DFRWS2011 Forensic Challenge (old.dfrws.org/2011/challenge/dfrws2011_forensic... · 2011. 9. 1.)
DFRWS2011 Forensic Challenge
Forensic Analysis of Android Systems
Tim Vidas, Matthew Geiger, Eoghan Casey
Scenario 1: Suspicious Death
● Donald Norby was found dead in his home
● Unclear whether this is a suicide or homicide
● Possible involvement with organized crime
Scenario goals:
● Forensic exam of victim’s Android device
● Answer investigators’ questions: did Norby kill himself or was he murdered?
Scenario 2: Intellectual Property Theft
● Data breach at SwiftLogic Inc
● Yob Taog is suspected of the leak
Scenario goals:
● Forensic exam of suspect’s Android device
● Answer investigators’ questions: did Taog steal the information?
Scenario Twist!
● The murder victim is the data thief
● Norby installed malware on Taog’s Android
● The malware exfiltrated files for Norby
● Norby was selling stolen data to a criminal group
● Norby attempted to get more $$ for the files
● Norby was shot by a member of the criminal group
● Taog was innocent and unaware of these activities
Background on Android
● Rooting versus recovery partition
● Acquisition using nanddump versus dd: dd does not obtain the spare (OOB) area
State of the science in 2011
● Limited solutions for Android NAND analysis: string extraction and carving
● Commercial tools in development (beta): parse YAFFS2 and process some databases
● Applied to a NAND dump with spare area
● Unable to parse a dd image of the partition
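The reason a dd image of the partition is so much harder to parse than a nanddump: YAFFS2 keeps its per-chunk tags (sequence number, object id, chunk id, byte count) in the spare area that dd never reads. The following is an added example, not code from the challenge or from any submission; it assumes a constructed geometry (2048-byte pages, 64-byte spare, tags at spare offset 0, the four-field little-endian tags_only layout) and goes one step beyond the slide by resolving rewritten chunks to their newest copy by sequence number.

```python
import struct

# Assumed geometry, constructed for this example; real devices differ in page size,
# spare size and where the MTD layer places the YAFFS2 tags inside the spare.
PAGE = 2048       # data bytes per NAND page
OOB = 64          # spare / out-of-band bytes per page
TAGS_OFF = 0      # offset of the packed tags inside the spare (device-specific)
TAGS_FMT = "<IIII"  # yaffs_packed_tags2_tags_only: seq_number, obj_id, chunk_id, n_bytes

def split_nanddump(image):
    """Yield (data, spare) pairs from a nanddump-style image (each page followed by its OOB)."""
    step = PAGE + OOB
    for off in range(0, len(image) - step + 1, step):
        yield image[off:off + PAGE], image[off + PAGE:off + step]

def parse_tags(spare):
    """Unpack the YAFFS2 tags from one spare area; an erased page reads as all 0xFF."""
    seq, obj_id, chunk_id, n_bytes = struct.unpack_from(TAGS_FMT, spare, TAGS_OFF)
    return {"seq": seq, "obj_id": obj_id, "chunk_id": chunk_id, "n_bytes": n_bytes}

def chunk_map(image):
    """Map obj_id -> [(chunk_id, seq, n_bytes)] using only the spare area of each page."""
    objs = {}
    for _data, spare in split_nanddump(image):
        t = parse_tags(spare)
        if t["obj_id"] == 0xFFFFFFFF:      # erased page, nothing written yet
            continue
        objs.setdefault(t["obj_id"], []).append((t["chunk_id"], t["seq"], t["n_bytes"]))
    return objs

def latest_chunks(objs, obj_id):
    """Keep the highest-sequence copy of every chunk_id (YAFFS2 treats it as current)."""
    best = {}
    for chunk_id, seq, n in objs.get(obj_id, []):
        if chunk_id not in best or seq > best[chunk_id][0]:
            best[chunk_id] = (seq, n)
    return best

def strip_spare(image):
    """Simulate a root + dd acquisition: page data only, every spare area dropped."""
    return b"".join(data for data, _spare in split_nanddump(image))

def dd_view(dd_image):
    """All a dd image offers: raw pages with no object / chunk / sequence information."""
    return [dd_image[i:i + PAGE] for i in range(0, len(dd_image), PAGE)]

def make_page(data, seq, obj_id, chunk_id):
    """Constructed page: data padded with 0xFF, tags packed into the spare."""
    spare = bytearray(b"\xff" * OOB)
    struct.pack_into(TAGS_FMT, spare, TAGS_OFF, seq, obj_id, chunk_id, len(data))
    return data.ljust(PAGE, b"\xff") + bytes(spare)

# Constructed sample image: object 0x101 with a header chunk (chunk_id 0), two data chunks,
# the second data chunk rewritten later under a higher sequence number, then an erased page.
SAMPLE = (make_page(b"header", 100, 0x101, 0) + make_page(b"first chunk", 100, 0x101, 1)
          + make_page(b"old second", 100, 0x101, 2) + make_page(b"new second", 101, 0x101, 2)
          + b"\xff" * (PAGE + OOB))
```

Running `latest_chunks(chunk_map(SAMPLE), 0x101)` on the nanddump rebuilds the file from its newest chunks, while `dd_view(strip_spare(SAMPLE))` returns the same pages with no way to tell which object they belong to or which copy is current.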
Challenge Design
Wanted “layers of difficulty”
Case files are collected with two techniques:
● Recovery image – full nanddump, contains OOB/spare information
● Root + dd style – a scenario that might occur in a typical investigation
● Both had ad-hoc acquisition logs
Case files consist of typical phone information (call log data, text messages, etc.)
● Custom malicious applications, various app obfuscation
● Used an intermediate data storage server
● SD card images (note: wiped with “DFRWS2011”, so any zeros are a result of the formatting process or typical operation)
[Slide image: SwiftLogic, Inc engineering sheet – Date: March 1, 2011; Name: Jun Sigh; Subject: Project 2201; Sheet 7 of 37]
[Slide image: SwiftLogic, Inc engineering sheet marked DRAFT – Date: April 21, 2011; Name: Yob Taog; Subject: Project 2228, internal; Sheet 11 of 37]
Case 2 in Cellebrite Physical (beta)
File system examination
Challenge Submissions
All will be available online (and associated tools)
2 team submissions:
● Fox-IT in the Netherlands
● Korea University Digital Forensic Research Center
2 individual submissions:
● Apurva Rustagi
● P. V. Burenin
But we know there were more participants, and we know people were working on it from immediately after release to right before the deadline...
Challenge Participants
Not all participants submitted solutions
GeoIP-located IP addresses (three different tools) from server logs on the intermediate server; where the tools disagreed, every result is listed:
● Chemnitz, Germany
● Illinois, USA
● Seoul, Korea
● Seoul, Korea
● Seoul, Korea
● Beijing, China
● Berlin, Germany
● Madrid, Spain
● Paris, France / Marina Del Rey, CA
● Mumbai, India
● Dallas, USA
● Russia
● Texas
● Seoul, Korea
● Amsterdam / Delft, Netherlands
The intermediate server:
Fox-IT
Ivo Pooters, Steffen Moorrees & Pascal Arends
● Developed Python utilities
● Presented visual reconstruction of evidence
● Great overall synthesis of evidence and application to the scenario
Call logs
Kriptix Headquarters?!?!
Fox-IT Visual Reconstruction
Korea University
Jewan Bang, Jungheum Park, Hyunji Chung, Dohyun Kim, Sangjin Lee
● Developed Visual Studio projects to parse YAFFS2 data
● Very comprehensive report
Korea University YAFFS2 Parser
Installed Apps
Malicious Apps
“Donor Device”
Geo-locate (examples: Facebook “check in”, gmaps search)
P. V. Burenin Submission
[Slide image: the same SwiftLogic, Inc engineering sheet marked DRAFT – Date: April 21, 2011; Name: Yob Taog; Subject: Project 2228, internal; Sheet 11 of 37]
And the Winner is...
Fox-IT !!
Ivo Pooters, Steffen Moorrees & Pascal Arends
THANKS!
Thanks to all those who participated (especially those that submitted ;-)