    Internal Memory.
    External Memory.

    8/93

    Android Overview:

    Global System for Mobile Communications (GSM): Subscriber Identity Module or Unique Subscriber Identity Module (SIM or USIM) to identify the user for the cellular network. Eg: AT&T, T-Mobile (US); India: BSNL, AIRTEL.
    Code Division Multiple Access (CDMA). Eg: Sprint, Verizon (US); India: Tata Docomo, MTS.
    Integrated Digital Enhanced Network (iDEN), which is yet to be available in India & US Sprint.
    WorldWide Interoperability for Microwave Access (WiMax). US: Sprint; India: BSNL, Reliance.
    Long Term Evolution (LTE) (4G). US: AT&T, Sprint, T-Mobile, Verizon; India: Airtel, Aircel (TD-LTE).

     

    9/93

    Android Overview: S

    10/93

    Android Overview: Apps

    The Total Android Apps Crossed Over 1 Million in NOV 2013, with another 70000 Apps Published in JAN 2014.
    The other competitor, Apple, has a Strict App Uploading and Review Process which can take a long amount of time, on fulfilling many criteria and conditions. Sometimes the apps are denied even after a long review. iOS doesn't allow the apps which are away from the App Market.
    Google requires less process for submitting the app (such as the secure key). While Google has the power to Remove the app from the market, Ban Hammer the Developer and Remotely uninstall the app.

    11/93

    AOSP importance

    As Said Earlier AOSP maintains the development and releases new versions and fixes.
    Compiling the AOSP is the best way to understand the working of Android.
    http://source.android.com/source/initializing.html
    Not necessary for the Forensics analysts but useful for the Deep Experimentation.
    We won't be Doing that now.

    12/93

    Linux, Open source Software in Forensics

    Open source forensic tools have always been more effective in the digital forensic discipline. Open source tools always have the upper hand over closed source tools:
    The Power to View the source code and understand the working of it.
    The ability to share software and improve it by working together with the forensic community.
    Free or Low Cost.
    Linux is not only a critical component in Android but can be effectively used in forensic analysis.

    13/93

    LINUX commands:

    Android Forensics involves some Linux knowledge; the following commands are useful:

    man
    help
    cd
    mkdir
    mount
    rmdir / rm -rf
    nano
    ls
    tree
    cat
    dd
    find
    chown
    chmod
    sudo
    apt-get
    grep
    & and Many more .....

    14/93

    Environment Setup

    Ubuntu 32/64 bit (I recommend 64 bit) with Android SDK.
    Ubuntu 12.04 (precise) 64 bit running on vmware/virtualbox: http://www.vmware.com or http://www.virtualbox.org
    Have at least 20 Gb free Space and 2 GB ram.
    Have Windows for Some commercial tools (explained later).
    I recommend Santoku Linux, which is an entire hacking distro dedicated to Mobile forensics and Security: http://www.santoku-linux.com, which is indeed made by http://www.viaforensics.com, a Mobile Pentesting company.

    15/93

    16/93

    Android Architecture

    17/93

    HARDWARE DEVICES

    Smartphones
    Tablets
    Google TV, Car Audio Systems
    Google Glasses
    Smart Watch
    GPS, Fridge and Washing Machine (DFQ)
    Mirrors (you Saw it right :) cybertecturemirror.com
    Cameras
    Gaming consoles
    DECT phones (an Android Landline)
    Smart TV's
    8000+ android devices

    18/93

    ROM Booting process

    Stock Rom varies from manufacturer to manufacturer.
    Actually: the Phone booting process.
    Short Seven-step ROM booting process:
    Power on and boot ROM code execution
    The boot loader
    The Linux kernel
    The init process
    Zygote and Dalvik
    The system server
    Boot completed

    19/93

    ROM booting process

    http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html

    20/93

    Android Application Security Model

    Android, at the installation of the App (.apk), checks for the developer's unique signature (Not CA).
    Next it gives out the display of the android app file permissions. The source is located in AndroidManifest.xml.
    This file is the potential when it comes to forensic analysis and determining the permissions (malicious app).
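    The permission review described above, as an added example that is not part of the original deck: a small Python triage script over a decoded AndroidManifest.xml (the manifest inside an .apk is binary XML, so it is assumed to have been decoded first, e.g. with apktool as mentioned later in the deck). The watch-list of permissions and the sample manifest are constructed for the example; the script lists every requested permission, flags the watch-listed ones and reports components the app exports to other apps.

```python
import xml.etree.ElementTree as ET

# The android: XML namespace that prefixes name/exported attributes in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed watch-list of permissions worth a second look during triage of a
# suspicious app. This is an example list, not an official Android category.
WATCH_LIST = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def parse_manifest(xml_bytes):
    """Extract package name, requested permissions and exported components
    from a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(xml_bytes)
    package = root.get("package", "")
    permissions = [
        el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")
    ]
    exported = []
    application = root.find("application")
    if application is not None:
        for comp in application:
            if comp.tag in COMPONENT_TAGS and comp.get(ANDROID_NS + "exported") == "true":
                exported.append((comp.tag, comp.get(ANDROID_NS + "name", "")))
    return package, permissions, exported


def triage_manifest(xml_bytes):
    """Return a small report: which watch-listed permissions the app requests
    and which components it exposes to other apps."""
    package, permissions, exported = parse_manifest(xml_bytes)
    flagged = sorted(p for p in permissions if p in WATCH_LIST)
    return {
        "package": package,
        "permission_count": len(permissions),
        "flagged": flagged,
        "exported": exported,
    }


# Constructed sample manifest standing in for the output of apktool.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Example">
        <activity android:name=".MainActivity" android:exported="true"/>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".CollectorService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "requests", report["permission_count"], "permissions")
    for perm in report["flagged"]:
        print("  flagged:", perm)
    for tag, name in report["exported"]:
        print("  exported", tag + ":", name)
```

    The combination the sample shows (SMS access plus a receiver that runs at boot) is the kind of pattern that deserves a closer look in the decompiled code; the script only narrows down where to look, it does not decide maliciousness.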

    21/93

    Application process

    Quick review of the android app execution.
    Even though Android apps are made in Java, they are not executed in Java format.
    Each app gets a unique linux ID (uid) and Group ID (gid).
    Gets its own dedicated process and dedicated dalvik VM.
    The App Data gets stored in /data/data/<app process>, accessible only by that UID and GID (root exceptional).
    Apps can share the data with other apps using content providers.

    22/93

    Some files which are useful

    Cache.img: disk image of the /cache partition.
    Sdcard.img: disk img of the cache partition (img here is from the AVD emulator).
    Userdata-qemu.img: disk image of the data partition.
    … Useful in the areas of forensics

    23/93

    USB connection of the evidence device

    Different Devices have different options.
    The common four are: Charge only, file transfer, Sync, Internet tethering.
    Check the connection to the host by typing

    24/93

    Checking USB connection

    25/93

    Precautions: (must needed)

    Make sure to Disable the auto mount feature in ubuntu to prevent automatic detection and mounting of USB storage.
    Every fragile change could lead to alteration of evidence.
    A Hardware write blocker is useful to some extent.

    26/93

    SD card info

    Most of the SDCARD details are stored in /data/
    App details in /data/data (it differs :)

    27/93

    Android Debug bridge

    28/93

    Android Debug Bridge

    Most important component when it comes to android forensics.
    Consider it as a swiss army knife for forensics and security analysts.
    Enable usb debugging: developer options -> usb debugging.
    This will run adbd (daemon) on the device.
    Adbd runs on the user account (UID) unless prompted with the root privileges.
    If your device is locked then it is difficult to unlock usb debugging (not 100% impossible).

    29/93

    ADB components

    Adbd on the devices.
    Adbd on the workstation.
    Adb on the workstation.
    Adb is free, the primary tool for forensics and of course open source.

    30/93

    Adb shell example

    Adb shell gives out a lot of information (depends on root or not).
    The Data folder is useful when you are rooted.

    31/93

    Data from adb

    Sms History (Deleted).
    Contacts (com.phone.android)
    Call history: received, deleted, missed etc.
    Databook
    Events.
    Calendar.

    32/93

    File Systems

    Lots of file systems in the android operating system.
    More than a dozen are in use.
    The main three are EXT / FAT32 / YAFFS2. Source for the user data.

    33/93

    34/93

    Data Storage methods

    The main methods where sensitive data is stored:
    Shared preferences
    Internal storage
    External storage
    Sqlite3
    Network

    35/93

    Shared preferences

    It is where all the data which is shared between the apps is stored.
    Key values are stored in XML files.
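    To show what "key values stored in XML files" looks like in practice, here is an added Python example (not from the original deck) that parses a shared_prefs file pulled from an app's /data/data/<package>/shared_prefs directory and flags keys whose names suggest a secret kept in plaintext. The sample file and the key-name heuristic are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pattern for key names that often hold secrets; an example
# heuristic, not an Android rule.
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|api[_-]?key|pin\b)", re.IGNORECASE)


def parse_shared_prefs(xml_bytes):
    """Parse the <map> element of a shared_prefs XML file into a dict."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "map":
        raise ValueError("not a shared_prefs file: root element is %r" % root.tag)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = [s.text or "" for s in el.findall("string")]
    return prefs


def find_sensitive_keys(prefs):
    """Keys whose names suggest a secret stored in plaintext."""
    return sorted(k for k in prefs if SENSITIVE_KEY.search(k))


# Constructed sample shared_prefs file.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">constructed-sample-token-value</string>
    <string name="server_pin">1234</string>
    <boolean name="remember_me" value="true" />
    <int name="login_count" value="7" />
    <set name="recent_servers">
        <string>srv1.example</string>
        <string>srv2.example</string>
    </set>
</map>
"""

if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    for key in find_sensitive_keys(prefs):
        print("plaintext secret candidate:", key, "=", prefs[key])
```

    For an examiner this is evidence of what the app stored; for an app developer the same finding says the value belongs in the Android keystore or at least encrypted before it reaches shared preferences.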

     

    36/93

    Internal Storage

    Common in most of the systems: ext3, ext4, yaffs2.
    Unrooted user cannot access /data/data as it is encrypted. root is needed for viewing the contents.

    37/93

    Internal storage

    u0_a0 is the owner, meaning it is the user who installed the app.

    38/93

    External Storage

    It has fewer restrictions when compared to the internal storage.
    FAT32 is the commonly found file system on the sdcard.
    As suggested earlier most apps' data is stored here; it is better to look here.

    39/93

    40/93

    SQLITE3 some useful commands

    sqlite3 dbfilename    : Loads the db
    .tables               : Shows the tables
    .headers on|off       : Turns headers on/off
    .mode                 : Output mode file type
    Select * from table   : Displays the table attributes
    .dump ?table?         : Dump the table
    .quit                 : Exit the shell prompt

    41/93

    Sqlite3 database example

    Little catch: sqlite3 is not installed in real phones by default.
    For test conditions I have used the avd emulator from android.
    Those databases have lots of tables which can be real handy.
    Some native roots have sqlite3 symlinked by default.
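    The same .tables / .headers / SELECT / .dump workflow from the two slides above, as an added Python example (not the deck's own material) using the standard sqlite3 module instead of the shell, which is handy because the shell is not present on most real phones anyway. It opens the pulled database read-only (a URI with mode=ro) so that a query can never alter the evidence copy, and refuses table names that are not in sqlite_master. The sms-style database it builds is constructed for the example.

```python
import os
import sqlite3
import tempfile
from contextlib import closing


def build_sample_db(path):
    """Create a constructed sms-style database standing in for a pulled file."""
    with closing(sqlite3.connect(path)) as con:
        con.executescript("""
            CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, type INTEGER, body TEXT);
            INSERT INTO sms VALUES (1, '+10000000001', 1394000000000, 1, 'constructed inbound message');
            INSERT INTO sms VALUES (2, '+10000000002', 1394000100000, 2, 'constructed sent message');
            CREATE TABLE threads (_id INTEGER PRIMARY KEY, snippet TEXT);
            INSERT INTO threads VALUES (1, 'constructed thread');
        """)
        con.commit()


def open_readonly(path):
    """Open the evidence copy read-only so that queries cannot alter it."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_tables(path):
    """Equivalent of .tables"""
    with closing(open_readonly(path)) as con:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]


def dump_table(path, table):
    """Equivalent of .headers on + SELECT * FROM table; returns (headers, rows)."""
    if table not in list_tables(path):  # never splice an unchecked name into SQL
        raise ValueError("no such table: %s" % table)
    with closing(open_readonly(path)) as con:
        cur = con.execute('SELECT * FROM "%s"' % table)
        headers = [d[0] for d in cur.description]
        return headers, cur.fetchall()


def dump_sql(path):
    """Equivalent of .dump: schema and rows as SQL text."""
    with closing(open_readonly(path)) as con:
        return "\n".join(con.iterdump())


def is_readonly(path):
    """True when a write attempt is rejected, i.e. the copy is protected."""
    with closing(open_readonly(path)) as con:
        try:
            con.execute("DELETE FROM sms")
        except sqlite3.OperationalError:
            return True
    return False


def demo():
    """Build the sample db in a temp dir and run the read-only dumps over it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")
        build_sample_db(path)
        headers, rows = dump_table(path, "sms")
        dump = dump_sql(path)
        return {
            "tables": list_tables(path),
            "headers": headers,
            "rows": rows,
            "readonly": is_readonly(path),
            "dump_has_rows": "constructed inbound message" in dump,
        }


if __name__ == "__main__":
    result = demo()
    print("tables:", result["tables"])
    print("headers:", result["headers"])
    for row in result["rows"]:
        print(row)
    print("write attempt rejected:", result["readonly"])
```

    Work on a copy of the pulled file even with mode=ro; the read-only mode protects against accidental writes by your own queries, not against a tool that opens the file some other way.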

    42/93

    43/93

    Logcat

    Displays almost everything that's been going around your device in the adb shell: http://developer.android.com/tools/help/logcat.html
    Has different parameters.
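    Logcat output is only useful once it is structured, so here is an added Python example (not part of the original deck) that parses lines in logcat's threadtime format, filters by priority the way "logcat *:W" does, counts messages per tag, and pulls out which processes crashed from the AndroidRuntime FATAL EXCEPTION block. The log lines are constructed for the example; an unparseable line is kept as raw text rather than silently dropped.

```python
import re
from collections import Counter

# Matches the "threadtime" logcat format:
#   MM-DD HH:MM:SS.mmm  PID  TID  PRIORITY  TAG: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<prio>[VDIWEF])\s+"
    r"(?P<tag>[^:]*?)\s*:\s?(?P<msg>.*)$"
)

PRIORITY_ORDER = "VDIWEF"  # verbose .. fatal, as logcat ranks them


def parse_logcat(text):
    """Turn raw logcat text into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOGCAT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["tid"] = int(rec["tid"])
            records.append(rec)
        else:
            records.append({"raw": line})  # keep separators / unknown lines
    return records


def at_least(records, prio):
    """Records whose priority is prio or higher (like 'logcat *:W')."""
    floor = PRIORITY_ORDER.index(prio)
    return [r for r in records
            if "prio" in r and PRIORITY_ORDER.index(r["prio"]) >= floor]


def tag_counts(records):
    """How many messages each tag produced; a quick view of what was busy."""
    return Counter(r["tag"] for r in records if "tag" in r)


def crashed_processes(records):
    """Package names from 'FATAL EXCEPTION' blocks written by AndroidRuntime."""
    crashed = []
    fatal_seen = False
    for r in records:
        if r.get("tag") != "AndroidRuntime":
            continue
        msg = r["msg"]
        if msg.startswith("FATAL EXCEPTION"):
            fatal_seen = True
        elif fatal_seen and msg.startswith("Process: "):
            crashed.append(msg[len("Process: "):].split(",")[0])
            fatal_seen = False
    return crashed


# Constructed sample capture, shaped like "adb logcat -v threadtime" output.
SAMPLE_LOGCAT = """\
03-10 12:00:01.001   812   830 I ActivityManager: Start proc 2101:com.example.app/u0a57 for activity com.example.app/.MainActivity
03-10 12:00:01.250  2101  2101 D ExampleApp: loading preferences
03-10 12:00:02.004  2101  2101 W ExampleApp: network unavailable, retrying
03-10 12:00:03.117  2101  2101 E AndroidRuntime: FATAL EXCEPTION: main
03-10 12:00:03.118  2101  2101 E AndroidRuntime: Process: com.example.app, PID: 2101
03-10 12:00:03.118  2101  2101 E AndroidRuntime: java.lang.NullPointerException
03-10 12:00:03.500   812   830 I ActivityManager: Process com.example.app (pid 2101) has died
--------- beginning of main
"""

if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOGCAT)
    print(len(recs), "records,", len(at_least(recs, "W")), "at warning or above")
    print(tag_counts(recs).most_common())
    print("crashed:", crashed_processes(recs))
```

    Logcat is a ring buffer in memory, so capture it before the device reboots or the buffer rolls over; the parser only makes the capture searchable afterwards.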

    44/93

    45/93

    46/93

    Enable usb debugging when locked?? Possible

    47/93

    Enable usb debugging when locked?? Possible: BST (best smart tools)

    48/93

    Crack the codes

    49/93

    Unlucky still? Here comes the passcode breaking!

    Very useful when it comes to forensics! Nothing beats this.
    Various techniques for breaking android passcodes.
    A few will be discussed here.
    There is no direct rule for breaking passcodes.

    50/93

    51/93

    Types of passwords?

    52/93

    Cracking techniques

    Smudge attack
    Pattern lock vulnerability.
    psneuter with adb, usb debugging (if enabled). Cracking the password key.
    Face unlock pwn with a picture.
    Continues to evolve ....

    53/93

    Smudge attack

    The screen (digitizer) is a reflective surface; the smudge (pattern) diffuses in the glass.
    Being dust particles, when exposed to light they reflect it. A camera setup to capture the overexposed image around 68 times will give an 80% correct image.
    It gives out the display pattern.
    Not always working: playing temple run could remove the smudge totally.

    54/93

    Smudge attack

    55/93

    Pattern Lock crack

    The Pattern creates a file in /data/system/gesture.key
    The Hash is stored there. If a custom recovery is installed, like TWRP recovery, CWM recovery etc.:
    Remove the key using the rm command and recreate it using your own hash.

    56/93

    Pattern Lock crack

    The Key can also be decrypted! Some sites do give services for free.

    57/93

    Cracking pins

    When passwords/pins are used they are stored in /data/system/password.key
    As you can see it is not in plaintext but as Random+sha+md5.
    Not easy; depends on the nature of the password.
    Pull the salt from /data/data/com.android.providers.settings/databases/settings.db and get the password from above.
    Put them in the folder and try to attack them in password recovery tools such as hashcat / John the ripper by bruteforcing them.

    58/93

    Pwn face & voice unlock

    Not secure at all when google introduced it in android 4.0.
    Reported to unlock with the photo of the person.
    After the kitkat android update the face unlock went through a change where the person has to unlock by blinking the eye, which shows the liveness of the captured image.
    Again easily broken by duck faces, smiling images from facebook :

    59/93

    60/93

    Get fRoSted

    The Frost Security Team was able to break the encryption by cooling the device to 5 C in 60 minutes.
    Switch off and Flash the Frost Recovery.
    Not the entire AES keys are decrypted. Some bits were decayed.

    61/93

    62/93

    G0t r00t?

    63/93

    64/93

    Types of r00t?

    Temp root: gives you root access till you reboot the device.
    Recovery root: a custom recovery such as clockworkmod (CWM), twrp etc will give root access in the recovery.
    Permanent root: install su to the system, leaving a huge footprint. Most custom roms have perm root by default, eg: cyanogenmod, omni, paranoid etc.

    65/93

    Temporary root

    Temp root is something essential when it comes to forensics. (z4root.apk)
    Doesn't work on all devices; test it first before using.

    66/93

    psneuter: a temp root solution.

    Neuter is an android server; this app exploits that server giving us a temporary solution.

    adb devices
    adb push psneuter /data/local/tmp
    adb shell
    cd /data/local/tmp
    chmod 777 psneuter
    ./psneuter

    67/93

    Permanent root

    Not good as far as forensics is concerned.
    Leaves a huge footprint altering the evidence. Search xda for more roots.

    68/93

    R00t with binary

    Gives root to almost all the 4.0 to 4. devices.

    69/93

    Kingo android root

    This one gives root over all 4.2.x, 4.3.x, 4.4.x

    70/93

    Android forensic techniques

    Logical and physical acquisition.
    Open source tools and some commercial tools: QtADB, Andriller, cellebrite, paraben, viaextract …

    71/93

    Logical vs physical Acquisition

    Logical:
    Access to file systems.
    Data which is already available to the user.
    Eg: ADB pull, aflogical.

    Physical:
    Exploring the memory, not the file system.
    More data than logical, by breaking passwords etc.
    Hardware and software.

    72/93

    Logical Sdcard acquisition

    Apps' Data gets stored in /data, which is encrypted and needs root access.
    SD cards are where the user's stuff stays (audio, video, maps). Uses the cross platform FAT FS.
    Most backups are stored in the Sdcard.
    .apk's in the sdcard might be encrypted.
    Useful when 3rd party apps are analysed.

    73/93

    ADB pull logical
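    The deck's precautions slide warns that any change alters evidence, and a logical ADB pull produces a directory tree that is easy to alter by accident. This added Python example (not from the original deck) records a SHA-256 manifest of a pulled tree and later verifies it, reporting modified, missing and added files. The tree it hashes is constructed in a temporary directory to stand in for the output of an "adb pull" of the sdcard; in real use you would point hash_tree at that output directory.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def write_manifest(root, manifest_path):
    """Record the hashes right after acquisition, outside the evidence tree."""
    hashes = hash_tree(root)
    with open(manifest_path, "w") as f:
        json.dump(hashes, f, indent=2, sort_keys=True)
    return hashes


def verify_tree(root, manifest_path):
    """Compare the tree against the manifest and report what changed."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed stand-in for an 'adb pull' output directory: build a small
    tree, record its hashes, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        pulled = os.path.join(tmp, "sdcard")
        os.makedirs(os.path.join(pulled, "DCIM"))
        with open(os.path.join(pulled, "DCIM", "IMG_0001.jpg"), "wb") as f:
            f.write(b"constructed jpeg bytes")
        with open(os.path.join(pulled, "notes.txt"), "w") as f:
            f.write("constructed note\n")
        manifest = os.path.join(tmp, "sdcard.sha256.json")
        write_manifest(pulled, manifest)
        clean = verify_tree(pulled, manifest)
        # Simulate an accidental alteration of the evidence copy.
        with open(os.path.join(pulled, "notes.txt"), "a") as f:
            f.write("appended later\n")
        os.remove(os.path.join(pulled, "DCIM", "IMG_0001.jpg"))
        with open(os.path.join(pulled, "extra.log"), "w") as f:
            f.write("new\n")
        tampered = verify_tree(pulled, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("right after acquisition:", before)
    print("after tampering:", after)
```

    Keep the manifest with the case notes rather than inside the pulled tree, and hash the source partition image the same way when a physical acquisition is taken, so that every later analysis step can be shown to have worked on unchanged data.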

    74/93

    QtADB

    75/93

    AFLogical

    Data Extraction tools.
    Free for law enforcement agencies.
    Records call logs, contacts etc.
    DEMO

    76/93

    UFED touch ultimate

    UFED Touch Ultimate enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. Cost: 10000$

    77/93

    UFED whatsapp analysis

    78/93

    Device Seizure

    79/93

    Device Seizure: Report

    80/93

    Andriller

    An alternative and a powerful open source tool.
    http://android.saz.lt/
    Made by Denis Sazonov @den4uk (https://twitter.com/den4uk)
    Give it a try, you won't regret it.
    DEMO……..

    81/93

    Photos

    Try looking here for more evidence.

    82/93

    Reversing Apk's

    Rename the Android app (.apk) to .zip.
    Extract the zip.
    Run dex2jar on the extracted file. Open the .jar in a Java decompiler.
    APKTOOL
    Androguard, Apkinspector

    83/93

    Android/Torec.

    First ever Android based Tor malware which was found in the wild.
    REVERSING DEMO

    84/93

    Future of Android forensics

    The future research work will be on SEAndroid.
    Contributed by the National Security Agency (NSA) *cough*
    Motto: to have a secure android.

    85/93

    Wait! Wait? Wait?

    86/93

    Wait! Wait? Wait?

    SEAndroid was already defeated. The CVE-2013-6282.
    Pau Oliva Had a POC based on a toshiba tablet running 4.3 JB.

    87/93

    INDIA

    88/93

    INDIA cyberlaws

    Device as target or weapon
    IT act 2000
    IT amendment ACT (2008)
    Rules under 66, 43, 79
    SECTION 65
    http://www.cyberforensics.in/
    http://deity.gov.in/content/cyberlaws

    89/93

    QUESTIONS?

    90/93

    91/93

    92/93

    References:

    viaforensics.com
    Forensicfocus.com
    cellebrite.com
    android.saz.lt
    exploit-db.com
    http://www.forensicswiki.org/wiki/Cell_Phone_Forensics
    xda-developers.com

    93/93