BRIDGING TRADITIONAL INVESTIGATIONS WITH TECHNOLOGY INNOVATIONS

Verifying Malware Scanning Utilizing Linux (Ubuntu)


Ubuntu Linux’s free built-in capability can natively mount Android phone images so that they can be examined and scanned for malware with common anti-virus software such as AVG. However, mounting an Android image and scanning it for malware takes a number of steps that may not be intuitive to all users. This demonstration provides a step-by-step process that any user can comfortably apply in future examinations, including as a supplement for verifying the malware-scanning utilities of commercial mobile forensic tools.


Page 1: Verifying Malware Scanning Utilizing Linux (Ubuntu)


Page 2: Verifying Malware Scanning Utilizing Linux (Ubuntu)

MEET THE TEAM

Desiree McGovern – President and Co-Founder

Pete McGovern – Chief Executive Officer and Co-Founder

Carlos Cajigas – Training Director and Senior Forensic Analyst

Page 3: Verifying Malware Scanning Utilizing Linux (Ubuntu)

WHAT WE DO

EPYX Forensics assists clients with investigations where electronically stored information (ESI) or monetary issues are relevant.

• Digital Forensics

• Forensic Accounting

• Expert Testimony

• Training

Page 4: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Objectives

• Mount an Android Image using Linux

• Compare AVG, Clam and BitDefender scans

Page 5: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Android Market Share

• Android has 75 percent of the smartphone market

Source: ZDNet.com

Page 6: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Mobile Malware

• In 2012 malware increased by 580%

• Over 30,000 pieces of malware so far.

Source: TrustGo

Page 7: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Top 3 Most Dangerous Apps

• Talking Tom Cat Free – 50,000,000 Downloads

• Sends phone # & device ID to 3rd party

• Guitar: Solo Lite – 10,000,000 Downloads

• Captures phone number to be sold.

• Brightest Flashlight Free – 10,000,000 Downloads

• Modify homepage & bookmarks, create shortcuts

Source: TrustGo

Page 8: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Permissions

• Talking Santa – 10,000,000 Downloads

• Sends phone # & device ID to 3rd party

Source: play.google.com

Page 9: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Talking Santa

Source: play.google.com

Page 10: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Google Play’s Top 500

• 175,000,000 downloads of High Risk apps

Source: TrustGo

Page 11: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Infected? How do you know?

• Scan with Cellebrite

• Cellebrite uses BitDefender

Page 12: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Scan with Cellebrite

• Results: 331 Infected files

Page 13: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Enter Torrent

• www.virushare.com

• A repository of malware samples

• 6.24GB torrent (May 2013): http://t.co/oklyE1SRHV

• 11,080 APKs deemed to be malware

Page 14: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Scan with AVG

• 11,080 files scanned

• 456 infections found

Page 15: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Scan with Clam

• 11,080 files scanned

• 5,716 infections found

Page 16: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Scan with BitDefender

• 856,610 files scanned

• 16,748 infections found

Page 17: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Enter Linux

• Can mount Android images with an Ext3/4 file system natively using Linux

• Physical acquisitions from Cellebrite and MPE+.

• DMG images from LanternLite (HFSX)

Page 18: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Mounting Android Images
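The mounting slide above was a live demonstration, so the deck carries no commands. The shell helpers below are an added example, not part of the EPYX Forensics presentation: they compute the byte offset of a partition inside a raw physical acquisition (the start sector comes from `fdisk -l` or `parted ... unit s print`), build a read-only loop mount command for the ext4 partition, and pull the infected-file count out of a `clamscan` summary so the result can be set beside the Cellebrite/BitDefender figure. The image path, start sector, mount point and the clamscan output are constructed for illustration; real runs need root and a real image.

```shell
#!/bin/sh
# Added example (not from the EPYX Forensics deck). Image names, sector numbers
# and the scanner output below are constructed placeholders.

# Byte offset of a partition inside a raw image = start sector * sector size.
# Read the start sector of the userdata partition from `fdisk -l image.bin`
# or `parted image.bin unit s print`; sector size defaults to 512 bytes.
partition_offset() {
    start_sector="$1"
    sector_size="${2:-512}"
    echo $((start_sector * sector_size))
}

# Build the mount command for an ext4 partition inside the image.
#   ro      never write to the evidence file
#   noload  do not replay the ext4 journal (a replay would modify the image)
#   noexec/nosuid/nodev  nothing on the mounted image can be executed
mount_cmd() {
    image="$1"
    start_sector="$2"
    mountpoint="$3"
    offset=$(partition_offset "$start_sector")
    echo "mount -t ext4 -o ro,noload,noexec,nosuid,nodev,loop,offset=${offset} ${image} ${mountpoint}"
}

# Extract the infected-file count from a clamscan summary read on stdin.
infected_count() {
    sed -n 's/^Infected files: \([0-9]*\).*/\1/p'
}

# Constructed sample of a `clamscan -r` summary block (not real scan output).
SAMPLE_CLAMSCAN='----------- SCAN SUMMARY -----------
Known viruses: 1234567
Scanned directories: 12
Scanned files: 11080
Infected files: 5716
Time: 100.000 sec (1 m 40 s)'

# Typical session on a real acquisition (requires root; shown for the reader):
#   sha256sum android.bin > android.bin.sha256          # hash before mounting
#   sudo sh -c "$(mount_cmd android.bin 2048 /mnt/userdata)"
#   sudo clamscan -r --infected --log=/tmp/clam.log /mnt/userdata
#   sudo umount /mnt/userdata
#   sha256sum -c android.bin.sha256                      # hash must still match
#   infected_count < /tmp/clam.log
```

Hashing the image before and after the mount is the check that the read-only, no-journal-replay options actually kept the evidence unchanged; the same mounted tree can then be pointed at AVG or another scanner, which is how the AVG, Clam and BitDefender counts on the earlier slides can be compared on identical input.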

Page 19: Verifying Malware Scanning Utilizing Linux (Ubuntu)

Carlos Cajigas - Contact Information

www.epyxforensics.com

[email protected]

(800) 996-9420

@Carlos_Cajigas

LET’S STAY CONNECTED