TRANSCRIPT
Uncovering the Covered Tracks:
Finding What’s Left Behind
JAD SALIBA – FOUNDER & CTO
Background
• Teenage geek - IT/Software industry
• Police officer for 7 years
• Worked in Tech Crime Unit
• Started JADsoftware (now Magnet Forensics) as a part-time side project – now a team of developers
Overview
• Recovering artifacts from multiple devices:
  • PCs:
    • Skype
    • Google Maps
  • Mobile:
    • Kik Messenger
    • Snapchat
  • Chromebooks:
    • Getting to unencrypted data
• Using timelines to find out what happened
• Tools that can help
PC Artifacts
Skype
• Voice over IP service (with video and text chat options)
• Started in 2003
• Over 633 million registered users
• 65 million people sign in to Skype every day
• 700 million minutes spent in Skype-to-Skype calls every day
• Microsoft has retired Windows Live Messenger in favor of its Skype service, although Messenger will continue in mainland China. Microsoft began the transition for all users on April 8, 2013.
Skype
Skype – “chatsync”
IP Addresses
Skype
• main.db file – SQLite database
• Contains majority of interesting data
• Account info, Calls, Contacts, Messages, SMS messages, Video session info, Voicemail info
Skype
• (“POSTED_TEXT”)
• (“Sent”)
• Sender username / display name
• Date/time (Unix time, in UTC)
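As an added example (not the presenter's code or Magnet's tooling), the following builds a constructed stand-in for a Skype main.db in SQLite, then pulls the message rows out with the sender, the type/status codes decoded, and the Unix timestamp rendered explicitly as UTC, which is the set of fields the callouts above point at. The column names and the code values 61 = POSTED_TEXT / 2 = Sent are assumptions about the Skype schema made for this example; check them against the real main.db you are examining.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for a Skype main.db (not a real evidence file): only the
# Messages columns the slides call out. Column names and the numeric code
# meanings below are assumptions for this example, not verified schema facts.
SAMPLE_MESSAGES = [
    # (chatname, author, from_dispname, timestamp, type, sending_status, body_xml)
    ("#alice.k/$bob.m;a1b2c3", "alice.k", "Alice K", 1365422400, 61, 2, "are you around?"),
    ("#alice.k/$bob.m;a1b2c3", "bob.m", "Bob M", 1365422460, 61, 2, "yep, call me"),
    ("#alice.k/$carol.p;f0f0f0", "alice.k", "Alice K", 1365426000, 61, 1, "still sending..."),
]

MESSAGE_TYPE = {61: "POSTED_TEXT"}                        # assumed: 61 = ordinary chat line
SENDING_STATUS = {1: "Sending", 2: "Sent", 3: "Failed"}   # assumed mapping


def build_sample_main_db(path=":memory:"):
    """Create a minimal Messages table and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE Messages (
        id INTEGER PRIMARY KEY, chatname TEXT, author TEXT, from_dispname TEXT,
        timestamp INTEGER, type INTEGER, sending_status INTEGER, body_xml TEXT)""")
    conn.executemany(
        "INSERT INTO Messages (chatname, author, from_dispname, timestamp, type, "
        "sending_status, body_xml) VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def skype_time(ts):
    """Skype stores seconds since the Unix epoch in UTC; render it explicitly as UTC."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def extract_messages(conn, chatname=None):
    """Pull chat lines in time order, decoding the numeric type/status codes."""
    sql = ("SELECT chatname, author, from_dispname, timestamp, type, sending_status, body_xml "
           "FROM Messages")
    params = ()
    if chatname:
        sql += " WHERE chatname = ?"
        params = (chatname,)
    sql += " ORDER BY timestamp"
    out = []
    for chat, author, disp, ts, mtype, status, body in conn.execute(sql, params):
        out.append({
            "chat": chat,
            "sender": f"{author} ({disp})",
            "when": skype_time(ts),
            "type": MESSAGE_TYPE.get(mtype, f"type {mtype}"),
            "status": SENDING_STATUS.get(status, f"status {status}"),
            "text": body,
        })
    return out


if __name__ == "__main__":
    db = build_sample_main_db()
    for m in extract_messages(db):
        print(m["when"], m["sender"], m["status"], m["type"], repr(m["text"]))
```

Against a real file, pass its path to sqlite3.connect instead of ":memory:" and work on a copy, never the original; the important habit the code shows is converting the timestamp with an explicit UTC zone rather than the examiner's local time.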
Skype
• Voicemails require a premium account
• Only get saved to this folder after being played
• Filename can be found in the Voicemails table in the main.db file – filename contains the date/time
• Audio is in a proprietary Skype format
• BUT – there is a way!
Facebook
• Leading social networking site
• Started in 2004
• Over 950 million Facebook users worldwide (Source: Facebook)
• 500 million people log onto Facebook daily (Source: The Social Skinny 2012)
• There are 83 million fake profiles. (Source: CNN)
• Photo uploads total 300 million per day (Source: Gizmodo)
Facebook Chat
• Not like the good ol’ days
• Still left behind, but mainly in live RAM, pagefile, hibernation file
• Multiple formats
• Live chat and messages essentially the same
Facebook Chat
{\"msg\":{\"text\":\"lol i love facebook, it's so awesome. chatting is fun!!\"},\"from\":1000000555,\"to\":1100000066,\"time\":1257370809956,\"type\":\"msg\"}
More chat:
{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/messages\/read\/?tid=mid.1368112514305\u00253Ad61a480cfa3a140d91","author_fbid":100004396603890,"author_name":"Wendy Manford","thread_name":"Bourne","snippet":"Hey have you seen the new...","message":"Hey have you seen the new Bourne movie?","time":"Just now","image":{"__html":"\u003Cimg src=\"https:\/\/fbcdn-profile-a.akamaihd.net\/hprofile-ak-ash1\/t5\/s43x43\/211578_100004396603890_405447609_q.jpg\" alt=\"Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/>
Wall post:
fbid":"646173788763494","legacyid":"646173788763494","body":{"text":"can see y dem would a call afta u......","ranges":[],"aggregatedranges":[],"hasTranslatableContent":true},"author":"100001790397816","ftentidentifier":"646151518765721","likecount":0,"hasviewerliked":false,"canremove":false,"canreport":true,"canedit":false,"source":1,"istranslatable":false,"timestamp":{"time":1396761880,"text":"April 6 at 2:24am"
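The fragments above are what a RAM, pagefile or hibernation file carve turns up. The following is an added example, not the presenter's code, of carving both shapes out of a memory buffer: the first record is the chat object escaped inside an outer JSON string (the \" sequences), which must be unescaped before it parses; the second is the plain "tid" form, where the JSON decoder itself finds the end of the object; and the third is a deliberately truncated copy, because objects at a page boundary usually are. The dump bytes are constructed for the example and the record layout is taken only from the fragments shown on the slides.

```python
import json
import re
from datetime import datetime, timezone

# Constructed memory dump (not a real capture). Record 1 is the escaped form
# from the slide (a JSON chat object that sat inside an outer JSON string),
# record 2 the plain "tid" form, record 3 a truncated copy of the plain form.
SAMPLE_DUMP = (
    b"\x00\x00PAGE\xff\xfe filler bytes "
    b'{\\"msg\\":{\\"text\\":\\"lol i love facebook, it\'s so awesome. chatting is fun!!\\"},'
    b'\\"from\\":1000000555,\\"to\\":1100000066,\\"time\\":1257370809956,\\"type\\":\\"msg\\"}'
    b"\x00\x00 more filler \x00"
    b'{"tid":"mid.1368112514305:d61a480cfa3a140d91","author_fbid":100004396603890,'
    b'"author_name":"Wendy Manford","thread_name":"Bourne",'
    b'"message":"Hey have you seen the new Bourne movie?","time":"Just now"}'
    b"\x00 trailing junk "
    b'{"tid":"mid.1368112514399:cafe00","author_fbid":1000043'
)

# Escaped chat records are bounded by {\"msg\": ... \"type\":\"msg\"}
ESCAPED_CHAT_RE = re.compile(rb'\{\\"msg\\":.*?\\"type\\":\\"msg\\"\}', re.DOTALL)
PLAIN_MSG_SIG = '{"tid":"mid.'


def ms_to_utc(ms):
    """Facebook chat timestamps are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def carve_facebook_chat(dump):
    records = []

    # 1) escaped form: undo the one level of \" escaping, then parse as JSON
    for m in ESCAPED_CHAT_RE.finditer(dump):
        raw = m.group(0).replace(b'\\"', b'"')
        try:
            obj = json.loads(raw.decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue
        records.append({
            "kind": "chat", "offset": m.start(),
            "from": obj.get("from"), "to": obj.get("to"),
            "text": obj.get("msg", {}).get("text"),
            "time_utc": ms_to_utc(obj["time"]) if isinstance(obj.get("time"), int) else None,
        })

    # 2) plain form: find the signature and let the JSON decoder locate the end of
    # the object; latin-1 keeps a 1:1 byte-to-char mapping so offsets stay valid
    text = dump.decode("latin-1")
    decoder = json.JSONDecoder()
    pos = 0
    while (idx := text.find(PLAIN_MSG_SIG, pos)) >= 0:
        try:
            obj, end = decoder.raw_decode(text, idx)
        except json.JSONDecodeError:
            # cut off mid-object: keep the fragment for manual review
            records.append({"kind": "message", "offset": idx, "partial": True,
                            "fragment": text[idx:idx + 60]})
            pos = idx + len(PLAIN_MSG_SIG)
            continue
        records.append({
            "kind": "message", "offset": idx, "partial": False,
            "tid": obj.get("tid"), "author_fbid": obj.get("author_fbid"),
            "author_name": obj.get("author_name"), "message": obj.get("message"),
        })
        pos = end

    return sorted(records, key=lambda r: r["offset"])


if __name__ == "__main__":
    for rec in carve_facebook_chat(SAMPLE_DUMP):
        print(rec)
```

The offset is kept in every record so a hit can be traced back to its position in the capture, and truncated objects are reported rather than silently dropped, since even a partial record still carries the author ID and thread ID.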
Facebook – Decoding photo URLs
Recovered photo view URL:
https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater
• Facebook Photo ID is "201526933901245715"
• Facebook Album ID is "10150672801465915"
• Photo belongs to user ID "1221785571"
Now what?
We can use the Facebook Graph API to learn more about this user.
We’ll take the user ID above and put it into the below URL (no need to login to Facebook):
http://graph.facebook.com/1221785571
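As an added example (not the presenter's code), the following carves photo.php URLs out of a text blob, such as a strings run over a memory capture, and splits each one into the IDs the slide identifies. The "at.&lt;album&gt;. ... .&lt;user&gt;" reading of the set= parameter follows the slide; the middle segments are left undecoded because the slide does not explain them. The sample blob is constructed around the slide's own URL.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed text blob with one photo.php URL embedded; the URL itself is the
# one from the slide, the surrounding text is filler.
SAMPLE_BLOB = (
    "...cache junk... https://www.facebook.com/photo.php?fbid=201526933901245715"
    "&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater"
    " more junk https://www.facebook.com/home.php ..."
)

PHOTO_URL_RE = re.compile(r"https?://www\.facebook\.com/photo\.php\?[\w.&=%-]+")


def decode_photo_url(url):
    """Split a photo.php URL into photo ID, album ID and owning user ID.

    set= is laid out as at.<album id>.<...>.<owner user id>; only the first and
    last segments are interpreted, as on the slide.
    """
    q = parse_qs(urlparse(url).query)
    photo_id = q.get("fbid", [None])[0]
    album_id = user_id = None
    set_param = q.get("set", [None])[0]
    if set_param and set_param.startswith("at."):
        segments = set_param[3:].split(".")
        album_id, user_id = segments[0], segments[-1]
    return {
        "photo_id": photo_id,
        "album_id": album_id,
        "user_id": user_id,
        # the Graph lookup URL the slide builds from the user ID
        "graph_url": f"http://graph.facebook.com/{user_id}" if user_id else None,
    }


def find_photo_urls(text):
    """Carve photo.php URLs out of arbitrary text and decode each one."""
    return [decode_photo_url(u) for u in PHOTO_URL_RE.findall(text)]


if __name__ == "__main__":
    for hit in find_photo_urls(SAMPLE_BLOB):
        print(hit)
```

Note that the unauthenticated Graph lookup shown on the slide reflects the API as it behaved at the time of the talk; treat whether it still returns anything without a token as something to verify, not assume.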
Facebook – Decoding photo URLs
Another photo URL:
{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/messages\/read\/?tid=mid.1368112514305\u00253Ad61a480cfa3a140d91","author_fbid":100004396603890,"author_name":"Wendy Manford","thread_name":"Bourne","snippet":"Hey have you seen the new...","message":"Hey have you seen the new Bourne movie?","time":"Just now","image":{"__html":"\u003Cimg src=\"https:\/\/fbcdn-profile-a.akamaihd.net\/hprofile-ak-ash1\/t5\/s43x43\/211578_100004396603890_405447609_q.jpg\" alt=\"Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/>
Quick Facebook URL Demo
Google Maps
• Started in 2004
• Over 1,162,460 sites use Google Maps
• Overtook MapQuest in terms of traffic in 2009
• Google Maps Navigation, included on Android handsets, has guided users 12 billion miles a year
• 200 million users on Google Maps for Mobile
• Cases involving runaway youths, kidnapping, luring, homicide
• Jo Yates homicide - Avon and Somerset Constabulary, Scott Eggins
Google Maps
• Temporary Internet Files
• RAM captures
• pagefile.sys / hiberfil.sys
Google Maps
• Uses a tile system to display maps
• Each tile is 256x256 pixels
• Filename in Temporary Internet Files contains x, y, and z coordinates
• Coordinates are based on a world map
• x, y requires the z value (zoom)
Examples:
• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png
• &x=9054&y=11982&z=15.png
Google Maps
Tiles can be downloaded:
http://mt.google.com/vt/&x=XXX&y=XXX&z=XXX
Google Maps
Tile coordinates can be converted to Longitude, Latitude:
function tile2long(x, z) {
  // tile column x at zoom z -> longitude of the tile's west edge
  return (x / Math.pow(2, z) * 360 - 180);
}
function tile2lat(y, z) {
  // tile row y at zoom z -> latitude of the tile's north edge (inverse Web Mercator)
  var n = Math.PI - 2 * Math.PI * y / Math.pow(2, z);
  return (180 / Math.PI * Math.atan(0.5 * (Math.exp(n) - Math.exp(-n))));
}
Google Maps
http://www.darrinward.com/lat-long/
New Google Maps
• Newer version of Google Maps launched in March 2014
• Tile filenames and URLs are different now (thanks Google!)
• It’s not pretty:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m
8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!2
0m1!1b1[1].png
New Google Maps
• The new URLs:
https://www.google.com/maps/@43.7242262,-79.4051719,12z
https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036
New Google Maps
• The new tiles:
• Sample filename:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!
2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m
1!1b1[1].png
• Another sample, slightly different:
• pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105
!12m1!1e47!4e0[1].png
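To tie the tile conversion and the new-style URLs together, the following is an added example (not the presenter's code) in Python. It goes a little beyond the slide's two functions: it parses x/y/z out of an old-style tile filename, reports the whole bounding box of the tile rather than one corner (a tile is an area, so the north-west corner alone overstates the precision), and parses the @lat,lon,zoomz viewport from the new URLs. The !1d&lt;lon&gt;!2d&lt;lat&gt; waypoint reading of the directions URL is an assumption for this example, checked only against the sample URL's locations. The pb= tile filenames are not decoded here because the slides give no key for them.

```python
import math
import re


def tile2lon(x, z):
    """Longitude of the west edge of tile column x at zoom z (same formula as the slide)."""
    return x / 2 ** z * 360.0 - 180.0


def tile2lat(y, z):
    """Latitude of the north edge of tile row y at zoom z (inverse Web Mercator)."""
    n = math.pi - 2.0 * math.pi * y / 2 ** z
    return math.degrees(math.atan(math.sinh(n)))


def tile_bounds(x, y, z):
    """A tile covers a box; its far corners come from the neighbouring column/row."""
    north, south = tile2lat(y, z), tile2lat(y + 1, z)
    west, east = tile2lon(x, z), tile2lon(x + 1, z)
    return {"north": north, "south": south, "west": west, "east": east,
            "center": ((north + south) / 2, (west + east) / 2)}


# Old-style tile cache filenames carry x=, y=, z= query parameters.
TILE_XYZ_RE = re.compile(r"x=(\d+)&y=(\d+)&z=(\d+)")


def parse_tile_filename(name):
    m = TILE_XYZ_RE.search(name)
    if not m:
        return None
    x, y, z = (int(v) for v in m.groups())
    return {"x": x, "y": y, "z": z, **tile_bounds(x, y, z)}


# New-style URLs: .../@<lat>,<lon>,<zoom>z. Directions URLs also carry
# !1d<lon>!2d<lat> per waypoint in the data= blob (assumed field meaning).
VIEWPORT_RE = re.compile(r"@(-?\d+\.\d+),(-?\d+\.\d+),(\d+(?:\.\d+)?)z")
WAYPOINT_RE = re.compile(r"!1d(-?\d+\.\d+)!2d(-?\d+\.\d+)")


def parse_new_maps_url(url):
    m = VIEWPORT_RE.search(url)
    if not m:
        return None
    lat, lon, zoom = float(m.group(1)), float(m.group(2)), float(m.group(3))
    waypoints = [(float(la), float(lo)) for lo, la in WAYPOINT_RE.findall(url)]
    return {"lat": lat, "lon": lon, "zoom": zoom, "waypoints": waypoints}


if __name__ == "__main__":
    print(parse_tile_filename("&x=9054&y=11982&z=15.png"))
    print(parse_new_maps_url("https://www.google.com/maps/@43.7242262,-79.4051719,12z"))
```

The second sample filename from the slide (x=9054, y=11982, z=15) resolves to a box around 43.47 N, 80.53 W, which is consistent with the Cambridge, Ontario URLs further down.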
Quick Google Maps Demo
Mobile Artifacts
Facebook
• Focusing on chat and geolocation data stored
• On Android, files are located in the following folder on the ‘data’ partition: com.facebook.katana
• File we’re interested in is named “threads_db2”
• SQLite database
Main folder
The ‘databases’ folder
threads_db2 – main.messages
Kik Messenger
• Again, focusing on chat but there is potentially a lot of great data here
• Files are located in the following folder on the ‘data’ partition: kik.android
• File we’re interested in is named “kikDatabase.db”
• SQLite database (surprise!)
Main folder
The ‘databases’ folder
kikDatabase.db – main.messagesTable
Snapchat
• Photo messaging app
• More than 100 million users along with more than 350 million snaps sent per day
• Users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients
• Sent photographs and videos are known as "Snaps"
• Users set a time limit for how long recipients can view their Snaps (1 – 10 seconds)
• After time expires, the Snap is deleted
• Some data can still be recovered!
Snapchat data folder
Google Chrome OS
(Chromium OS)
Google Chrome OS
• Launched on June 15th, 2011
• Linux kernel-based operating system designed by Google
• Works primarily with web applications
• Aimed at users who spend most of their computer time on the web
• Almost a pure web thin client OS, cloud based, cloud reliant
• Chromium is the open source project, Chrome OS is the commercial version only on specific hardware from Google’s partners
Google Chrome OS
• Encryption / Security
• User data is encrypted on a separate partition
• Web apps are sandboxed
• Verified boot – system files are hashed and protected
• No root/shell access unless in “Developer Mode”
Google Chrome OS
• So what can we do?
• Need user login/password
• Screenshots of web history
• Copy out files (non-traditional, not “forensically sound”)
• Developer Mode
Google Chrome OS
• Getting shell access
• Open browser, press Ctrl+Alt+T
• Type “shell” and press ENTER
• We don’t have shell access outside of Developer Mode
Google Chrome OS
• Getting into Developer Mode
• Need to find method specific to your Chromebook: http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices
• For my HP Chromebook, “hold down the Esc and Refresh key and poke the power button”
Now, press “Ctrl-D”
This will take a few minutes – then we’ll start fresh
Google Chrome OS
• Now we have shell access
Familiar looking files?
Some signs of encryption
USB mount point
Copying out the user home directory
Creating an image – List the partitions
dd if=/dev/mmcblk0p1 of=/media/removable/USB\ Drive/chromebook.dd bs=4096 conv=notrunc,noerror,sync
Timeline Demo