android– forensics and security testing
DESCRIPTION
Speaker:Santhosh Kumar Event:Defcon Kerala Date:8/03/2014 Android-Forensic and Security Analysis. Android one of the leading Mobile Operating System which is managed by Google released back in 2008 now stands with a 4.4.x version Android KitKat.The Study Shows that increasing Crime Rates are switching from Computer Centered to PDA Based.Crime against Women,Children And Abuse.As the Digital Forensics and Law Enforcement Agencies find new Hard Challenges Cracking Down different Situation in the Android Environment.Google Play Store which has over 1 Million Application Active has also added to the Pain. The Talk Focus on various Methods,the Various Situation where the forensics is useful. The Methods are classified as Logical and physical which involves from breaking the passcodes to exploring virtual NAND memory. The talk also focus on various places where is information is available to the forensic point of view. Affected by Mobile Cyber Attack? Tortured by a Android Smartphone ? Relax there is a solution to each and everything. The Talk also focus on using both Windows And linux as the Forensic Investigation Environment. Android Which has the linux kernel at Heart can be best paradise when it comes to Forensic Data. Various Tools on way this can be done in faster way. Forensic always useful whether you are from a corporate environment or even from the massive Law enforcement Agencies.TRANSCRIPT
ANDROID – FORENSICS AND SECURITY ANALYSIS
Santhosh Kumar
r00t@b0x : whoami?
Security Researcher for a quite sometime (certs:CEH)
POC at Defcon Chennai. Currently Working on ARM based Exploitation.
Reported some Web apps at Microsoft , yahoo,intel,ibm,cisco etc.
Currently doing Bachelors in Computer Science.
Agenda:
Introduction to android and its History. Study the Android File systems and
Directories. Bypass Passcodes (All types of locks). Physical and Logical data extraction
techniquies. Reverse engineer Android application. Indian cyber Laws.
Why forensics ? WTH is this?
Evidence for legal proceedings. Financial Crime. Pornography/Child Pornography (pedophiles). Sexual harrasment! (against women) Terrorism activity or national threat. Cyber threats. Counter intelligence. Murder or other crimes. Eg:Georgia wieldman attacked @confidence
conference Poland.
Introduction to Android.History ??
Introduction to Android!History?
Widely Used Smartphone OS with over 77% share in 2013. The man behind Android was “andy rubin” orginally which now
developed by google(2007) Android now has over 900 million devices as per the IO event
in 2013. Android Open Source Project (AOSP) which was primarily
based on the LINUX which is now responsible for the Development and Maintanence Commits and Releases.
AOSP Follows the GPL v2 license and the Apache V2.0 license.The GPL v2 makes it mandatory to keep the source code as open source.Apache 2.0 is used for commericial entities
Android Features.
Android has key features which are useful as the forensic point of view.
Features like GSM,CDMA,LTE,WiMax,Wifi,Bluttooth etc.
Google Play Store/Android Market is Rich source for forensic Analysis.
Data Storage. Flash(or nand) memory . Internal Memory. External Memory.
Android Overview:
Global System for Mobile Communications – GSMSubscriber Identity Module or Unique Subscriber Identity Module (SIM OR USIM) to identify the user for the celullar network. Eg:AT&,T-Mobile (US) India-BSNL,AIRTEL
Code Division Multiple Access – CDMAEg:Sprit,version – US INDIA- Tata Docomo,MTS INDIA
Intergrated Digital Enhanced Network – IDENwhich is yet to be avaible in india | US- Sprit.
WorldWide internop for microwave access – WiMaxUS-Sprit INDIA- BSNL,Reliance.
Long Term Evolution – LTS (4 G)US-AT&T,Sprit,T-MOBILE,Verizon INDIA- Airtel,Aircel(TD-LTE)
Android Overview:APPS
Android Overview:Apps
The Total Android Apps Crossed Over 1 Million in NOV 2013 with another 70000 Apps Published in JAN 2014.
The other competitor,Apple which has the Strict App Uploading and Review Process which can go through long amount of time,on Fullfilling many criteria and condtions.Sometimes the apps are denied over after long review. iOS doesn’t allow the apps which are away from the App Market.
Google,Which requires less process for submitting the app (such as the secure key) While google has the power to Remove the app from the market,Ban Hammer the Developer and Remotely uninstall the app.
AOSP importance
As Said Earlier AOSP maintains the development and releases new versions and fixes.
Compiling the AOSP is the best way to understand the working of the Android.
http://source.android.com/source/initializing.html
Not necessary for the Forensics analysts but useful for the Deep Experimentation.
We don’t be Doing that now
Linux,Open source Software in Forensics
Open source forensic tools have always been more effective in the digital forensic discipline.Open source tools always has upper hand than closed source tools The Power to View the source code and understand the working of it.The ability to share software and improve it by working together with the forensic community.Free or Low Cost.
Linux is not only a critical component in Android but can be effectively used in forensic analysis.
LINUX commands:
Android Forensics involves
some of the Linux knowledgefollowing commands are useful
man help cd mkdir mount rmdir/rm –rf nano ls tree
cat dd find chown chmod
sudo
apt-get grep | and >
Many more …………..
Environment Setup
Ubuntu 32/64 bit ( I recommend 64 bit) with Android SDK
Ubuntu 12.04 (precise) 64 bit running on vmware/virtual box
http://www.vmware.com or http://www.virtualbox.org Have atleast 20 Gb free Space and 2 GB ram . Have Windows for Some commercial tools (explained
later) I recommend Santoku Linux which is a entire hacking
distro dedicated to Mobile forensics and Security. http://www.santoku-linux.com which is indeed made by
http://www.viaforensics.com a Mobile Pentesting company.
Workstation Setup:Caution
Disable Automount (file systems) Command:gconf-editor It is because auto mounting of file system can screw
our setup and alter the evidence . Go to apps : nautilus>preferences > remove “media
_automount” and “media_automount_open”
Android Architecture
HARDWARE DEVICES
Smartphones Tablets Google Tv Car Audio Systems Google Glasses Smart Watch GPS Fridge and Washing Machine
(DAFAQ) Mirrors (you Saw it right :P)
cybertecturemirror.com
Cameras Gamming consoles DECT phones
(a Android Landline) Smart TV’s
a 800+ android devices
ROM Booting process
Stock Rom varies from manufacturer to manufacturer
Acutally Phone booting process.
Short Seven ROM booting process
Power on and boot ROM code execution
The boot loader The Linux kernel The init process Zygote and Dalvik The system server Boot completed
ROM booting process
http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html
Android Application Security Model
Android at the installation of the App(.apk) check for the developers unique signature. (Not CA).
Next it gives out the display of the android app file permission.The source is located in the androidmanifest.xml
This file is the potential when it comes to forensic analysis and determine the permission(malicious app).
Application process
Quick review of the android app execution. Even though Android apps are made in java but they are not
executed in java format. Each app gets a unique linux ID(uid) and Groud ID(gid). Gets own dedicated process and dedicated dalvik VM. The App Data gets stored in Data /data/data/<app
process>accessible only by UID and GID.(root exceptional). Apps can share the data with other apps using content
providers.
Some files which is useful
Cache.img :disk image of the /cache partion. Sdcard.img:disk img of the cache partion(img here is from AVD
emulator) Userdata-emu.img: disk image of the data partion.
…. Useful in the areas of forensics
USB connection of the evidence device
Different Devices have different options. The common four are
Charge onlyfile transfer
SyncInternet tethering.
Check the connection to the hostby typing “dmesg”.
Make sure you take care not to alter the evidence much…..
Checking USB connection
Precautions : (must needed)
Make sure to Disable auto mount feature in ubuntu to prevent automatic detection and mounting of USB storage.
Every fragile change could lead to alteration of evidence. Hardware write blocker useful to some extent.
SD card info
Most of the SDCARD details are stored in /data/ App details in /data/data(it differs :P)
Android Debug bridge
Android Debug Bridge
Most important component when it comes to android forensics. Consider it as a swiss army knife for forensics and security
analystis. Enable usb debugging developer options > usb debugging. This will run adbd (daemon) on the devices. Adbd runs on the user account(UID) unless promted with the
root privileges. If your device is locked then it is difficult to unlock usb
debugging.(not 100% impossible)
ADB components
Adbd on the devices. Adbd on the workstation. Adb on the workstation. Adb is free,primary tool for forensics and ofcourse opensource
Adb shell example
Adb shell gives out lot of information(depends on root or not). The Data folder is useful when you are rooted.
Data from adb
Sms History (Deleted). Contacts(com.phone.android) Call history
received,deleted,missed etc. Databook Events. Calender.
File Systems
Lot of file systems in the android operating system. More than a dozen is in use. The main three are
EXTFAT32YAFFs2 Source for the user data
Data to expect in /data/data
Apps that are shipped with stock rom : browsers. Apps that are manufacturer specific : eg : HTC
sense,touchwiz,motoblur Wireless carrier apps (not common in india) : carrier IQ Apps installed by google default : play store,play music , maps Apps installed by user (both marketplace and unknown source
installation)
Data Storage methods
The main methods where sensitive data stored.
Shared preferences Internal storage External storage Sqlite3 Network
Shared preferences
It is where all the data which is shared between the apps are stored.
Key values are stored in XML files
Internal Storage
Common in most of the systems :ext3,ext4,yaffs2 Unrooted user cannot access /data/data as it is
encrypted.root is needed for viewing the contents
Internal storage
U0_a0 is the owner means it is that user who installed the app “truecaller”.
These apps and their directories are damn useful when it comes to finding evidence.
External Storage
It has less restrictions when compared to the internal storage. FAT 32 is commonly found file system on the sdcard. As suggested earlier most apps data is stored here it is better
to look here.
SQLITE3-Native app database.
Lightweight RDBMS which has the c programming library. Entire DB stored in single file. Most of the App developers store the database in internal
memory eg /data/data/<app name>/database.
SQLITE3-some useful commands
Sqlite3 <dbfilename> .tables .headers on|off .mode Select * from <table> .dump?table? .quit
Loads the db Shows the tables Turns headers on/off Output mode file type Displays the table attirubutes
Dump the table Exit the shell prompt
Sqlite3 datbase example
Little catch : sqlite3 is not installed in real phones by default. For test conditions I have used avd emulator from android. Those databases have lot of tables which can be real handy. Some native roots have sqlite3 symlinked by default.
Network & linux kernel
Network storage in java and android classes Not locally but on the on network and relative datbases. The least place we look at the heart:linux kernel | kernel logs. To access the kernel logs we have “dmesg” command on the adb shell
Source:andrew hoog
Logcat
Displays almost eveything that’s been going around your device in the adb shell http://developer.android.com/tools/help/logcat.html
Has different parameters.
Device Handling & forensic rule
The main motto:Avoid modification to evidence at all costs. Simple mounting of device could lead to altering of evidences. Increase the sleep timeout which could lead to locking of the
device. Logcat everything what is going on. Make sure minimal modification to the evidence. Enable do not sleep while charging. Put the device on the flightmode or remove the sim card(I don’t
recommend this). Never switch off the device if it is on unlocked or on locked. Work where no network connnectivity (REMOTE WIPE & SMS
malwares to rip evidences?)
Phone switched off? What to do?
Try to boot into the recovery~ most of the devices power+vol up +down or power + vol down and then up .
If you cant come up search xda-developers.com Connect to adb,check for the root permission Usb debugg enabled you are lucky or else you have find a way
to remote activate usb debugg
Enable usb debugging when locked ?? Possible
Enable usb debugging when locked ?? PossibleBST(best smart tools)
Crack the codes
Unlucky still? Here comes the passcodes breaking!
Very useful when it comes to forensic! Nothing beats this .
Various techniques for breaking android passcodes.
Few will be discussed here. There is no direct rule for breaking
passcodes.
Types of passwords ?
Types of passwords ?
Cracking techniques
Smudge attack. Pattern lock vulnerability. Psneuter with adb,usb debugg(if enabled). Cracking the password key. Face unlock pwn with a picture.
Continues to evolve …………
Smudge attack
Screen(digitalizer) is reflective surface,smudge(pattern) which diffuse in the glass.
Being dust particle,when exposed to light reflect them.
camera setup to capture the overexposed image around 6-8 times will give a 80% correct image.
It gives out the display pattern. Not always working,like playing temple run could
remove the smudge totally.
Smudge attack
Pattern Lock crack
Pattern creates a file in /data/system/gesture.key
Hash is stored there.if custom recovery is installed like TWRP recovery,CWM recovery etc.
Remove the key using the rm command and recreate it using your own hash.
Pattern Lock crack
Key can also be decrypted ! Some sites do give services for free.
Cracking pins
When password/pins are used they are stored in /data/system/passwords.key
As you can see it is not in plaintext but as Random+sha1+md5. Not easy depends on the nature of password. Pull the salt
from/data/data/com.android.providers.settings/databases/settings.db and get the password from above.
Put them in the folder and try to attack them in password recovery tools such as hashcat/john the ripper by bruteforcing them
Pwn face & voice unlock
Not secure at all when google introduced it in android 4.0.
Reported to unlock with the photo of the person.
After kitkat android update the face unlock when to a change where the person have to unlock by blinking the eye which shows the alive ness of the captured image.
Again easily broken by duck faces,smiling images from facebook :P
“In June 2013, details emerged of a Google patent, pictured, that would let users unlock their phones by pulling silly faces, such as frowning, poking out their tongue or wriggling their nose. The expression would then be scanned and
compared to a previously captured photo to confirm the user's identity”-dailymail(uk).Voice can easily spoofed by old schooltricks
Android Encryption
Encrypts the entire device with AES encryption. Denoted to reduce in performance. Takes at Least a Hour for Encryption of Data.
Get fRoSted
Frost Security Team was able to break the encryption by cooling the device to -15 c in 60 minutes.
Switch off and Flash the Frost Recovery. Not the entire AES keys are decrypted.Some bits were
decayed.
g0t r00t?
g0t root?
90% of forensics trick depends on the root? Not enabled even in a single device.(unless suspect
rooted on his own). Not possible on all devices without altering the
evidence. Gaining root will leave a lot of traces. Many data’s they get altered. Takes lot of time searching for the correct exploit
sometimes lead to hard brick/soft brick. Root could make the device more vulnerable for
future exploits.
Types of r00t?
Temp root: gives you root access till you reboot the device.
Recovery root: custom recovery such as clockworkmod(CWW),twrp etc will give root access in the recovery.
Permanent root:install su to the system leaving a huge footprint.most custom roms have perm root by default eg:cyanogenmod,omni,panodroid etc.
Temporary root
Temp root is something essential when it come to forensic.(z4root.apk)
Doesn’t work on all devices,test it first before using.
Psneturer a temp root solution.
Neturer is a android server.this app exploits that server giving us a temprarory solution.
adb devices adb push psneuter /data/local/tmp adb shell cd /data/local/tmp chmod 777 psneuter ./psneuter
Permanent root
not good as far as forensic is concerned. Leaves a huge footprint altering the evidence. Search xda for
more roots.
R00t with binary
Gives root to almost all the 4.0 to 4.1 devices.
Kingo android root
This one gives root over all 4.2.x,4.3.x,4.4.x
Android forensic techniques
Logical and physical acquisition. Open source tools and some commerical
tools.qtADBAndrillercellebriteparabenviaextract ….
Logical vs physical Acquisition
Logical physcial
Access to file systems Data which is already
available to user
Eg:ADB pull,aflogical
Exploring the memory,not the file system.
More data than logical,by breaking passwords etc
Hardware and software
Logical Sdcard anquisition
Apps Data gets stored in /data which is encrypted and root access.
SD cards where the user stuffs stays.(audio,video,maps).
Uses cross platform FAT FS. Most backup stored in Sdcard. .apk’s in sdcard might be encrypted.
Useful done when 3rd party apps are analysis.
ADB pull -logical
qtADB
AFlogical
Data Extraction tools. Free for law enforcement agencies. Records call logs,contact etc.
DEMO
UFED touch ultimate
UFED Touch Ultimate, enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.Cost:10000$
UFED what’sapp analysis
Device Seizure
Device Seizure:Report
Andriller
A alternative and a powerful open source tool.
http://android.saz.lt/ Made by Denis Sazonov @den4uk Give it a try you wont regret it
DEMO…………………..
Photos
Try looking here for more evidence.
Reversing Apk’s
Rename Android app (.apk) to .zip. Extract zip Run dex2jar on the extracted file. Open the .jar in a java decompiler. APKTOOL Androguard Apkinspector
Android/Torec.A
First every Android based Tor malware which was found in the wild.
REVERSING DEMO
Future of Android forensics
The future research work will be on the Seandroid.
Contributed by National Security Agency (NSA) *cough*
Motto to have secure android.
Then there is ?
Ill just leave this here :P
Wait ! Wait ? Wait ?
SeAndroid was already defeated.The CVE 2013-6282 Pau Olivia Had a POC based a toshiba tablet running 4.3 JB.
INDIAN cyberlaws
Device as target or weapon IT act 2000 IT amendment ACT (2008) Rules under 66A,43A,79 SECTION 65A
http://www.cyberforensics.in/http://deity.gov.in/content/cyber-laws
ANY QUESTIONS?
Recommended starters
Andrew Hoog Steve robinson
Feedback welcomed :D
Twitter: https://twitter.com/security_b0x
References:
viaforensics.com Forensicfocus.com cellebrite.com android.saz.lt exploit-db.com www.forensicswiki.org/wiki/Cell_Phone_
Forensics Xda-developers.com