Computer Forensics
Mobile Forensics - Technical deep dive and smartphone particularities
Udine, 11 May 2015
By Matteo Brunati
Me, Myself & I
● IT Security consultant
– Design & development of IT Security solutions
– IT Security consultancy: EH, Computer Forensics, Crypto Currencies, etc.
– Business Innovation R&D
– Seminars, courses
● Certifications: ISACA CISA (almost...)
● Publications: lcFE (2001-2004), OISSG ISSAF (<2006), Bachelor Thesis (ICME'10)
● Scout and Judo, from time to time... ;)
Digital Evidence: Examples
● E-mails
● Documents
● Document meta-data: EXIF, document author/date/..., PDF information, ...
● Internet browser history
● SIM card
● Memory: RAM, HDD, SSD, ...
● GPS tracks
● Media files (video, audio, images)
● Aircraft black boxes
● ...
Forensic Acquisition
● Identify the device to acquire: photos, hardware info (IMEI, brand, serial #, etc.)
● Try to leave the device in the power state in which it is found
– If turned off: 1) Remove battery 2) Remove SIM card 3) Remove SD card
– If turned on: isolate it
● Phone isolation: airplane mode (modifies the phone state), Faraday cage, tinfoil, jammer
● Use a write blocker whenever possible: 1) Hardware 2) Software
● Acquire device date and time
Hardware Tools: Faraday Bag/Box
Hardware Tools: Write Blocker
Hardware Tools: Jammer
Mobile Device Components
● Device information: hardware
● SIM card: SIM cloning, SIM acquisition
● Flash card: custom hardware/software
– Logical
– File system
– Physical
● Mass storage: usual DF (digital forensics) techniques
● Cloud: depends...
Software Tools: Proprietary
● Cellebrite UFED
● Micro Systemation XRY
● Oxygen Forensics
● MOBILEdit
● ViaForensics: Android, soon iOS
● Katana Forensics Lantern: iOS
Software Tools: Open Source
● Logical acquisition (your Linux machine, Santoku)
– iOS: libidevicebackup (for encrypted backups: ElcomSoft Password Recovery Bundle)
– Android: adb, AFLogical OSE
– External mass storage: dd, dcfldd, Guymager
● Physical acquisition: Android Forensics, Physical Techniques RIP
Software Tools: Open Source (cont'd)
There is no “does everything” tool
● Image analysis:
– iOS: libidevicebackup, iPBA2
– External mass storage: Autopsy
● Carving: foremost, scalpel, ks, PhotoRec, Bulk Extractor, etc.
● Apps: Skype, WhatsApp (WhatsappXstract, Backup Text for Whats), Viber (Backup Text for Viber), AFLogical OSE
Carving
Recovering data from disk – the raw way ;)
● Doesn't care about partition types
● Doesn't care about deleted/existing files
– We only need the file to have been saved at least once on the file system
● Search for the file magic number [1], [2]
● Recover as much as possible of the file remains
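A minimal header/footer carver, as an added example written for this page (it is not one of the tools listed above, nor the author's code): it scans a raw image for JPEG and PNG magic numbers, ignores any partition table or file system, and returns the complete files it finds plus whatever remains of a truncated one. The signature table, the sample image and all offsets are constructed for the demo.

```python
# Added example: header/footer carving over a raw image, ignoring any file system.
# Signatures and the sample image below are constructed for this demo.

# Magic number (header) and trailer (footer) for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, max_len: int = 64 * 1024) -> list:
    """Return (kind, offset, data, complete) for every file found in the image.

    A file is complete when its footer appears within max_len bytes of the
    header; otherwise as much as possible (up to max_len or the end of the
    image) is kept, so a partially overwritten file is not lost entirely.
    Deleted files are found exactly like existing ones because only the raw
    bytes are inspected, never the file-system metadata.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_len)
            if end >= 0:
                data = image[start:end + len(footer)]
                found.append((kind, start, data, True))
                pos = start + len(data)
            else:
                # Footer missing: keep the remains. A truncated file followed by an
                # intact one of the same type would be merged with it by this simple
                # rule, a known limit of plain header/footer carving.
                found.append((kind, start, image[start:start + max_len], False))
                pos = start + len(header)
    found.sort(key=lambda f: f[1])  # report in disk order
    return found


def build_sample_image() -> bytes:
    """Constructed 'disk image': zero filler around two intact files and one truncated JPEG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample-body" + b"IEND\xae\x42\x60\x82"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"partial-body"  # no footer: file was cut short
    filler = b"\x00" * 300
    return filler + jpeg + filler + png + filler + truncated_jpeg


if __name__ == "__main__":
    for kind, offset, data, complete in carve(build_sample_image()):
        state = "complete" if complete else "partial"
        print(f"{kind} at offset {offset}: {len(data)} bytes ({state})")
```

Real carvers (foremost, scalpel, PhotoRec) add format-aware length checks and handle fragmented files; this block shows only the core idea of the slide: a signature scan over raw bytes that finds deleted content as easily as live content.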
SSD nightmare
The properties of SSD flash chips and controllers make it very hard, and sometimes unpredictable, to retrieve deleted data.
● Wear levelling
● TRIM
But it is not always the case; it depends on :)
● Operating system type and version
● SSD drive
● File system type
● ...
Android examples: broken screen
How to access an Android device with a broken screen? → Emulating user inputs :)
$ adb shell input keyevent 26 # power
$ adb shell input text <PIN> && adb shell input keyevent 66 # input PIN and hit enter
$ adb shell input keyevent 4 # back
$ adb shell input keyevent 82 # settings
$ adb shell input keyevent 20 # down
$ adb shell input keyevent 20 # down
$ adb shell input keyevent 66 # enter
ADB Shell Input Events, KeyEvent
Android examples: unlock device
● Android <= 4.2.1
● Original work: kosborn/p2p-adb
● GUI:
– x942/p2pgui
– raider-android-backup-tool by c0rnholio
Android examples: AFLogical OSE
??? → TextSecure ;)
Android examples: Whatsapp
Android/iOS example: Telegram (1/2)
● Photos shot from secure chat
– Android: saved in the system photo gallery
– Recovered with carving
● All chat messages
– Stored in clear text in the SQLite DB
– Retrievable from memory dump
● Deleted messages:
– Android: only from RAM dump
– iOS: still in SQLite DB
iOS: Telegram Investigation
Android: Telegram App Store Secret-Chat Messages in Plain-Text Database
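The two SQLite points above (messages stored in clear text, deleted messages still in the DB) can be reproduced on a throw-away database. The following is an added example written for this page, not Telegram's schema or code: it creates a small messages table, deletes one row, closes the database and checks the raw file bytes. Unless the SQLite library was built with SQLITE_SECURE_DELETE, secure_delete defaults to OFF and a deleted row's cell is only unlinked, so its text stays in the page and can be recovered by carving or by a forensic SQLite parser; with secure_delete=ON the freed bytes are zeroed. The table and the message text are constructed.

```python
# Added example: does a deleted SQLite row survive in the raw database file?
# The messages table and its text are constructed for this demo (not Telegram's schema).
import os
import sqlite3
import tempfile

DELETED_MARKER = "constructed-secret-chat-text-4f2a9c"  # body of the row we will delete


def deleted_text_survives(secure_delete: bool) -> bool:
    """Build a messages DB, delete one row, close it, and report whether the
    deleted row's text is still present in the raw file bytes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)  # SQLite opens the (empty) file itself
    try:
        conn = sqlite3.connect(path)
        # secure_delete=ON makes SQLite zero freed cells; OFF (the usual build
        # default) just unlinks the cell and leaves its bytes in place.
        conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO messages(body) VALUES (?)",
            [("hello",), (DELETED_MARKER,), ("see you tomorrow",)],
        )
        conn.commit()
        conn.execute("DELETE FROM messages WHERE body = ?", (DELETED_MARKER,))
        conn.commit()
        conn.close()  # rollback journal is gone after commit; only the main file is inspected
        with open(path, "rb") as f:
            raw = f.read()
        return DELETED_MARKER.encode() in raw
    finally:
        os.remove(path)


def live_text_in_clear(path: str, marker: str) -> bool:
    """Live rows are plain UTF-8 in the file: a plain byte search finds them."""
    with open(path, "rb") as f:
        return marker.encode() in f.read()


if __name__ == "__main__":
    print("secure_delete=OFF, deleted text still in file:", deleted_text_survives(False))
    print("secure_delete=ON,  deleted text still in file:", deleted_text_survives(True))
```

The same byte search applied to a copy of a real app database is the quickest triage step before running a proper SQLite record parser; a VACUUM or a WAL checkpoint by the app can remove the stale cells at any time, which is why the image should be taken before the device is allowed to run.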
Android/iOS example: Telegram (2/2)
Anti-forensics: Android
● Network traffic: Orbot + Orweb/Firefox Add-on, VPN
● SMS/Messages: TextSecure, ChatSecure, Telegram(*)
● Phone calls: RedPhone, Ostel
● Steganography: Pixelknot
● Cleaning: CCleaner
● ...
(*) Only the network traffic is encrypted
[email protected] are hiring