© 2014, Basis Technology 1

Open Source Mobile Device Forensics

Heather Mahalik

© 2014, Basis Technology 2

iOS Devices •  Zdziarski Methods •  Boot Rom

Vulnerability Exploits –  Custom Ramdisk via

SSH –  The iPhone Data

Protection Tools •  iTunes

Android Devices •  viaLogical •  ADB Backup •  OSAF Toolkit •  Santoku •  DD

–  Not supported for all devices

•  JTAG/Chip-off

Device  Acquisi+on  

© 2014, Basis Technology 3

•  How old is the device?

•  Is the device locked? •  Is the device

damaged? •  Are you Law

Enforcement?

Considera+ons  

© 2014, Basis Technology 4

•  LiME (Linux Memory Extractor) –  First tool to support full

memory captures of Android smartphones!

–  TCP dump or saved to SD card

–  Uses ADB

Android  Memory  Capture  

© 2014, Basis Technology 5

iOS Devices •  iPhone Backup Analyzer •  iExplorer •  iBackupBot •  Scalpel •  SQLite Browser •  Plist Editor •  WhatsApp Extract

–  Contacts.sqlite and ChatStorage.sqlite

•  Manual examination •  Customized scripts

Android Devices •  Autopsy

–  Android Module •  WhatsApp Extract

–  wa.db and msgstore.db •  Scalpel •  SQLite Browser •  Hex Editor •  Anything capable of mounting

EXT •  FTK Imager •  Customized scripts •  Manual examination

Analy+cal  Tools…to  Name  a  Few  

© 2014, Basis Technology 6

•  Commercial tools are expensive – They still miss data – They don’t parse third party applications

completely – They omit relevant databases when extracting

data – They don’t support all devices

•  Open Source tools – See above!

Reality Check!

© 2014, Basis Technology 7

/private/var/mobile/library/Spotlight/com.apple.mobilesms/ –  smssearchindex.sqlite

•  Provides SMS message data –  Active and deleted messages –  Should be compared to sms.db –  May show traces of attachments (metadata)

*Not commonly parsed by any tool!

Example – iOS Examination

© 2014, Basis Technology 8

•  GUI built on The Sleuth Kit •  Next version (v3.1.1) will include Android

module •  Customizable •  Complete analytical platform •  Android dumps can be loaded as normal disk

images or file folders

Autopsy

© 2014, Basis Technology 9

Android  Examina+on  

© 2014, Basis Technology 10

•  Parsed from Contacts2.db file – Raw_contacts and ABPerson

Examining Contacts

© 2014, Basis Technology 11

Examining the Raw Contacts (1)

© 2014, Basis Technology 12

Examining the Raw Contacts (2)

© 2014, Basis Technology 13

•  Parses messages and chats from SMS, MMS and some third party applications

Parsing Messages and Chats

© 2014, Basis Technology 14

•  Encryption vs. Encoding •  Base64 decoder built into Autopsy Android

module

Encoding Built into Autopsy

© 2014, Basis Technology 15

•  Google Maps, Browser, Cache and EXIF location parsing

Geolocation Support

© 2014, Basis Technology 16

Geoloca+on  Repor+ng  

© 2014, Basis Technology 17

•  EXIF Parser

•  Graphics and Videos

Examining Multimedia Files

© 2014, Basis Technology 18

•  Active files shown in viewer

•  Deleted must be examined/recovered in Hex

Recovering Deleted SQLite Data

© 2014, Basis Technology 19

•  Mari DeGrazia’s SQLite Parser

Custom Scripts

© 2014, Basis Technology 20

•  http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf

•  www.az4n6.blogspot.com •  https://viaforensics.com/blog/ •  http://www.sleuthkit.org/ •  Practical Mobile Forensics –Bommisetty,

Mahalik, Tamma •  www.smarterforensics.com •  https://code.google.com/p/lime-forensics/

References, Sources and Suggested Reading

© 2014, Basis Technology 21

Heather Mahalik Basis Technology

www.basistech.com hmahalik@basistech.com Twitter: @heathermahalik

Questions