teeltech - advancing mobile device forensics (online version)
TRANSCRIPT
-
Advancing Mobile Device Forensics
Instructor: Mike Felch
-
Introduction
-
Lunch & Learn Introduction
If you rely on tools
Your examinations have probably missed critical data
You may not have been able to examine certain devices
You may have missed data from apps, especially the latest apps
You found some data but exhausted yourself parsing it out
-
Lunch & Learn Content
Using a practical example of an investigation involving uncovering digital artifacts using new techniques, we will identify data that was unrecoverable or overlooked by traditional forensic tools.
Reverse Engineering Data Structures
After a brief overview of Hex Editor Neo and regular expressions, we will manually examine a binary image acquired from a mobile device in our simulated investigation.
Introduction to Programming with Python
We will cover some high-level Python overviews such as variables, loops, conditions, slicing, and saving files. Just enough to demonstrate the ease and power of Python!
Python Programming for Mobile Forensics
After learning some basics in Python, we will write some scripts to extract artifacts from mobile devices and then save the output as evidence for our investigation.
-
Learning Goals
At the end of this event, you will have experienced:
Going beyond push-button forensic tools, which is required to stay relevant
There is power in understanding binary data
Python programming is actually easier than it seems
No previous programming background is required
By the end of the day, you will have learned a basic understanding of how to apply reverse engineering and programming techniques for use in day-to-day mobile device examinations
-
About Mike
Information Security Engineer, Computer Programmer, High-Tech Crime Researcher, and CSIRT Manager in the private sector
14+ years of programming experience & reverse engineering
Mostly Linux, Windows, Mobile, and Web
Career:
Infosec w/ focus in offensive strategies, surveillance, & cyber-attack attribution
Sr Software Engineer with enterprise experience
Systems Engineer w/ defense contractor in the aerospace industry
-
Staying Relevant
Bridging the gap between mobile forensics and advancing technology
-
The Problem
Technology is leaving mobile device forensics behind, and reliance on traditional tools is further limiting our ability to acquire evidence.
Privacy applications destroying content upon viewing
Unsupported devices & applications
Proprietary encryption & device passwords
Mobile application updates rendering tools useless
the list goes on
-
The Problem: Privacy Applications
Apps are destroying data, making it unrecoverable
Developers are removing themselves from the equation
SnapChat: Erasing pictures after they are viewed
Cyberdust: End-to-end encryption of messages
Kakao Chat: Overwriting messages when they are deleted
Whisper: Anonymized content
TextSecure: End-to-end encryption of text messages
RedPhone: End-to-end encryption of phone calls
plus many more...
The more apps are built around privacy, the less data will be acquired using industry-leading tools
-
The Problem: Lack of Support
Unsupported Devices
Devices are constantly being released, and the number of models makes it impossible for tools to support everything.
Unsupported Applications
New apps are being released every day, and support from tools can take months. By the time they are supported, updates sometimes break the support.
Cellebrite Physical Analyzer
World Leader in Mobile Forensics
4:cast Forensic Tool of the Year Since 2012
Known for Fastest Adoption of Phones & Apps
Industry Standard
79,168 Devices w/o Physical Extraction Support
424,826 Total Devices
19% of Devices Aren't Supported
That's 1 in 5 Devices Requiring JTAG / Chip-Off!
SnapChat Example
25 Updates Since January 17th, 2014
100 Million to 500 Million Installs
700 Million Photos/Videos Sent Per Day
Forensic Tools Overlook Images!
-
The Solution
You don't need a programming background!
Don't just learn the process, learn the technology
Don't be intimidated, it's much simpler than it looks
Break large complex problems into smaller solvable parts
Research new methods, apps, and devices
Embrace the power of programming
-
The Result
You will become a critical asset!
Increased value to your department or agency
Much more confident as a forensic examiner
Programming experience is valuable outside of forensics
Uncover methods that impact the global forensic community
Solve cases that may have otherwise gone unsolved
-
The Requirement
It takes a commitment!
Commit to spending 1 hour a day for 30 days using Python
Don't try to learn the language, learn what you need
Spend time searching and finding messages in binary data
Think about how to tell the computer to parse the data you need
Don't give up! Ask questions and embrace the community
-
15 Minutes of Open Dialogue
What are some new problems facing mobile device forensics?
-
Overview of Technologies
-
Overview of Technologies
We will be looking at just a few technologies
Hex Editor Neo
Regular Expressions
Python v3
Cellebrite Physical Analyzer Scripting Engine
-
Overview of Technologies
Hex Editor Neo
-
Hex Editor Neo
Typical hex editor but with advanced capabilities
Identify data within multi-gigabyte files
Handles lots of data like ASCII, hex, decimal, and binary
Direct access to physical and logical disks, and even memory
Extremely portable, doesn't require full installation
Very fast advanced searching
Multiple simultaneous selections
-
Hex Editor Neo
Simple Layout
-
Hex Editor Neo
Simple Layout: Multiple Selections in a 4 GB Binary Phone Image
-
Hex Editor Neo
Expert Layout
-
Overview of Technologies
Regular Expressions
-
Regular Expressions (regex)
What is a regular expression? A special text string used to find a pattern
When should we use regular expressions? When we know what the structure looks like but are unclear about the data
Where can I find help? Help > Contents > Hex Editor Neo Definitive Guide > Regular Expressions > Regular Expressions Syntax
Let's take a look at an example...
-
Regular Expressions (regex)
Sample Regex
DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}
Sample Message
DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]
abc Search for exact text
[abc] Search for a, b, or c
\d Search for a digit
\d{10} Search for ten digits
\[ Search for the character [
* Match 0 or more repetitions
. Match any character except new line
\ Backslash escapes the following character
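As an added worked example (not code from the slides), here is the sample regex and sample message above run through Python's re module. The group names sender, recipient, body, message_id and trailer are my labels for the five bracketed fields; the slide shows the layout but not what each field means. The last two functions show two caveats a practitioner hits immediately: why the backslash before [ matters, and why the slide's greedy .* counts two back-to-back records as one.

```python
import re
from typing import Optional

# Sample message taken from the slide above.
SAMPLE_MESSAGE = "DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]"

# The slide's pattern, written out without the spaces the slide inserted for readability.
SLIDE_REGEX = r"DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}"

# The same structure with named capture groups so each data point can be pulled out.
# Group names are my labels (assumption), not anything the app documents.
FIELD_REGEX = re.compile(
    r"DirectChat"
    r"\[(?P<sender>\d{9})\]"
    r"\[(?P<recipient>\d{9})\]"
    r"(?P<body>.*?)"            # non-greedy: stop at the first 18-digit block
    r"\[(?P<message_id>\d{18})\]"
    r".*?"
    r"\[(?P<trailer>\d{9})\]"
)


def slide_regex_matches(text: str) -> bool:
    """True if the slide's pattern matches somewhere in text."""
    return re.search(SLIDE_REGEX, text) is not None


def parse_direct_chat(text: str) -> Optional[dict]:
    """Return the five data points of the first DirectChat record in text, or None."""
    m = FIELD_REGEX.search(text)
    return m.groupdict() if m else None


def unescaped_bracket_is_a_class(text: str) -> bool:
    """Why the backslash before [ matters: an unescaped [ starts a character class.
    DirectChat[\\d{9}] means 'DirectChat' followed by ONE character that is a digit,
    {, 9 or }, so it never matches the literal bracket in the message."""
    return re.search(r"DirectChat[\d{9}]", text) is None


def count_records(text: str, greedy: bool) -> int:
    """Greedy .* (the slide's pattern) runs to the LAST matching block on the line,
    so two records written back to back are reported as one match; the non-greedy
    field pattern stops at the first and reports both."""
    pattern = SLIDE_REGEX if greedy else FIELD_REGEX
    return len(list(re.finditer(pattern, text)))


if __name__ == "__main__":
    print(parse_direct_chat(SAMPLE_MESSAGE))
    print("greedy:", count_records(SAMPLE_MESSAGE + SAMPLE_MESSAGE, greedy=True),
          "non-greedy:", count_records(SAMPLE_MESSAGE + SAMPLE_MESSAGE, greedy=False))
```

The greedy/non-greedy difference is the one to remember when the same pattern is later applied to a raw image, where records sit one after another with no line breaks between them.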
-
-
Overview of Technologies
Introduction to Python
-
Introduction to Python
Comparing Data
Basic Math Operations
Variables
Slicing
Logical Conditions
Loops
Code Structure
Saving Data
-
Python: Comparing Data
Operator  Meaning
<         Less than
>         Greater than
>=        Greater than or equal to
==        Equal (note two equal signs)
!=        Not equal
Operator  Meaning                          Example        Result
or        True if either argument is true  True or False  True
and       True if both arguments are true  True and True  True
not       Opposite                         not False      True
-
Python: Basic Math Operations
Operator  Description  Example  Result
+         Sum          1+1      2
-         Difference   2-1      1
*         Product      2*3      6
/         Quotient     5/2      2.5
/         Quotient     4/2      2.0
x = 3+7
x = 4*9
x = 20/2
x = 44-1
-
Python: Variables
Used to track data within our program
Variables are containers for our data
We store and change the values within the variable
We select the names of the variables
Names are case sensitive
Can't use certain words: if, for, while, etc.
Assign data with the equals sign
myVariable = 1
Assignments can include calculations
myVariable = 12 + 34
-
Python: Slicing
myString[0:7]    Gets first 7 starting at index 0              Slicing
myString[:7]     Gets first 7 from beginning                   Slicing
myString[7:]     Gets remaining starting at index 7            TxT
myString[2:7]    Gets 5 starting at index 2 up to index 7      icing
myString[-5:-3]  Gets 2 starting at index -5 up to index -3    ng
Index:  0 1 2 3 4 5 6 7 8 9
String: S l i c i n g T x T
-
Python: Logic Conditions
if condition:
    statement
if x == 7:
    print("The number is 7!")
Control the flow of execution by making conditional statements which decide whether indented statements get executed.
-
Python: Loops using for and while
for target in sequence:
    statement
for x in "long string":
    print(x)
while condition:
    statement
while True:
    print("I will never stop!")
-
Python: Language Structure
string = "This is my long string"
for character in string:
    if character == " ":
        print("I found a space!")
Each code block is indented
Statements execute until the code block is un-indented
There are no braces or brackets
Can be spaces or tabs, but not both
Must be consistent
-
Python: Saving Data
Mode Meaning
r Open for reading (default)
w Open for writing but first truncate
a Open for writing, append to end if exists
b Open file in binary mode
There are different modes we can use when handling files. We first need to decide if we are reading an existing file, writing a new file, or adding to an existing file. Also determine if we are working with a binary file or just ASCII.
* There are more modes available, but we aren't covering them in this lesson.
-
Python: Saving Data
with open(filename, mode) as newfile:
    newfile.write(data)
with open("output.log", "w") as newfile:
    newfile.write("The number is 7!")
Once the code block executes the last indented statement, it will auto-close the file so it's not locked.
-
Overview of Technologies
Cellebrite Physical Analyzer Scripting Engine
-
Cellebrite Physical Analyzer Scripting Engine
Interactive mode or Run scripts
Quick access to file systems
Easy access to phone artifacts
Very precise data
Save data from examination
Create timelines & hashes
Run scripts or use a shell
plus much more!
Example of Interactive Mode
-
Simulated Investigation
-
Investigation Outline
Witness Clark Kent contacted Teel Tech Police on 01/01/2015 around 2140
Report of disturbance from his neighbor's residence, the incident location
Incident location identified as 2681 Anywhere Street, Lakeland, FL 33801
Responding officers discover vehicle registered to suspect in garage of victim's residence
Responding officers discover vehicle registered to victim in garage of victim's residence
Violent screams heard coming from inside incident location by Witness Kent
Welfare check reveals Suspect Lex Luthor inside of incident location
Clothing of suspect reveals significant amount of blood
Victim Lois Lane located inside residence, deceased, with multiple stabbing wounds to upper body
-
Witness Interview
Witness C. Kent reports hearing male and female arguing at incident location
Reports he was unable to understand what was said
Witness describes violent screams originating from female
-
Suspect Interview
Suspect L. Luthor claimed he was visiting his friend, the victim
Claims to have discovered the victim deceased upon his arrival
Alleged a male subject was standing beside victim's body with a bloody knife
Suspect claims to have wrestled the knife away from the unknown subject
Unknown subject allegedly fled on foot prior to police arrival
When questioned about specific circumstances, suspect requested legal counsel
-
Crime Scene Evidence
Kitchen butcher knife: Found beside victim with victim's blood, as confirmed by Crime Scene Lab
Victim's clothing: Found on victim with multiple puncture holes to the front of shirt
Suspect's clothing: Found on suspect, with suspect's shirt containing traces of victim's blood, as confirmed by Crime Scene Lab
Victim's DNA was found on the shirt worn by the suspect
Victim's DNA was found on the murder weapon
Suspect's DNA was found on the murder weapon
No evidence of forced entry was found at the crime scene
No evidence of a third party being at the crime scene was found
-
Digital Forensic Evidence
Victim's Cell Phone: Samsung Galaxy S 4G SGH-T959V recovered from victim's clothing.
Suspect's Cell Phone: Samsung S2 SGH-T989 seized from suspect's clothing.
Samsung Galaxy S 4G (Victim's Phone): Non-deleted Kakao messages were found on victim's phone revealing an argument between victim and suspect on the date of the incident. Kakao messages further indicate that victim advised suspect not to come over during the argument.
Samsung Galaxy S2 (Suspect's Phone): Kakao messenger app was discovered; however, messages between victim and suspect on the date of the incident were not recovered.
-
Demonstration: Reverse Engineering
Live Demonstration
Open physical image of suspect's phone in Hex Editor Neo
Use victim's phone to cross-examine recovered messages
Identify recoverable messages of evidentiary value in the raw data
Document recoverable message structure
-
Now what? Parsing would take forever!
Copy/paste by hand:
13 Potential Messages
5 Useful Data Points
5 Minutes a Record to Hand Copy
2 Mobile Devices to Examine
11 Hours to Copy/Paste
vs. a script:
34 Lines of Code
5.4 Seconds to Process 4 GB
Re-use it Over and Over
-
Demonstration: Kakao Messenger Python
Live Demonstration
Open physical image of suspect's phone in Python
Read binary data into a variable by chunks
Use regular expressions to search for messages in raw data
Slice out data points and print results
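An added example that walks the four steps above over a constructed image file; it is not the 34-line script from the live demonstration, which the deck does not reproduce, and it also exercises the earlier slicing and saving-data slides. Because the Kakao record layout is only shown in the demo, the DirectChat layout from the regex slide is reused as a stand-in; the chunk size, the 512-byte record bound and the sample image bytes are constructed values. The failure mode worth seeing is a record that straddles two chunks: a naive chunk reader never sees it whole, so the parser carries the unmatched tail of each chunk into the next read and reports absolute image offsets for each hit.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List

# Record layout borrowed from the regex slide as a stand-in for the Kakao
# structure (assumption: the deck shows that structure only in the live demo).
# A bytes pattern, because the image is read in binary mode; DOTALL so a body
# containing a newline is still matched.
RECORD = re.compile(
    rb"DirectChat\[(\d{9})\]\[(\d{9})\](.*?)\[(\d{18})\].*?\[(\d{9})\]",
    re.DOTALL,
)

CHUNK_SIZE = 4096      # tiny for the demo; read megabytes at a time on a real 4 GB image
MAX_RECORD_LEN = 512   # assumed upper bound on one record: the overlap kept between chunks


def iter_records(path: Path, chunk_size: int = CHUNK_SIZE,
                 overlap: int = MAX_RECORD_LEN) -> Iterator[Dict[str, object]]:
    """Yield one dict per record found, with its absolute offset in the image.

    Up to `overlap` bytes from the end of each chunk are carried into the next
    read, so a record split across two chunks is still seen in one piece.
    With overlap=0 this degrades to a naive chunk reader that misses them.
    """
    with open(path, "rb") as img:
        carry = b""   # unmatched tail of the previous chunk
        base = 0      # image offset of carry[0]
        while True:
            chunk = img.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            last_end = 0
            for m in RECORD.finditer(buf):
                yield {
                    "offset": base + m.start(),
                    "sender": m.group(1),
                    "recipient": m.group(2),
                    "body": m.group(3),
                    "message_id": m.group(4),
                }
                last_end = m.end()
            # Keep only bytes after the last complete match, bounded by `overlap`,
            # so nothing is reported twice and a split record is retried next round.
            keep_from = max(last_end, len(buf) - overlap)
            carry = buf[keep_from:]
            base += keep_from


def recover_messages(path: Path, out_path: Path, **kw) -> List[Dict[str, object]]:
    """Parse the image, print each hit, and save the hits as a tab-separated log."""
    found = []
    with open(out_path, "w", encoding="utf-8") as log:
        log.write("OFFSET\tUSER_ID\tUSER_ID\tMESSAGE_ID\tMESSAGE\n")
        for rec in iter_records(path, **kw):
            found.append(rec)
            line = "\t".join([
                str(rec["offset"]),
                rec["sender"].decode("ascii"),
                rec["recipient"].decode("ascii"),
                rec["message_id"].decode("ascii"),
                rec["body"].decode("utf-8", errors="replace"),
            ])
            print(line)
            log.write(line + "\n")
    return found


def build_sample_image(path: Path) -> None:
    """Write a constructed image: binary filler plus two records, the second
    placed so that it starts 20 bytes before the first chunk boundary."""
    rec1 = b"DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]"
    rec2 = b"DirectChat[918273647][827364589]Reply across the boundary[102938475647382911]zz[758493030]"
    filler = bytes(range(256)) * 4                       # 1024 bytes of non-text filler
    prefix = filler + rec1
    prefix += filler * ((CHUNK_SIZE - 20 - len(prefix)) // len(filler) + 1)
    prefix = prefix[:CHUNK_SIZE - 20]
    path.write_bytes(prefix + rec2 + filler)


def run_demo() -> Dict[str, object]:
    """Build the sample image in a temp dir and compare overlapping vs naive reads."""
    work = Path(tempfile.mkdtemp())
    image = work / "phone_image.bin"
    build_sample_image(image)
    with_overlap = recover_messages(image, work / "kakao_recovered.log")
    naive = list(iter_records(image, overlap=0))
    log_lines = (work / "kakao_recovered.log").read_text(encoding="utf-8").splitlines()
    return {"with_overlap": with_overlap, "naive_count": len(naive), "log_lines": log_lines}


if __name__ == "__main__":
    summary = run_demo()
    print(f"overlapping reader: {len(summary['with_overlap'])} records, "
          f"naive reader: {summary['naive_count']} record(s)")
```

The overlap bound is the one number to get right on a real image: it must be at least the longest record you expect, or a long message that straddles a boundary will still be lost, which is exactly the kind of gap a defense examiner looks for.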
-
New Evidence: Deleted Kakao Messages
FILE DATE USER_ID USER_ID CONVERSATION ID MESSAGES
2015-01-01 04:26:07 163244128 163244128 85416308603768 Hi babe
2015-01-01 04:26:07 163244128 163244128 85416308603768 Do you mind coming over later, I just don't want to be alone.
2015-01-01 04:26:07 163244128 163244128 85466538152343 ya I have some stuff to talk to you about.. I'll be there but don't text me the wife is snooping
2015-01-01 04:26:07 163244128 163244128 85466538152343 I thought you were going to tell her about us???
2015-01-01 04:26:07 163244128 163244128 85466601022443 And what do you mean wife??? I thought you two were through??
2015-01-01 04:26:07 163244128 163244128 85466660556394 I need more time
2015-01-01 04:26:07 163244128 163244128 85466601022443 I need to figure some things out first
2015-01-01 04:26:07 163244128 163244128 85466660556394 You have been saying that for a month now!!!
2015-01-01 04:26:07 163244128 163244128 85466734692395 I can't wait any longer, I need to know you are going to be there for me!
2015-01-01 04:26:07 163244128 163244128 85466734692395 If you don't handle this today then we are done.
2015-01-01 04:26:07 163244128 163244128 85466759832214 I promise you will regret that!
2015-01-01 04:26:07 163244128 163244128 85466827351281 Look I told you to stop texting me! I will deal with you when I get there
2015-01-01 04:26:07 163244128 163244128 85466850568431 Don't even bother coming over
-
Forensic Tool Limitations: Deleted Kakao
What are our tools overlooking?
Cellebrite was able to recover non-deleted Kakao messages
Cellebrite was not able to recover deleted Kakao messages
Examining the data structure revealed deleted Kakao messages
Python used to successfully recover the deleted messages of interest
-
Arrest & Prosecution
-
Evidence Review
Murder weapon (butcher knife) found with suspect's DNA
Suspect's clothing found with victim's blood and DNA
No evidence of forced entry
No evidence of third person being at scene of crime during time of murder
Non-deleted Kakao messages were found on victims phone revealing an argument between victim and suspect on the date of the incident
Recovered deleted Kakao messages from suspect's phone indicating a potential Modus Operandi
-
Enough to pursue an arrest?
Does sufficient Probable Cause exist to pursue filing charges against the suspect for the murder of victim?
-
Enough to pursue an arrest?
Does sufficient Probable Cause exist to pursue filing charges against the suspect for the murder of victim?
Is there anyone who would not arrest and file charges against the suspect?
-
Enough to pursue an arrest?
Does sufficient Probable Cause exist to pursue filing charges against the suspect for the murder of victim?
Is there anyone who would not arrest and file charges against the suspect?
Does recovering deleted messages aid in providing sufficient evidence for the Prosecution to pursue a conviction?
-
Re-examining the Device
From the perspective of the defense examiner
-
Re-examining the Device
Defense examiner identifies areas with user-data and after-market apps
-
Re-examining the Device: Applications
Defense examiner digs deeper into installed applications and finds SnapChat
-
Re-examining the Device: SnapChat Data
Defense examiner notices missing SnapChat images received from ex-husband Matt Lane
-
Re-examining the Device: SnapChat Data
Defense examiner notices SnapChat images were received right before murder
-
Demonstration: SnapChat Image Recovery
Live Demonstration
Write script to be used in Cellebrite Physical Analyzer
Go through each file in each file system for loaded phone image
Examine filename, size, and deleted status of potential matches
Save recovered image to local machine using new name
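An added example of the recovery logic in the four steps above. It is not the Physical Analyzer script from the demonstration and does not use Cellebrite's scripting API: each file-system entry is modelled as a small FileEntry record (path, size, deleted flag, contents), which is my assumption about what the engine hands a script. The checks are the filename, a non-zero size, the deleted status and, as an extra caveat, the JPEG header bytes rather than the extension; the millisecond timestamp embedded in the filename is converted to UTC (matching the 9:28:21 PM GMT on the evidence slides) and each hit is saved under a new name. The naming rule, a fixed 13-character prefix followed by 13 digits, is inferred from the three filenames on the slides and is an assumption; the sample listing is constructed.

```python
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Naming rule inferred from the three filenames on the evidence slides
# (assumption, not documented app behaviour): fixed prefix + 13-digit epoch ms.
SNAP_NAME = re.compile(r"^h1a81hurcs00h(?P<ms>\d{13})\.jpg$")
JPEG_MAGIC = b"\xff\xd8\xff"   # start-of-image marker every JPEG begins with


@dataclass
class FileEntry:
    """One file-system entry as a scripting engine would hand it to us.
    Assumed shape; the real API objects are not reproduced in the deck."""
    path: str
    size: int
    deleted: bool
    data: bytes

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]


def ms_to_utc(ms: int) -> datetime:
    """Epoch milliseconds (as embedded in the filename) to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_snap_name(name: str) -> Optional[int]:
    """Return the embedded millisecond timestamp, or None if the name does not fit."""
    m = SNAP_NAME.match(name)
    return int(m["ms"]) if m else None


def is_candidate(entry: FileEntry) -> bool:
    """Filename fits, the file is not empty, and it really is a JPEG (header, not extension)."""
    return (parse_snap_name(entry.name) is not None
            and entry.size > 0
            and entry.data.startswith(JPEG_MAGIC))


def recover_images(entries: Iterable[FileEntry], out_dir: Path) -> List[Dict[str, object]]:
    """Save every candidate to out_dir under a new name carrying the timestamp
    and deleted status; return one record per saved image."""
    out_dir.mkdir(parents=True, exist_ok=True)
    hits = []
    for e in entries:
        if not is_candidate(e):
            continue
        ms = parse_snap_name(e.name)
        when = ms_to_utc(ms)
        new_name = (f"snapchat_{ms}_{when.strftime('%Y%m%dT%H%M%SZ')}"
                    f"{'_deleted' if e.deleted else ''}.jpg")
        target = out_dir / new_name
        target.write_bytes(e.data)
        hits.append({
            "source": e.path,
            "saved_as": new_name,
            "received_utc": when.isoformat(timespec="seconds"),
            "deleted": e.deleted,
            "size": e.size,
            "saved_size": target.stat().st_size,   # confirms the copy is byte-complete
        })
    return hits


def sample_entries() -> List[FileEntry]:
    """Constructed listing: three candidates (timestamps from the evidence slides),
    plus an empty file, a wrongly named JPEG and a .jpg that is not a JPEG."""
    jpeg = JPEG_MAGIC + b"\xe0" + bytes(range(64))   # JPEG header plus filler bytes
    base = "/userdata/placeholder_app_dir/"          # placeholder path, not a real one

    def entry(name: str, data: bytes, deleted: bool = False) -> FileEntry:
        return FileEntry(base + name, len(data), deleted, data)

    return [
        entry("h1a81hurcs00h1420147701690.jpg", jpeg),
        entry("h1a81hurcs00h1420147811659.jpg", jpeg, deleted=True),
        entry("h1a81hurcs00h1420148205681.jpg", jpeg),
        entry("h1a81hurcs00h1420148300000.jpg", b""),            # zero bytes: skipped
        entry("thumbnail.jpg", jpeg),                              # name does not fit: skipped
        entry("h1a81hurcs00h1420148400000.jpg", b"not a jpeg"),  # wrong header: skipped
    ]


def run_demo() -> List[Dict[str, object]]:
    """Run the recovery over the constructed listing into a temp directory."""
    return recover_images(sample_entries(), Path(tempfile.mkdtemp()) / "recovered")


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["saved_as"], hit["received_utc"], "deleted" if hit["deleted"] else "intact")
```

Checking the header bytes instead of trusting the extension is what keeps a renamed or truncated file out of the evidence set; the saved_size field is there so the report can show the copy matches the source byte for byte.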
-
Re-examining the Device: Recovered Images
After stepping through file system, defense learned:
3 SnapChat images were present, intact, and recoverable
Recovered images were not found by bleeding-edge forensic tools
Images were from ex-husband
Images had timestamps showing received just before the murder
Images place ex-husband at the scene during time of murder
-
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420147701690.jpg
Timestamp: 1420147701690
1/1/2015, 9:28:21 PM GMT
-
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420147811659.jpg
Timestamp: 1420147811659
1/1/2015, 9:30:11 PM GMT
-
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420148205681.jpg
Timestamp: 1420147811659
1/1/2015, 9:36:45 PM GMT
-
...and just like that, the defense examiner stops you in your tracks!
-
Risks Facing Examiners
-
Risks Facing Examiners
Overlooking evidence comes with great costs:
Cases being thrown out or lost to defense examiners
Reputation as an examiner tarnished
False arrests & convictions of innocent
Ability to perform job is reliant on available forensic tools
Unprepared for future tech (watches, thermostats, glasses, etc.)
-
15 Minute Open Dialogue
What parts of advancing forensics are intimidating?
-
Programming for Mobile Device Forensics
-
Day 1: Reverse Engineering Data Structures
The first day we will spend getting our environments set up, have a refresher on binary data, and then dive into reverse engineering
Deep dive into our tools
Learn the tricks of the trade
9 Hands-on exercises
Reconstructing data structures
plus much more!
-
Day 2 & 3: Introduction to Python
The second and third day we will jump right into Python, learning all about the language. These 2 days are critical to the success of the week.
No programming background required
Solid foundation in the language
Hands-on exercises
Tailored specifically for forensics
plus much more!
-
Day 4: Digging Deeper with Python
By the end of the fourth day, students realize they have officially embraced the ability to go beyond the tools and are excited!
Ability to create full Python scripts
Interpreting files previously not understood
Marrying Python with forensics
Provided powerful scripts
plus much more!
-
Day 5: Advanced Mobile Forensics
By now, everyone in the class will be able to write Python for forensic investigations. Day 5 we dig into more advanced Python!
Accessing SQLite databases
Embracing Python for Cellebrite Physical Analyzer
Variable length data
7-bit and reverse 7-bit encoding
plus much more!
-
Next Class
No prior programming experience is required!
Course: Introduction to Programming for Mobile Forensics
Where: Pinellas County Sheriff's Office, 10750 Ulmerton Rd., Largo, FL
When: July 13th - 17th, 2015
Cost: $3,200
-
Questions & Answers