Source: piva.mobi/wp-content/uploads/2015/10/Matteo-Udine...
Digital Forensics: Mobile Forensics - Technical insights and peculiarities of smartphones
Udine, 11 May 2015. By Matteo Brunati

Me, Myself & I
● IT Security consultant
  – Design & development of IT Security solutions
  – IT Security consultancy: EH, Computer Forensics, Crypto Currencies, etc.
  – Business Innovation R&D
  – Seminars, courses
● Certifications: ISACA CISA (almost...)
● Publications: lcFE (2001-2004), OISSG ISSAF (<2006), Bachelor Thesis (ICME'10)
● Scout and Judo, from time to time... ;)

Digital Evidence: Examples
● E-mails
● Documents
● Document metadata: EXIF, document author/date/..., PDF information, ...
● Internet browser history
● SIM card
● Memory: RAM, HDD, SSD, ...
● GPS tracks
● Media files (video, audio, images)
● Aircraft black box
● ...

Forensics Acquisition
● Identify the device to acquire: photos, hardware info (IMEI, brand, serial #, etc.)
● Try to leave the device in the power state it's found in
  – If turned off: 1) Remove battery 2) Remove SIM card 3) Remove SD card
  – If turned on: Isolate it
● Phone isolation: airplane mode (modifies phone state), Faraday cage, tinfoil, jammer
● Use a write blocker whenever possible: 1) Hardware 2) Software
● Acquire device date and time
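The last item of the checklist is there for a reason the slide does not spell out: the device clock is usually not the examiner's clock, and every timestamp later read from the device has to be corrected by the measured offset. The following Python is an added example, not part of the slides or of any tool named here; it records the device clock against a trusted reference, applies the offset to a device timestamp, and hashes the acquired image for later integrity checks. The device identifiers, times and image bytes are constructed placeholders.

```python
"""Acquisition record helper (added example; not from the slides).

Records the device clock against a trusted reference so that device
timestamps can be translated later, and hashes the acquired image so its
integrity can be verified afterwards. All sample values are constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def clock_offset(device_time: datetime, reference_time: datetime) -> timedelta:
    """Device clock minus trusted reference; positive means the device runs fast."""
    return device_time - reference_time


def to_reference_time(device_ts: datetime, offset: timedelta) -> datetime:
    """Translate a timestamp read from the device into reference (examiner) time."""
    return device_ts - offset


def sha256_hex(data: bytes) -> str:
    """Hash of the acquired image, stored with the record for later verification."""
    return hashlib.sha256(data).hexdigest()


def acquisition_record(device_info: dict, device_time: datetime,
                       reference_time: datetime, image: bytes) -> dict:
    """Bundle identification data, measured clock offset and image hash."""
    offset = clock_offset(device_time, reference_time)
    return {
        "device": dict(device_info),
        "device_time": device_time.isoformat(),
        "reference_time": reference_time.isoformat(),
        "clock_offset_seconds": int(offset.total_seconds()),
        "image_sha256": sha256_hex(image),
        "image_size": len(image),
    }


# Constructed sample values (placeholders, not a real device or image).
DEVICE_INFO = {"brand": "<brand>", "model": "<model>",
               "imei": "<IMEI placeholder>", "serial": "<serial placeholder>"}
REFERENCE_TIME = datetime(2015, 5, 11, 9, 0, 0, tzinfo=timezone.utc)
DEVICE_TIME = REFERENCE_TIME + timedelta(minutes=5, seconds=30)  # device runs 5m30s fast
SAMPLE_IMAGE = b"constructed image bytes, not a real acquisition"
SAMPLE_RECORD = acquisition_record(DEVICE_INFO, DEVICE_TIME, REFERENCE_TIME, SAMPLE_IMAGE)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    # A message the device stamped at 10:00:00 actually happened 5m30s earlier in reference time.
    stamped = datetime(2015, 5, 11, 10, 0, 0, tzinfo=timezone.utc)
    print(to_reference_time(stamped, clock_offset(DEVICE_TIME, REFERENCE_TIME)))
```

Keep the reference time from a source you trust (a synchronized workstation or a GPS clock), and record both values verbatim before correcting anything: the raw device time is itself evidence.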

Hardware Tools: Faraday Bag/Box

Hardware Tools: Write Blocker

Hardware Tools: Jammer

Mobile Device Components
● Device information: hardware
● SIM card: SIM cloning, SIM acquisition
● Flash card: custom hardware/software
  – Logical
  – File system
  – Physical
● Mass storage: usual DF techniques
● Cloud: depends...

Software Tools: Proprietary
● Cellebrite UFED
● Micro Systemation XRY
● Oxygen Forensics
● MOBILEdit
● ViaForensics: Android, soon iOS
● Katana Forensics Lantern: iOS

Software Tools: Open Source
● Logical acquisition (your Linux machine, Santoku)
  – iOS: libidevicebackup (for encrypted backups: ElcomSoft Password Recovery Bundle)
  – Android: adb, AFLogical OSE
  – External mass storage: dd, dcfldd, Guymager
● Physical acquisition: Android Forensics, Physical Techniques RIP

Software Tools: Open Source (cont'd)
There is no "does everything" tool
● Image analysis:
  – iOS: libidevicebackup, iPBA2
  – External mass storage: Autopsy
● Carving: foremost, scalpel, ks, PhotoRec, Bulk Extractor, etc.
● Apps: Skype, WhatsApp (WhatsappXstract, Backup Text for Whats), Viber (Backup Text for Viber), AFLogical OSE

Carving
Recovering data from disk – the raw way ;)
● Doesn't care about partition types
● Doesn't care about deleted/existing files
  – We just need the file to have been saved at least once on the file system
● Search for the file magic number [1], [2]
● Recover as much as possible of what remains of the file
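The bullets above are the whole algorithm of a header/footer carver, so here it is in working form. This Python is an added example, not code from the slides or from foremost, scalpel or PhotoRec: it scans a raw byte image for JPEG and PNG magic numbers without looking at partitions or file system metadata, cuts each hit at its footer, and, when the footer is gone (tail overwritten), keeps up to a fixed bound so as much of the file as possible survives. The sample image with a complete JPEG, a complete PNG and a truncated JPEG is constructed inline.

```python
"""Header/footer file carver (added example; not a tool from the slides).

Scans a raw image for known magic numbers, ignoring partition tables and file
system metadata, and recovers each hit up to its footer. When the footer is
missing (tail overwritten), it keeps up to max_carve bytes so that as much of
the file as possible is preserved. The sample image is constructed inline.
"""
import hashlib

# Magic number (header) and end-of-file marker (footer) for two common types.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}
MAX_CARVE = 1024 * 1024  # upper bound when no footer is found


def carve(image: bytes, max_carve: int = MAX_CARVE):
    """Return (kind, offset, data, complete) for every signature hit, by offset.

    complete is False when the footer was not found within max_carve bytes;
    data then holds the bytes up to that bound (or to the end of the image).
    Limitation: a JPEG with an embedded EXIF thumbnail ends at the thumbnail's
    footer with this approach; full carvers parse the segment structure.
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (off := image.find(header, pos)) != -1:
            limit = min(len(image), off + max_carve)
            end = image.find(footer, off + len(header), limit)
            if end == -1:
                hits.append((kind, off, image[off:limit], False))
                pos = off + len(header)
            else:
                hits.append((kind, off, image[off:end + len(footer)], True))
                pos = end + len(footer)
    hits.sort(key=lambda h: h[1])
    return hits


def carved_name(kind: str, offset: int, data: bytes) -> str:
    """Output name: hex offset + short SHA-256 + type, so each find stays traceable."""
    digest = hashlib.sha256(data).hexdigest()[:12]
    return f"{offset:08x}_{digest}.{kind}"


# Constructed sample: zero filler, a complete JPEG, a complete PNG and a JPEG
# whose tail has been overwritten (no footer). These are not real files.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x11" * 40 + b"\xFF\xD9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
            + b"\x22" * 30 + b"IEND\xAE\x42\x60\x82")
TRUNCATED_JPEG = b"\xFF\xD8\xFF\xE1\x00\x20Exif" + b"\x33" * 20


def build_sample_image() -> bytes:
    filler = b"\x00" * 256
    return filler + FAKE_JPEG + filler + FAKE_PNG + filler + TRUNCATED_JPEG + filler


if __name__ == "__main__":
    for kind, off, data, complete in carve(build_sample_image()):
        state = "complete" if complete else "partial (footer missing)"
        print(f"{carved_name(kind, off, data)}  {len(data):6d} bytes  {state}")
```

Run it against a real `dd` image by replacing `build_sample_image()` with the file's bytes (or a memory-mapped view for large images); the offset in each output name is what you cite when documenting where on the medium the file was found.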

SSD nightmare
The physical and controller-chip properties of SSDs make it very hard, and sometimes unpredictable, to retrieve deleted data.
● Wear levelling
● TRIM
But this is not always the case; it depends on :)
● Operating system type and version
● SSD drive
● File system type
● ...

Android examples: broken screen
How to access an Android device with a broken screen? → Emulate user input :)
$ adb shell input keyevent 26   # KEYCODE_POWER: wake the screen
$ adb shell input text <PIN> && adb shell input keyevent 66   # type the PIN, then KEYCODE_ENTER
$ adb shell input keyevent 4    # KEYCODE_BACK
$ adb shell input keyevent 82   # KEYCODE_MENU, used here to reach Settings
$ adb shell input keyevent 20   # KEYCODE_DPAD_DOWN
$ adb shell input keyevent 20   # KEYCODE_DPAD_DOWN
$ adb shell input keyevent 66   # KEYCODE_ENTER
References: ADB Shell Input Events, KeyEvent

Android examples: unlock device
● Android <= 4.2.1
● Original work: kosborn/p2p-adb
● GUI:
  – x942/p2pgui
  – raider-android-backup-tool by c0rnholio

Android examples: AFLogical OSE
??? → TextSecure ;)

Android examples: WhatsApp

Android/iOS example: Telegram (1/2)
● Photos shot from secure chat
  – Android: saved to the system photo gallery
  – Recovered with carving
● All chat messages
  – Stored in clear text in the SQLite DB
  – Retrievable from memory dump
● Deleted messages:
  – Android: only from RAM dump
  – iOS: still in SQLite DB
References: iOS: Telegram Investigation; Android: Telegram App Store Secret-Chat Messages in Plain-Text Database
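"Still in SQLite DB" after deletion is not Telegram-specific; it is how SQLite behaves by default, and it is also why raw scans of app databases keep paying off. The following Python is an added example, not from the slides or from Telegram: it builds a small constructed chat table like an app might keep, deletes one message, and scans the raw database file for the deleted text. With `secure_delete` off (the usual default) the record is only unlinked and its bytes stay in the page's free space; the same scan shows the two things that actually remove them, `PRAGMA secure_delete=ON` and `VACUUM`.

```python
"""Deleted chat messages in SQLite (added example; not from the slides).

Constructed demo of why a deleted message is often still in an app's
database file: with secure_delete OFF, SQLite only unlinks the record, so
its bytes stay in the page's free space until overwritten or VACUUMed.
"""
import os
import sqlite3
import tempfile

# Constructed sample chat; not real data.
MESSAGES = [
    (1, "alice", "meet at the usual place at nine"),
    (2, "bob", "ok, bringing the documents"),
    (3, "alice", "delete this one after reading"),
    (4, "bob", "done"),
]
DELETED_ID = 3
DELETED_BODY = MESSAGES[DELETED_ID - 1][2]


def build_and_delete(path: str, secure_delete: bool, vacuum: bool) -> None:
    """Create the table, insert the chat, delete one row, optionally VACUUM."""
    con = sqlite3.connect(path)
    # Set explicitly: the default depends on how the SQLite library was built.
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    con.commit()
    if vacuum:
        con.execute("VACUUM")  # rebuilds the file from live rows; free space is dropped
    con.close()


def visible_to_queries(path: str) -> bool:
    """What the app (and any logical extraction) sees."""
    con = sqlite3.connect(path)
    try:
        (n,) = con.execute("SELECT COUNT(*) FROM messages WHERE id = ?",
                           (DELETED_ID,)).fetchone()
        return n > 0
    finally:
        con.close()


def present_in_raw_file(path: str) -> bool:
    """What a carver or hex search sees: the bytes of the file, not its rows."""
    with open(path, "rb") as f:
        return DELETED_BODY.encode() in f.read()


def deleted_body_recoverable(secure_delete: bool = False, vacuum: bool = False) -> bool:
    """True when the deleted message text is still findable in the raw file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat.db")
        build_and_delete(path, secure_delete, vacuum)
        assert not visible_to_queries(path)  # the app itself no longer shows it
        return present_in_raw_file(path)


if __name__ == "__main__":
    print("default (secure_delete OFF):", deleted_body_recoverable())
    print("secure_delete ON:          ", deleted_body_recoverable(secure_delete=True))
    print("after VACUUM:              ", deleted_body_recoverable(vacuum=True))
```

For the examiner this is the reason to image the database file (and, on Android, the RAM) rather than trusting a logical export; for the app developer it is the reason a "delete" feature needs `secure_delete` or a `VACUUM` before it means anything on disk. The rollback journal and WAL files next to the database can hold the same bytes and deserve the same scan.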

Android/iOS example: Telegram (2/2)

Anti-forensics: Android
● Network traffic: Orbot + Orweb/Firefox add-on, VPN
● SMS/Messages: TextSecure, ChatSecure, Telegram(*)
● Phone calls: RedPhone, Ostel
● Steganography: Pixelknot
● Cleaning: CCleaner
● ...
(*) Only the network traffic is encrypted