Mobile Forensics - Approfondimenti tecnici e particolarità ...piva.mobi/wp-content/uploads/2015/10/Matteo-Udine... · Informatica forense Mobile Forensics - Approfondimenti tecnici

Informatica forenseMobile Forensics - Approfondimenti tecnici

e particolarità degli smartphone

Udine, 11 maggio 2015A cura di Matteo Brunati

2

Me, Myself & I

● IT Security consultant– Design & development of IT Security solutions

– IT Security consultancy: EH, Computer Forensics, Crypto Currencies, etc.

– Business Innovation R&D

– Seminars, courses

● Certifications: ISACA CISA (almost...)● Pubblications: lcFE (2001-2004), OISSG ISSAF (<2006),

Bachelor Thesis (ICME'10)● Scout and Judo, from time to time... ;)

http://www.oissg.org/files/issaf0.2.1B.pdf

6

Digital Evidence: Examples● E-mails● Documents● Documents meta-data: EXIF, documents author/date/...,

PDFs informations, ...● Internet browser history● SIM card● Memory: RAM, HDD, SSD, ...● GPS tracks● Media files (video, audio, images)● Aircrafts Black Box● ...

10

Forensics Acquisition● Identify the device to acquire: photos, hardware infos

(IMEI, brand, serial #, etc.)● Try to leave the device in the power state it's found

– If turned off: 1) Remove battery 2) Remove SIM card 3) Remove SD Card

– If turned on: Isolate it

● Phone isolation: airplane mode (modify phone state), faraday cage, tinfoil, jammer

● Use Write Blocker whenever possible:1) Hardware 2) Software

● Acquire device date and time

11

Hardware Tools: Faraday Bag/Box

12

Hardware Tools: Write Blocker

13

Hardware Tools: Jammer

14

Mobile Device Components

● Device informations: Hardware● SIM card: SIM cloning, SIM Acquisition● Flash card: custom hardware/software

– Logic

– File system

– Physical

● Mass storage: usual DF techniques● Cloud: depends...

15

Software Tools: Proprietary

● Cellbrite UFED● Micro Systemation XRY● Oxygen Forensics● MOBILEdit● ViaForensics: Android, soon iOS● Katana Forensics Lantern: iOS

16

Software Tools: Open Source

● Logical acquisition (your Linux machine, Santoku)– iOS: libidevicebackup (for enc. bkps ElcomSoft

Password Recovery Bundle)

– Android: adb, AFLogical OSE

– External mass storage: dd, dcfldd, Guymager

● Physical acquisition: Android Forensics, Physical Techniques RIP

17

Software Tools: Open Source (cont'd)There is no “does everything” tool● Image analysis:

– iOS: libidevicebackup, iPBA2

– Extrenal mass storage: Autopsy

● Carving: foremost, scalpel, ks, Photorec, Bulk Extractor, etc.

● Apps: skype, whatsapp (WhatsappXstract, Backup Text for Whats), viber (Backup Text for Viber), AFLogical OSE

18

Carving

Recovering data from disk – the raw way ;)● Doesn't care about partition types● Doesn't care about deleted/existing files

– We just need that the file has been saved at least once on the file system

● Search for the file magic number [1], [2]● Recover as much as possible of the file

remainings

19

SSD nightmareThe SSD physical and controller chips properties makes very hard and sometimes unpredictable to retrieve deleted data.● Wear levelling● TRIM

But it is not always the case, it depends on :)● Operating System type and version● SSD drive● File system type● ...

20

Android examples: broken screen

How to access and Android devices with a broken screen?→ Emulating user inputs :)

$ adb shell input keyevent 26 # power$ adb shell input text <PIN> && adb shell input keyevent 66 # input PIN and hit enter

$ adb shell input keyevent 4 # back$ adb shell input keyevent 82 # settings$ adb shell input keyevent 20 # down$ adb shell input keyevent 20 # down$ adb shell input keyevent 66 # enter

ADB Shell Input Events, KeyEvent

21

Android examples: unlock device

● Android <= 4.2.1● Original work: kosborn/p2p-adb● GUI:

– x942/p2pgui

– raider-android-backup-toolby c0rnholio

22

Android examples: AFLogical OSE

??? → TextSecure ;)

https://santoku-linux.com/

https://viaforensics.com/resources/reports/android-forensics/physical-techniques/

23

Android examples: Whatsapp

https://github.com/PicciMario/iPhone-Backup-Analyzer-2

http://scripts4cf.sourceforge.net/tools.html

http://www.skypextractor.com/

https://code.google.com/p/hotoloti/source/browse/

https://play.google.com/store/apps/details?id=com.smeiti.wstotext

https://play.google.com/store/apps/details?id=com.smeiti.vbtotext

https://github.com/viaforensics/android-forensics/downloads

24

Android/iOS example: Telegram (1/2)● Photos shot from secure chat

– Android: saved system photo gallery

– Recovered with carving

● All chat messages– Stored in clear text on the SQLite DB

– Retrievable from memory dump

● Deleted messages:– Android: only from RAM dump

– iOS: still in SQLite DB

iOS: Telegram Investigation

Android: Telegram App Store Secret-Chat Messages in Plain-Text Database

http://www.garykessler.net/library/file_sigs.html

http://www.garykessler.net/software/index.html#filesigs

25

Android/iOS example: Telegram (2/2)

http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence

26

Anti-forensics: Android

● Network traffic: Orbot + Orweb/Firefox Add-on, VPN● SMS/Messages: TextSecure, ChatSecure,

Telegram(*)● Phone calls: RedPhone, Ostel● Steganography: Pixelknot● Cleaning: CCleaner● ...

(*) Only the network traffic is cyphered

http://stackoverflow.com/questions/7789826/adb-shell-input-events

https://developer.android.com/reference/android/view/KeyEvent.html

27

https://github.com/kosborn/p2p-adb

https://github.com/x942/p2pgui

https://code.google.com/p/raider-android-backup-tool/

28

[email protected] are hiring