teeltech - advancing mobile device forensics (online version)

Advancing Mobile Device Forensics, Instructor: Mike Felch

Upload: michael-felch

Posted on 19-Feb-2017

  • Advancing Mobile Device Forensics

    Instructor: Mike Felch

  • Introduction

  • Lunch & Learn Introduction

    If you rely on tools:

    Your examinations have probably missed critical data

    You may not have been able to examine certain devices

    You may have missed data from apps, especially the latest apps

    You found some data but exhausted yourself parsing it out

  • Lunch & Learn Content

    Using a practical example of an investigation involving uncovering digital artifacts using new techniques, we will identify data that was unrecoverable or overlooked by traditional forensic tools.

    Reverse Engineering Data Structures: After a brief overview of Hex Editor Neo and regular expressions, we will manually examine a binary image acquired from a mobile device in our simulated investigation.

    Introduction to Programming with Python: We will cover some high-level Python overviews such as variables, loops, conditions, slicing, and saving files. Just enough to demonstrate the ease and power of Python!

    Python Programming for Mobile Forensics: After learning some basics in Python, we will write some scripts to extract artifacts from mobile devices and then save the output as evidence for our investigation.

  • Learning Goals

    At the end of this event, you will have experienced:

    Going beyond push-button forensic tools, which is required to stay relevant

    There is power in understanding binary data

    Python programming is actually easier than it seems

    No previous programming background is required

    By the end of the day, you will have a basic understanding of how to apply reverse engineering and programming techniques in day-to-day mobile device examinations

  • About Mike

    Information Security Engineer, Computer Programmer, High-Tech Crime Researcher, and CSIRT Manager in the private sector

    14+ years of programming & reverse engineering experience, mostly Linux, Windows, Mobile, and Web

    Career: Infosec with a focus on offensive strategies, surveillance, & cyber-attack attribution; Sr Software Engineer with enterprise experience; Systems Engineer with a defense contractor in the aerospace industry

  • Staying Relevant: Bridging the gap between mobile forensics and advancing technology

  • The Problem

    Technology is leaving mobile device forensics behind, and reliance on traditional tools is widening the gap between what exists on a device and what examiners are able to acquire as evidence.

    Privacy applications destroying content upon viewing

    Unsupported devices & applications

    Proprietary encryption & device passwords

    Mobile application updates rendering tools useless

    the list goes on

  • The Problem: Privacy Applications

    Apps are destroying data, making it unrecoverable

    Developers are removing themselves from the equation

    SnapChat: erasing pictures after they are viewed

    Cyberdust: end-to-end encryption of messages

    Kakao Chat: overwriting messages when they are deleted

    Whisper: anonymized content

    TextSecure: end-to-end encryption of text messages

    RedPhone: end-to-end encryption of phone calls

    plus many more...

    The more apps are built around privacy, the less data will be acquired using industry-leading tools

  • The Problem: Lack of Support

    Unsupported Devices: Devices are constantly being released, and the number of models makes it impossible for tools to support everything.

    Unsupported Applications: New apps are being released every day, and support from tools can take months. By the time they are supported, updates sometimes break the support.

    Cellebrite Physical Analyzer

    World Leader in Mobile Forensics

    4:cast Forensic Tool of the Year since 2012

    Known for fastest adoption of phones & apps

    Industry standard

    79,168 devices without physical extraction support

    424,826 total devices

    19% of devices aren't supported for physical extraction

    That's 1 in 5 devices requiring JTAG / chip-off!

    SnapChat Example

    25 Updates Since January 17th, 2014

    100 Million to 500 Million Installs

    700 Million Photos/Videos Sent Per Day

    Forensic Tools Overlook Images!

  • The Solution

    You don't need a programming background!

    Don't just learn the process, learn the technology

    Don't be intimidated, it's much simpler than it looks

    Break large complex problems into smaller solvable parts

    Research new methods, apps, and devices

    Embrace the power of programming

  • The Result

    You will become a critical asset!

    Increased value to your department or agency

    Much more confident as a forensic examiner

    Programming experience is valuable outside of forensics

    Uncover methods that impact the global forensic community

    Solve cases that may have otherwise gone unsolved

  • The Requirement

    It takes a commitment!

    Commit to spending 1 hour a day for 30 days using Python

    Don't try to learn the whole language, learn what you need

    Spend time searching for and finding messages in binary data

    Think about how to tell the computer to parse the data you need

    Don't give up! Ask questions and embrace the community

  • 15 Minutes of Open Dialogue

    What are some new problems facing mobile device forensics?

  • Overview of Technologies

  • Overview of Technologies

    We will be looking at just a few technologies

    Hex Editor Neo

    Regular Expressions

    Python v3

    Cellebrite Physical Analyzer Scripting Engine

  • Overview of Technologies: Hex Editor Neo

  • Hex Editor Neo

    Typical hex editor, but with advanced capabilities

    Identify data within multi-gigabyte files

    Displays data as ASCII, hex, decimal, and binary

    Direct access to physical and logical disks, and even memory

    Extremely portable, doesn't require a full installation

    Very fast advanced searching

    Multiple simultaneous selections

  • Hex Editor Neo

    Simple Layout

  • Hex Editor Neo

    Simple Layout: Multiple Selections in a 4 GB Binary Phone Image

  • Hex Editor Neo

    Expert Layout

  • Overview of Technologies: Regular Expressions

  • Regular Expressions (regex)

    What is a regular expression? A special text string used to find a pattern

    When should we use regular expressions? When we know what the structure looks like but are unclear of the data

    Where can I find help? Help > Contents > Hex Editor Neo Definitive Guide > Regular Expressions > Regular Expressions Syntax

    Let's take a look at an example...

  • Regular Expressions (regex)

    Sample Regex: DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}

    Sample Message: DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]

    abc       Search for the exact text abc
    [abc]     Search for a, b, or c
    \d        Search for a digit
    \d{10}    Search for ten digits
    \[        Search for the character [
    *         Match 0 or more repetitions of the preceding item
    .         Match any character except new line
    \         Backslash escapes the following character

    Note that .* is greedy and will happily swallow the [ in front of the 18-digit ID, which is why the sample regex only escapes the closing bracket there; spelling out \[\d{18}\] is more precise and a good habit once a structure is documented.


  • Overview of Technologies: Introduction to Python

  • Introduction to Python

    Comparing Data

    Basic Math Operations

    Variables

    Slicing

    Logical Conditions

    Loops

    Code Structure

    Saving Data

  • Python: Comparing Data

    Operator   Meaning

    <          Less than
    >          Greater than
    <=         Less than or equal to
    >=         Greater than or equal to
    ==         Equal (note two equal signs)
    !=         Not equal

    Operator   Meaning                           Example

    or         True if either argument is true   True or False  -> True
    and        True if both arguments are true   True and True  -> True
    not        Opposite                          not False      -> True

  • Python: Basic Math Operations

    Operator   Description   Example   Result

    +          Sum           1+1       2
    -          Difference    2-1       1
    *          Product       2*3       6
    /          Quotient      5/2       2.5
                             4/2       2.0

    In Python 3, / always produces a float, even when the division is exact; use // when you need a whole number (for example, a byte offset).

    x = 3+7

    x = 4*9

    x = 20/2

    x = 44-1

  • Python: Variables

    Used to track data within our program; variables are containers for our data

    We store and change the values within the variable

    We select the names of the variables; names are case sensitive

    Can't use certain reserved words: if, for, while, etc.

    Assign data with the equals sign:  myVariable = 1

    Assignments can include calculations:  myVariable = 12 + 34

  • Python: Slicing

    Sample string, with the index above each character:

    0 1 2 3 4 5 6 7 8 9
    S l i c i n g T x T

    myString[0:7]     Gets the first 7 characters, starting at index 0     "Slicing"
    myString[:7]      Gets the first 7 characters from the beginning       "Slicing"
    myString[7:]      Gets the remainder, starting at index 7             "TxT"
    myString[2:7]     Gets 5 characters, from index 2 up to index 7       "icing"
    myString[-5:-3]   Gets 2 characters, from index -5 up to index -3     "ng"

    The end index is exclusive, and negative indexes count back from the end of the string.

  • Python: Logic Conditions

    if <condition>:
        <statement>

    if x == 7:
        print("The number is 7!")

    Control the flow of execution by making conditional statements which decide whether the indented statements get executed.

  • Python: Loops using for and while

    for <target> in <sequence>:
        <statement>

    for x in "long string":
        print(x)

    while <condition>:
        <statement>

    while True:
        print("I will never stop!")

  • Python: Language Structure

    string = "This is my long string"

    for character in string:
        if character == " ":
            print("I found a space!")

    Each code block is indented

    Statements execute until the code block is un-indented

    There are no braces or brackets

    Indentation can be spaces or tabs, but not both, and it must be consistent

  • Python: Saving Data

    Mode   Meaning

    r      Open for reading (default)
    w      Open for writing, but first truncate (an existing file is emptied)
    a      Open for writing, appending to the end if the file exists
    b      Binary mode, combined with one of the above: "rb" is what you use to read a phone image

    There are different modes we can use when handling files. We first need to decide if we are reading an existing file, writing a new file, or adding to an existing file. Also determine if we are working with a binary file or just ASCII text.

    * There are more modes available, but we aren't covering them in this lesson.

  • Python: Saving Data

    with open(<filename>, <mode>) as newfile:
        newfile.write(<data>)

    with open("output.log", "w") as newfile:
        newfile.write("The number is 7!")

    Once the code block executes the last indented statement, the file is closed automatically (and its contents flushed to disk) so it isn't left locked.

  • Overview of Technologies: Cellebrite Physical Analyzer Scripting Engine

  • Cellebrite Physical Analyzer Scripting Engine

    Interactive mode or Run scripts

    Quick access to file systems

    Easy access to phone artifacts

    Very precise data

    Save data from examination

    Create timelines & hashes

    Run scripts or use a shell

    plus much more!

    Example of Interactive Mode

  • Simulated Investigation

  • Investigation Outline

    Witness Clark Kent contacted Teel Tech Police on 01/01/2015 around 2140

    Report of disturbance from his neighbor's residence, the incident location

    Incident location identified as 2681 Anywhere Street, Lakeland, FL 33801

    Responding officers discover vehicle registered to suspect in garage of victim's residence

    Responding officers discover vehicle registered to victim in garage of victim's residence

    Violent screams heard coming from inside incident location by Witness Kent

    Welfare check reveals Suspect Lex Luthor inside of incident location

    Clothing of suspect reveals significant amount of blood

    Victim Lois Lane located inside residence, deceased, with multiple stab wounds to upper body

  • Witness Interview

    Witness C. Kent reports hearing male and female arguing at incident location

    Reports he was unable to understand what was said

    Witness describes violent screams originating from female

  • Suspect Interview

    Suspect L. Luthor claimed he was visiting his friend, the victim

    Claims to have discovered the victim deceased upon his arrival

    Alleged a male subject was standing beside victim's body with a bloody knife

    Suspect claims to have wrestled the knife away from the unknown subject

    Unknown subject allegedly fled on foot prior to police arrival

    When questioned about specific circumstances, suspect requested legal counsel

  • Crime Scene Evidence

    Kitchen butcher knife: found beside victim with victim's blood, as confirmed by Crime Scene Lab

    Victim's clothing: found on victim with multiple puncture holes to the front of shirt

    Suspect's clothing: found on suspect, with suspect's shirt containing traces of victim's blood, as confirmed by Crime Scene Lab

    Victim's DNA was found on the shirt worn by the suspect

    Victim's DNA was found on the murder weapon

    Suspect's DNA was found on the murder weapon

    No evidence of forced entry was found at the crime scene

    No evidence of a third party being at the crime scene was found

  • Digital Forensic Evidence

    Victim's cell phone: Samsung Galaxy S 4G SGH-T959V, recovered from victim's clothing.

    Suspect's cell phone: Samsung Galaxy S2 SGH-T989, seized from suspect's clothing.

    Samsung Galaxy S 4G (Victim's Phone): Non-deleted Kakao messages were found on the victim's phone revealing an argument between victim and suspect on the date of the incident. Kakao messages further indicate that the victim advised the suspect not to come over during the argument.

    Samsung Galaxy S2 (Suspect's Phone): Kakao messenger app was discovered; however, messages between victim and suspect on the date of the incident were not recovered.

  • Demonstration: Reverse Engineering

    Live Demonstration

    Open physical image of suspect's phone in Hex Editor Neo

    Use victim's phone to cross-examine recovered messages

    Identify recoverable messages of evidentiary value in the raw data

    Document recoverable message structure

  • Now what? Parsing would take forever!

    By hand:

    13 potential messages

    5 useful data points per message

    5 minutes per record to hand copy

    2 mobile devices to examine

    11 hours to copy/paste

    vs. with Python:

    34 lines of code

    5.4 seconds to process 4 GB

    Re-use it over and over

  • Demonstration: Kakao Messenger Python

    Live Demonstration

    Open physical image of suspect's phone in Python

    Read binary data into a variable by chunks

    Use regular expressions to search for messages in raw data

    Slice out data points and print results
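    The live demonstration itself is not on the page, so the following is an added example (my code, not the instructor's 34-line script, and not the real Kakao record layout) that walks through the same four steps using the DirectChat record format from the regex slide above. It also covers what the earlier "Saving Data" slide describes: the results are written out with "with open(...)". The image is read in fixed-size chunks with an overlap, because a record that straddles a chunk boundary is invisible to a naive chunk-at-a-time scan; a compiled bytes regex with named groups does the slicing; each hit is reported with its absolute offset so it can be checked in the hex editor. The sample image is constructed in the code (zeroed flash with records dropped in at known offsets, one of them deliberately straddling the first boundary and one partially overwritten). Chunk size, overlap, user-ID field names and the placement offsets are my choices.

```python
import io
import os
import re

# Record layout taken from the slide's regex sample (a stand-in for a real
# messenger structure, which you would first document in the hex editor):
#   DirectChat[<9-digit user>][<9-digit user>]<text>[<18-digit message id>]..[<9-digit conversation id>]
RECORD = re.compile(
    rb"DirectChat"
    rb"\[(?P<user_a>\d{9})\]"
    rb"\[(?P<user_b>\d{9})\]"
    rb"(?P<text>.{1,500}?)"      # non-greedy: one match must not swallow the next record
    rb"\[(?P<msg_id>\d{18})\]"
    rb".{0,32}?"                 # short filler between the two trailing ids ("zz" in the sample)
    rb"\[(?P<conv_id>\d{9})\]",
    re.DOTALL,
)

CHUNK_SIZE = 64 * 1024   # read the image in 64 KiB pieces instead of loading 4 GB into memory
OVERLAP = 4 * 1024       # re-scan this many trailing bytes with the next chunk; must exceed the longest record


def carve_messages(fh):
    """Scan an open binary file object for message records and return them as dicts.

    Each dict holds the absolute offset (so the hit can be verified in a hex editor)
    and every field sliced out of the record by the regex groups.
    """
    found = []
    seen = set()        # absolute offsets already reported (hits inside the overlap repeat)
    carry = b""         # tail of the previous chunk
    base = 0            # absolute image offset of carry[0]
    while True:
        chunk = fh.read(CHUNK_SIZE)
        if not chunk:
            break
        buf = carry + chunk
        for m in RECORD.finditer(buf):
            offset = base + m.start()
            if offset in seen:
                continue
            seen.add(offset)
            found.append({
                "offset": offset,
                "user_a": m["user_a"].decode("ascii"),
                "user_b": m["user_b"].decode("ascii"),
                "conv_id": m["conv_id"].decode("ascii"),
                "msg_id": m["msg_id"].decode("ascii"),
                "text": m["text"].decode("utf-8", errors="replace"),
            })
        carry = buf[-OVERLAP:]
        base += len(buf) - len(carry)
    return found


def write_report(records, path):
    """Save the carved records as tab-separated text, one message per line; returns the count."""
    with open(path, "w", encoding="utf-8") as out:   # "w": create the file, or truncate an old one
        out.write("OFFSET\tUSER_A\tUSER_B\tCONVERSATION_ID\tMESSAGE_ID\tTEXT\n")
        for r in records:
            text = r["text"].replace("\t", " ").replace("\n", " ")
            out.write("%d\t%s\t%s\t%s\t%s\t%s\n" % (
                r["offset"], r["user_a"], r["user_b"], r["conv_id"], r["msg_id"], text))
    return len(records)


def build_sample_image():
    """Constructed test data: three chunks of zeroed flash with records dropped in at
    chosen offsets. The second record straddles the first chunk boundary, which is
    exactly the case a scan without overlap misses."""
    def record(user_a, user_b, text, msg_id, conv_id):
        return b"DirectChat[%s][%s]%s[%s]zz[%s]" % (user_a, user_b, text, msg_id, conv_id)

    image = bytearray(3 * CHUNK_SIZE)
    placements = [
        (100, record(b"827364589", b"918273647", b"Hi, are you home?", b"102938475647382910", b"758493029")),
        (CHUNK_SIZE - 20, record(b"918273647", b"827364589", b"Don't text me", b"102938475647382911", b"758493029")),
        (CHUNK_SIZE + 5000, record(b"827364589", b"918273647", b"On my way", b"102938475647382912", b"758493030")),
        # Partially overwritten record: header survives, trailing ids are gone, so it must not match.
        (2 * CHUNK_SIZE + 10, b"DirectChat[827364589][918273647]see you at"),
    ]
    for offset, data in placements:
        image[offset:offset + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    import tempfile
    image_path = os.path.join(tempfile.mkdtemp(), "sample_image.bin")
    with open(image_path, "wb") as f:            # "wb": write the constructed image as binary
        f.write(build_sample_image())
    with open(image_path, "rb") as f:            # "rb": read the image as binary, never as text
        records = carve_messages(f)
    for r in records:
        print("0x%08x %s -> %s  %s" % (r["offset"], r["user_a"], r["user_b"], r["text"]))
    print("saved", write_report(records, image_path + ".tsv"), "records")
```

    Two things worth keeping from this when you adapt it to a real structure: record the absolute offset of every hit so the finding can be reproduced in the hex editor, and size the overlap from the longest record you documented rather than guessing, since a record lost at a boundary is silently missing evidence.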

  • New Evidence: Deleted Kakao Messages

    FILE DATE USER_ID USER_ID CONVERSATION ID MESSAGES

    2015-01-01 04:26:07 163244128 163244128 85416308603768 Hi babe

    2015-01-01 04:26:07 163244128 163244128 85416308603768 Do you mind coming over later, I just don't want to be alone.

    2015-01-01 04:26:07 163244128 163244128 85466538152343 ya I have some stuff to talk to you about.. I'll be there but don't text me the wife is snooping

    2015-01-01 04:26:07 163244128 163244128 85466538152343 I thought you were going to tell her about us???

    2015-01-01 04:26:07 163244128 163244128 85466601022443 And what do you mean wife??? I thought you two were through??

    2015-01-01 04:26:07 163244128 163244128 85466660556394 I need more time

    2015-01-01 04:26:07 163244128 163244128 85466601022443 I need to figure some things out first

    2015-01-01 04:26:07 163244128 163244128 85466660556394 You have been saying that for a month now!!!

    2015-01-01 04:26:07 163244128 163244128 85466734692395 I can't wait any longer, I need to know you are going to be there for me!

    2015-01-01 04:26:07 163244128 163244128 85466734692395 If you don't handle this today then we are done.

    2015-01-01 04:26:07 163244128 163244128 85466759832214 I promise you will regret that!

    2015-01-01 04:26:07 163244128 163244128 85466827351281 Look I told you to stop texting me! I will deal with you when I get there

    2015-01-01 04:26:07 163244128 163244128 85466850568431 Don't even bother coming over

  • Forensic Tool Limitations: Deleted Kakao

    What are our tools overlooking?

    Cellebrite was able to recover non-deleted Kakao messages

    Cellebrite was not able to recover deleted Kakao messages

    Examining the data structure revealed deleted Kakao messages

    Python used to successfully recover the deleted messages of interest

  • Arrest & Prosecution

  • Evidence Review

    Murder weapon (butcher knife) found with suspect's DNA

    Suspect's clothing found with victim's blood and DNA

    No evidence of forced entry

    No evidence of a third person being at the scene of the crime during the time of the murder

    Non-deleted Kakao messages were found on the victim's phone revealing an argument between victim and suspect on the date of the incident

    Recovered deleted Kakao messages from the suspect's phone indicating a potential modus operandi

  • Enough to pursue an arrest?

    Does sufficient Probable Cause exist to pursue filing charges against the suspect for the murder of victim?

    Is there anyone who would not arrest and file charges against the suspect?

    Does recovering deleted messages aid in providing sufficient evidence for the Prosecution to pursue a conviction?

  • Re-examining the Device: From the perspective of the defense examiner

  • Re-examining the Device

    Defense examiner identifies areas with user-data and after-market apps

  • Re-examining the Device: Applications

    Defense examiner digs deeper into installed applications and finds SnapChat

  • Re-examining the Device: SnapChat Data

    Defense examiner notices missing SnapChat images received from ex-husband Matt Lane

  • Re-examining the Device: SnapChat Data

    Defense examiner notices SnapChat images were received right before murder

  • Demonstration: SnapChat Image Recovery

    Live Demonstration

    Write script to be used in Cellebrite Physical Analyzer

    Go through each file in each file system for loaded phone image

    Examine filename, size, and deleted status of potential matches

    Save recovered image to local machine using new name
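    Physical Analyzer's scripting API is not reproduced on the page, so the following is an added example (mine, not the instructor's script) that performs the same four steps over a plain Python stand-in: an iterable of (path, size, deleted, data) entries takes the place of walking every file in every loaded file system. It adds two checks a practitioner wants before calling an image "recovered": the bytes must begin and end with JPEG markers (a matching filename is not proof the content survived), and each saved file is hashed at recovery time. It also decodes the 13-digit number embedded in the filename as a Unix timestamp in milliseconds, which is how the received times on the following slides are derived. The filename prefix is the one from the slides; treating it as a constant, the directory paths, the placeholder JPEG bytes and the deleted flags are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Filename shape of the recovered images: fixed prefix, 13-digit Unix time in
# milliseconds, .jpg extension. The prefix is the one from the slides; assuming
# it is constant across images is an assumption of this example.
SNAP_NAME = re.compile(r"h1a81hurcs00h(?P<ms>\d{13})\.jpg$", re.IGNORECASE)
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker at the head of every JPEG
JPEG_EOI = b"\xff\xd9"       # end-of-image marker; missing when the file was truncated


def snap_received_time(filename):
    """Return the UTC datetime encoded in a SnapChat-style filename, or None."""
    m = SNAP_NAME.search(os.path.basename(filename))
    if not m:
        return None
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(milliseconds=int(m["ms"]))   # exact, no float rounding


def is_intact_jpeg(data):
    """Header and trailer check; trailing NULs (slack from the allocation unit) are ignored."""
    return data.startswith(JPEG_SOI) and data.rstrip(b"\x00").endswith(JPEG_EOI)


def recover_snap_images(entries, out_dir):
    """Keep intact SnapChat JPEGs from a file-system listing and save each under a new name.

    entries: iterable of (path, size, deleted, data) tuples, a stand-in for iterating
    every file of every file system loaded in the forensic tool.
    Returns (recovered, rejected): recovered is a list of report dicts, rejected a list
    of (path, reason) for names that matched but whose content did not.
    """
    os.makedirs(out_dir, exist_ok=True)
    recovered, rejected = [], []
    for path, size, deleted, data in entries:
        received = snap_received_time(path)
        if received is None:
            continue                      # not a SnapChat image name
        if size == 0 or not is_intact_jpeg(data):
            rejected.append((path, "name matches but bytes are not an intact JPEG"))
            continue
        new_name = "snapchat_%s_%s.jpg" % (
            received.strftime("%Y%m%dT%H%M%S.%fZ"), "deleted" if deleted else "live")
        dest = os.path.join(out_dir, new_name)
        with open(dest, "wb") as out:     # "wb": the image is binary, never text
            out.write(data)
        recovered.append({
            "source": path,
            "deleted": deleted,
            "received_utc": received.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "saved_as": dest,
            "sha256": hashlib.sha256(data).hexdigest(),   # hash at recovery time for the report
        })
    recovered.sort(key=lambda r: r["received_utc"])
    return recovered, rejected


def sample_entries():
    """Constructed listing: the three filenames from the slides with placeholder JPEG
    bytes (valid markers only, not real pictures), two flagged deleted, plus a truncated
    snap and an unrelated camera image. The directory names are made up."""
    def fake_jpeg(tag):
        return JPEG_SOI + b"\xe0" + tag + JPEG_EOI

    base = "/userdata/app_cache/snaps/"
    rows = [
        (base + "h1a81hurcs00h1420147701690.jpg", False, fake_jpeg(b"one")),
        (base + "h1a81hurcs00h1420147811659.jpg", True, fake_jpeg(b"two")),
        (base + "h1a81hurcs00h1420148205681.jpg", True, fake_jpeg(b"three")),
        (base + "h1a81hurcs00h1420148300000.jpg", True, JPEG_SOI + b"\xe0cut"),   # truncated
        ("/sdcard/DCIM/Camera/IMG_0001.jpg", False, fake_jpeg(b"camera")),       # wrong name
    ]
    return [(path, len(data), deleted, data) for path, deleted, data in rows]


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="snap_recovery_")
    recovered, rejected = recover_snap_images(sample_entries(), out_dir)
    for r in recovered:
        print(r["received_utc"], "deleted" if r["deleted"] else "live", r["sha256"][:16], r["saved_as"])
    for path, why in rejected:
        print("rejected", path, why)
```

    The deleted flag is carried into the new filename and the report on purpose: whether an image was live or marked deleted at acquisition is a fact the opposing examiner will ask about, and it should not have to be reconstructed later from memory.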

  • Re-examining the Device: Recovered Images

    After stepping through file system, defense learned:

    3 SnapChat images were present, intact, and recoverable

    Recovered images were not found by bleeding-edge forensic tools

    Images were from ex-husband

    Images had timestamps showing received just before the murder

    Images place ex-husband at the scene during time of murder

  • New Evidence: SnapChat Images

    The 13-digit number in each filename is a Unix timestamp in milliseconds, which gives the time each image was received:

    Filename: h1a81hurcs00h1420147701690.jpg; timestamp 1420147701690 = 1/1/2015, 9:28:21 PM GMT

    Filename: h1a81hurcs00h1420147811659.jpg; timestamp 1420147811659 = 1/1/2015, 9:30:11 PM GMT

    Filename: h1a81hurcs00h1420148205681.jpg; timestamp 1420148205681 = 1/1/2015, 9:36:45 PM GMT

  • and just like that, the defense examiner

    stops you in your tracks!

  • Risks Facing Examiners

  • Risks Facing Examiners

    Overlooking evidence comes with great costs:

    Cases being thrown out or lost to defense examiners

    Reputation as an examiner tarnished

    False arrests & convictions of innocent

    Ability to perform job is reliant on available forensic tools

    Unprepared for future tech (watches, thermostats, glasses, etc)

  • 15 Minute Open Dialogue: What parts of advancing forensics are intimidating?

  • Programming for Mobile Device Forensics

  • Day 1: Reverse Engineering Data Structures

    The first day we will spend getting our environments set up, have a refresher on binary data, and then dive into reverse engineering

    Deep dive into our tools

    Learn the tricks of the trade

    9 Hands-on exercises

    Reconstructing data structures

    plus much more!

  • Day 2 & 3: Introduction to Python

    The second and third day we will jump right into Python, learning all about the language. These 2 days are critical to the success of the week.

    No programming background required

    Solid foundation in the language

    Hands-on exercises

    Tailored specifically for forensics

    plus much more!

  • Day 4: Digging Deeper with Python

    By the end of the fourth day, students realize they have officially embraced the ability to go beyond the tools and are excited!

    Ability to create full Python scripts

    Interpreting files previously not understood

    Marrying Python with forensics

    Provided powerful scripts

    plus much more!

  • Day 5: Advanced Mobile Forensics

    By now, everyone in the class will be able to write Python for forensic investigations. Day 5 we dig into more advanced Python!

    Accessing SQLite databases

    Embracing Python for Cellebrite Physical Analyzer

    Variable length data

    7-bit and reverse 7-bit encoding

    plus much more!

  • Next Class

    No prior programming experience is required!

    Course: Introduction to Programming for Mobile Forensics

    Where: Pinellas County Sheriff's Office, 10750 Ulmerton Rd., Largo, FL

    When: July 13th - 17th, 2015

    Cost: $3,200

  • Questions & Answers
