r… r… - smarter forensics · database view android metadata (1) history sqlite sequence (1) su...

Bueller…Bueller…SmartphoneForensics

MovesPrettyFast.Ifyoudon’tStayCurrent,You’ll

MissEvidence

HankMahalik

[email protected]

Twitter:@HeatherMahalik

http://smarterforensics.com

3

Aboutme…

•  EmployeeofOcean’sEdge,Inc.

•  SANSSeniorInstructor

•  InvolvedwithForensics/infosecfor13years

•  Co-authorFOR585andFOR518

•  Co-AuthorofPracticalMobileForensics

•  Availableonsocialmedia

Copyright@2015HeatherMahalik,AllRightsReserved

HowhaveOSupgradeschangedthegameofSmartphoneForensics?


Whatdoesthismean?

•  YouneedtofullyunderstandtheOSonthedevice

•  Thestateofeverymobiledevicemayvary

•  Youwillneedmorethanonetool

•  Youwillneedtheskillstomanuallycarveforforensic

artifacts

•  Reality–Yourtoolmaymissrelevantdata!


Upgrades

•  OperatingSystem

– AndroidL&M

–  iOS9

•  Applications

– All3rdPartyApplicationsonbothdevices


Lollipop,Lollipop…•  Multipleuseraccounts

•  Factoryresetprotection–  Musthavepassword

•  Fulldiskencryption–  Userispromptedatfirststartup

•  SmartLock

–  DeviceautomaticallyunlockswhennearspecificBluetooth,

WiFiorNFCtags


Marshmallow!!!!!


Updatedfingerprintscan

VisualVoicemail

•  T-MobileandOrangeFrance

Rotatinghomescreen

RAMManager

NetworkSettingReset

OhEvidence,WhereareYou?

•  Thelocationoftheevidencehasn’treally

changed(yet)

•  Gettingtotheevidencemaybeharder

•  Acquisitionmaybemoredifficultandmore

expensive!


UnderstandingtheEvidence(1)

•  Maps-com.google.android.apps.maps

•  Database:da_destination_history


UnderstandingtheEvidence(2)

•  Maps-com.google.android.apps.maps

•  Database:search_history.db


UnderstandingtheEvidence(3)•  Socialmediageo-tagging

–  Facebook

–  Google+

–  Twitter

–  Etc.

•  Considerwhattracesare

leftbehindwhentheuser

“checks-in”andtagsa

location


iOS9

•  Addedfunctionality

•  “Remembers”thingsforyou

•  Let’syou“undelete”pictures/videos

•  Changedseveraldatalocations…


YourPastMayHauntYou!•  iOS8&9“Recall”

Feature

–  Scarythatyouthought

itwasgone…

–  Butguesswhat?


ManualExam:SMSAttachments

CantheTooldoThat?


OhEvidence,WhereareYou?

•  CallLogs

–  Library/CallHistory/call_history.db

–  Library/CallHistory/callhistory.storedata(iOS8&9)

•  GoogleMaps

–  Library/Maps/History.mapsdata

–  Library/Maps/GeoHistory.mapsdata(iOS8&9)


What’sGoingonHere…


3rdPartyApplicationUpgrades

•  EncodingandEncryptionchanges

•  Changesthefilenamecontainingthedata

•  Createsanewfilefordatastorage

•  Makesaccessingthedatamoredifficult

– Sometimes…


Example:Cyberdust(1)•  Claimstoremovealluserdataupontransmission/

receipt

– Nevertrustclaimsoryourtool

– ManuallyreviewAppfilesforuseractivity


Example:Cyberdust(2)

•  MessagesareencodedtwiceusingBase64


Essentialskilldevelopment•  LearnhowdataisstoredonAndroidandiOSdevices

•  LearnhowtoidentifytracesofOSupgrades

•  Learndecodingandmanualcarvingtechniques

•  Findwaystooutsmartyourtools

•  TakeFOR585tomakesureyoubuildthenecessary

skillstoeffectivelyexaminethenextsmartphoneyou

see(andyouwillseeone…)


•  FOR585 Advanced Smartphone Forensics

•  Practical Mobile Forensics

•  http://smarterforensics.com

•  https://andriller.com/

•  http://az4n6.blogspot.com/p/downloads.html

•  http://cheeky4n6monkey.blogspot.com/

References, Sources and Suggested Reading

FOR585AdvancedSmartphoneForensicsCourseAvailableAt:

Chantilly,VAw/HeatherMahalik–Dec10timesin2016!

OnDemand–Anytimeyouwant!

*FOR408–vLive–LearninyourPJswithabeer!

UpcomingCourses

Questions?

HeatherMahalik

[email protected]

Twitter:@HeatherMahalik

www.smarterforensics.com

[email protected]


r… r… - smarter forensics · database view android metadata (1) history sqlite sequence (1) su...

Documents