SS 2015, A. Dhein
Seite 1
1 / 67  2015 © A. Dhein
Security for Mobile Applications (Prof. R. Grimm)
SM12: Opportunities and Limits of Modern Smartphone Forensics
A. Dhein, Institute for Information Systems Research (M. Becker), University Campus Koblenz; K15, IuC Forensics, technical investigation assistant, Criminal Police Department Koblenz
Before we start
• Andreas Dhein
  • 37 years old
  • married, 2 kids
  • lives/works in Koblenz
• Diplom-Informatiker (former degree, equivalent to MSc)
• Employee at the Criminal Police Department of Koblenz
  • Member of the European FREETOOL project (SQLiteProcessor)
  • Mac OS X / iPhone forensics (Zdziarski, Hoog etc.)
  • Geolocation-based services (iPhoneTrackerLE, AndroidTrackerLE)
• PhD (work in progress) at the University of Koblenz-Landau
Before we start
• How does Mobile Forensics fit into the field of Security for Mobile Applications?
  • You need to bypass security restrictions
  • Potentially everything you heard until now might help ☺
  • BUT: 4n6 (forensics) resides in the field of white hat hacking
Content
1. Introduction
  • Ubiquitous Mobile Computing
  • Opportunities due to Mobile Forensics
  • Limitations due to Diversity
    • different systems
    • different hardware
    • different interfaces
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
Disclaimer: The icons and logos used belong to their original owners. Thanks to Peter Warnke (Cellebrite Germany) for providing lots of them.
Introduction: Mobile Phones Evolution (timeline 1990 - 2000 - 2010)
• Phones
  • Cellular Phones
    • Code Division Multiple Access (CDMA)
    • Global Systems Mobile (GSM)
    • Integrated Digital Enhanced Network (iDEN)
  • Portable Digital/Data Assistants (PDA)
    • Palm Pilots (Palm OS)
    • Pocket PCs
• Smartphones
  • Apple iPhone
  • Android Phones
  • Blackberry RIM
  • Windows Mobile
Introduction: Motivation - Ubiquitous Mobile Smartphones
• Left chart: Smartphone market (still) growing
  • No more than 4% traditional "dumb" phones sold in 2013
• Right chart: On the way into the "Post-PC era"
  • Smartphones/tablets overtook desktop/notebook PCs in 2011
Introduction: Opportunities due to Mobile Forensics
In theory.......
Introduction: Motivation - Own the smartphone, know everything...
• Smartphones are Personal Assistants
  • Contacts
  • E-Mails
  • SMS
  • Calendar events
  • Dictionaries, Notes
  • Audio, Photos, Videos, Documents
  • Last visited websites, Bookmarks
  • Much more .....
• Smartphones are Status Symbols
  • "Criminals seem to need expensive gadgets"
Introduction: Motivation - Own the smartphone, know everything...
• Smartphones are Personal Communicators
  • E-Mails
  • SMS
  • Skype
  • Facetime
  • And even more...
  • Also deleted conversations...
• Smartphones are Personal Trackers
  • Assisted-GPS-based geolocation data "everywhere"
• There is much more
Introduction: Limitations/Problems in Mobile Forensics
The reality looks slightly different ☺
Introduction: Lots of different vendors / suppliers
Introduction: Lots of different platforms
Introduction: Lots of different operating systems
Introduction: Even one vendor has lots of different systems/versions
• iPhone
• iPad
• iPad mini
http://en.wikipedia.org/wiki/List_of_iOS_devices
Introduction: Bit worse - even more differences on Android (devices)
• Different hardware vendors
  • with different memory chips
  • with different interfaces
  • with different cables
• Different software versions
  • Every vendor brews its own Android derivate
  • Many different software versions
    • Android 2.x (Froyo, Gingerbread) still in use since May 2010
    • Major differences in Android 4.x since Oct. 2011 (Sandwich, JellyBean, KitKat)
http://developer.android.com/about/dashboards/index.html
Introduction: Standardization?
• And you are not yet at connection level ☺
• Nearly every device has a different interface, if at all
Figure: connector examples for dumbphones and smartphones - Mini-USB, Micro-USB, Samsung dock, iPhone/iPod/iPad dock
Content
1. Introduction
2. Seizing mobile devices
  • Preview content?!
  • Remote wiping
  • Preserving access
  • Passcode vs. PIN code
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
Seizure: General concerns (in the field)
• Preview before seizing???
  • Possibility of incriminating evidence and direct accusation
  • Selection reduces evidence, speeds up general processing
  • Starting apps alters data on the device
• Documentation
  • Location
  • Device state
  • Physical issues
    • damages, broken displays, missing parts, etc.
• Seizure of chargers and accessories
• Protection and preservation of evidence
Seizure: Remote Wiping (free feature in iOS)
• Available through the Apple iCloud system service
  • Wipe complete phone in less than a second
  • Irretrievable!!! Disconnect device from the internet!!!
Detailed information and more screenshots: http://www.businessinsider.com/find-my-iphone-2011-10?op=1
Seizure: Remote Wiping (Android 2.3+, Windows Mobile)
• Android
  • Available through Android Device Manager
  • Turned off by default; has to be activated before losing the device ☺
  • Limited wiping features on SD cards
    • Only 1st card; has to be mounted; only fast (not secure) erase
• Windows Mobile
  • Available through OWA (Outlook Web Access)
Seizure: Prevent Internet Connection (Shielding/Isolation)
• Network service provider cooperation
  • NSPs could disable the device from the network
• Jamming
  • Create a temporary "dead zone" for all cell phones
  • Violation of the Telecommunication Act
• Shield bag
  • Good news: aluminum foil will do the job ☺
  • Problems
    • Battery drain due to increase of signal strength
    • Plugging the charger into the power grid acts like an antenna
  • Solution
    • Forensic shielded bags with battery packs available
Seizure: Prevent Internet Connection (without tools)
• Turning off the device????
  • Activates handset lock and/or PIN lock for the SIM
  • Potentially making the device inaccessible
• So, what to do?
  • Never power off the device!!! Keep it charged!!!
  • Disconnect from any wireless network!!!
    1. Activate airplane mode
    2. Deactivate device lock
    3. Ask for SIM code
Seizure: Bypass SIM lock by asking the NSP
• Legal base
  • §§ 161 (1), 163 (1) Code of Criminal Procedure (StPO)
  • § 113 (1) S. 2 Telecommunication Act (TKG) (only inventory data)
  • § 100j Code of Criminal Procedure (StPO)
• Information helpful to identify the owner
  • IMEI (International Mobile Equipment Identifier)
    • Stored/printed on the phone
    • Dial *#06# on the phone to get the IMEI number
  • IMSI (International Mobile Subscriber Identity)
    • Stored on the SIM card
  • ICCID (Integrated Circuit Card Identifier)
    • Stored and printed on the SIM card
    • Structure: 89 MCC IsID xxxxxxxxxx C
• What you get
  • SIM PIN/PUK to unlock the SIM card / phone
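The identifiers above end up on the seizure form and in the request to the network service provider, where a single mistyped digit sends the request nowhere. Both the IMEI and the ICCID carry a Luhn check digit (the trailing C in the ICCID structure on the slide), so a transcription error can be caught before the request goes out. The following Python helper is an added example written for this page, not code from the lecture or from any tool it mentions; the IMEI and ICCID values it tests against are sample numbers constructed here, not identifiers from a real device, and the ICCID parser deliberately splits only the fixed fields because the MCC and issuer portions vary in width.

```python
def luhn_sum(digits):
    """Luhn sum over a digit string: every second digit from the right is doubled
    (and reduced by 9 when the result exceeds 9), then all digits are added up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number):
    """True when the number, including its last digit, passes the Luhn check."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit Luhn-valid (IMEI: 14-digit payload)."""
    return (10 - luhn_sum(payload + "0") % 10) % 10


def parse_imei(imei):
    """IMEI as printed or shown by *#06#: 8-digit TAC, 6-digit serial, 1 Luhn check digit."""
    imei = imei.replace(" ", "").replace("-", "")
    if len(imei) != 15 or not imei.isdigit():
        return {"imei": imei, "valid": False, "reason": "expected 15 digits"}
    return {
        "imei": imei,
        "tac": imei[:8],          # type allocation code: identifies the model
        "serial": imei[8:14],
        "check": int(imei[14]),
        "valid": luhn_valid(imei),
    }


def parse_iccid(iccid):
    """ICCID as printed on the SIM: 89 MCC IsID xxxxxxxxxx C (C = Luhn check digit).
    MCC and issuer identifier are variable-width, so only the fixed parts are split."""
    iccid = iccid.replace(" ", "")
    if not (19 <= len(iccid) <= 20) or not iccid.isdigit():
        return {"iccid": iccid, "valid": False, "reason": "expected 19 or 20 digits"}
    if not iccid.startswith("89"):
        return {"iccid": iccid, "valid": False, "reason": "telecom prefix 89 missing"}
    return {
        "iccid": iccid,
        "industry_prefix": iccid[:2],   # 89 = telecommunications
        "body": iccid[2:-1],            # MCC + issuer id + account id, widths vary
        "check": int(iccid[-1]),
        "valid": luhn_valid(iccid),
    }


if __name__ == "__main__":
    # Constructed sample values, not identifiers taken from a real device.
    print(parse_imei("49-015420-323751-8"))
    print(parse_iccid("89490112345678901233"))
```

A mismatch from these checks does not tell you which digit is wrong, only that the number as written cannot be the one on the device, which is the moment to re-read the label or dial *#06# again rather than file the request.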
Seizure: Difference between Passcode and SIM PIN
• Passcode (locks the device)
  • Numerical (iOS): simple to brute-force
  • Alphanumerical (iOS): brute-force unsuccessful
  • Pattern-based (Android): numerical, no brute-force needed
• SIM code (locks network access*)
  • Numerical
• Problems when brute-forcing
  • Delay until the next unlock increases
  • Device completely locked up after x attempts
* Some phone models stay locked without the correct SIM code
Seizure: Bypass Passcodes with Cellebrite UFED Physical Analyzer
Seizure: Bypass Passcode (in Android)
• Pattern file: /data/system/gesture.key
  • Lock sequence stored as a SHA1 hash
  • Pattern stored as hex values
• Decoding the passcode pattern
  • Generate a SHA1 "look-up table" (LUT) for 895824 numbers
    • from 1234 to 987654321
    • keeping in mind that you can only access neighbor digits
  • But fortunately not needed anyway ☺
Figure: gesture.key contents, a 20-byte SHA1 hash
  0x82 0x79 0x0A 0xD0 0xAD 0xEB 0x07 0xAC 0x2A 0x78 0xAC 0x07 0x03 0x8B 0xC9 0x3A 0x26 0x69 0x1F 0x12
  is compared against the LUT entry for the pattern 7-5-2-3-6-9, which is hashed as the byte sequence 0x06 0x04 0x01 0x02 0x05 0x08 (each grid digit minus one; the grid is laid out 1 2 3 / 4 5 6 / 7 8 9)
http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection/
Seizure: Bypass Passcode (in iOS 3, 4, 5) - Zdziarski*
• Download AutomatedTools.zip from iosresearch.org
• Up to iPhone model 1303 (3GS), iOS < 4.x
  1. $ ./setup.sh
    • Loads firmware, patches, ROM image etc. from the internet
  2. $ ./boot-passcode.sh
    • Put the iPhone into DFU mode** (the script will tell you)
    • Patches the kernel to execute an unsigned bootloader
    • Put the iPhone into Recovery*** or DFU mode (the script will tell you)
    • Boots the prepared unsigned ROM and automatically removes the passcode permanently
• Starting from iOS 4.x, iOS 5.x (multiplatform)
  1. $ ./recover-keys.sh
    • brute-forces the 4-digit passcode if set
    • recovers encryption keys from the device
    • decrypts encrypted passwords from the keychain
  2. $ ./recover-raw.sh
    • ...
• But fortunately not needed either to dump raw/filesystem images ☺
* Access to iosresearch.org is restricted to members of law enforcement agencies
** Device Firmware Upgrade mode (totally black screen): transfer mode, which can be exploited (injectgreen, injectpois0n)
*** Recovery mode (iTunes symbol): transfer mode, higher level, which can be exploited
Content
1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
  • Different types of storage
  • Different types of acquisition
    • Logical backup
    • Physical NAND dump
    • JTAG
    • Chip-off
  • Forensically sound or not?!
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
Figures: Hynix H2JTDG2MBR 128 Gb (16 GB) NAND flash; mini-SIM, micro-SIM, nano-SIM
Acquisition: External - (U)SIM card
• General
  • 16-128 kb EEPROM*
• Content
  • Last Numbers Dialed (LDN), up to 10 numbers, if at all
  • Phonebook/Contacts (ADN)
  • Text messages (SMS)
  • Location information (LOC) from last usage
  • Service-related information
• Acquisition
  • Forensic Card Reader 2
• Hierarchical filesystem
  • Master File (MF)
  • Dedicated Files (DF)
  • Elementary Files (EF)
• Smartphones DO NOT use SIM storage
* Electronic Erasable Programmable Read Only Memory
Acquisition: External - SD memory card
• General
  • 8 MB - 1 GB
  • SDHC* up to 64 GB
• Content
  • Pictures
  • Movies
  • Audio files
  • Documents
  • Encrypted data
• Acquisition
  • Usually FAT16, FAT32 filesystems
  • Forensic hard-disk imaging software
* Secure Digital High Capacity
Acquisition: Internal - Flash memory storage chips
• General
  • Non-volatile (meaning data preservation)
    • 16 GB Single Level Cell (SLC)
    • 32 GB Multiple Level Cell (MLC)
  • Solid-state (meaning no moving parts)
• Mainly two different design types
  • Thin Small Outline Packaging (TSOD): pins on the sides of the chip
  • Ball Grid Array (BGA) or Land Grid Array (LGA): pins below the chip (in an array)
• Content
  • Not limited to any kind of data
  • Not always encrypted
• Acquisition
  • Difficult, due to the fact that no direct access to the flash memory storage components is intended; it's more like a storage system
Figures: (TSOD) and (BGA) packages; (SLC) and (MLC) cells
Acquisition: Different acquisition techniques
• The intention is to access as much data as possible, as quickly as possible, while altering as little data as possible
1. Logical backup (gathering)
  • Using vendor solutions
  • Copying files from the device
2. Filesystem dump
3. Physical dump
  • Physical NAND dump
  • Physical JTAG acquisition
  • Physical chip-off acquisition
Figure: the techniques plotted against two axes, complexity and amount of data
Acquisition: Logical Backup - vendor/software driven
• Apple iTunes
• Samsung Kies
• HTC Sync
• LG PC Suite
• ...
• MyPhoneExplorer (Android)
• Titanium Backup (Android)
• DiskAid, iPhoneExplorer (iOS)
• Of course every mobile forensic suite is able to retrieve a vendor-equivalent logical backup (mostly enhanced)
Figure: smartphone (server) connected to desktop computer (client)
Acquisition: Logical Backup - copying files from the filesystem
• Mounting in Windows/Linux/Mac
  • "ThumbDrive"
  • Camera/scanner device
• Using developer tools (Android)
  • Enable ADB on the phone
  • Connect and copy recursively
• Using AFC (iOS/iTunes)
  • Sync or backup with Apple iTunes
  • Using iPhoneExplorer software
Acquisition: Logical Backup - accessing cloud backups
• We do not need the device anymore ☺
• Possible, but problems due to the legal base
• Every major mobile platform offers the possibility to back up personal information and/or device data online
  • Apple iCloud: https://www.icloud.com
  • Android: various, https://[drive|docs].google.com ...
  • Microsoft Windows Live: no web access (?)
• How to get the data from the cloud?
  • Syncing to a "fresh" device when assigning it with ID/password
  • Downloading data directly?
    • Apple: downloading the complete backup (EPB, iloot.py)
    • Android: Google Drive, Google Docs, mails.... (not directly)
    • Windows Mobile: contacts, notes and SMS messages (EPB)
Acquisition: Logical Backup - accessing iCloud backup
• Elcomsoft Phone Breaker (EPB)
  • Primary aim is password breaking into phones
  • Possibility to download / break into cloud data
Acquisition: Logical Backup - demo output of iloot.py getting sms.db
mbp:iloot-master administrator$ pip install -r requirements.txt
[...]
mbp:iloot-master administrator$ python iloot.py [email protected] password --item-types sms
Working with [email protected] : password
Output directory : output
Available Devices: 1
===[ 0 ]===
  UDID: 4d3e33cbc02578d[...]4f883f9d256
  Device: iPhone 4S
  Size: 1G
  LastUpdate: 2014-04-21 22:58:55
Downloading backup 4d3[...]256 to output/4d3[...]256
Got OTA Keybag
Available Snapshots: 67
Listing snapshot 1...
Shifting offset: 5000
Files in snapshot 4033
Downloading 1 files due to filter
HomeDomain output/4d3[..]256/snapshot_1/HomeDomain/Library/SMS/sms.db
Listing snapshot 66...
Shifting offset: 5000
Files in snapshot 229
Downloading 0 files due to filter
Listing snapshot 67...
Shifting offset: 5000
Files in snapshot 280
Downloading 1 files due to filter
HomeDomain output/4d3[...]256/snapshot_67/HomeDomain/Library/SMS/sms.db
• https://github.com/hackappcom/iloot
Acquisition: Gathering or Dumping
• Logical gathering
  • Pros
    • Fastest acquisition possible
  • Cons
    • Limited access to files
    • No prior file versions
    • No deleted files (although deleted entries in DBs)
    • Trusting the kernel!?
• Physical dumping
  • Pros
    • Advanced access to the filesystem (filesystem backup)
    • Direct access to flash memory storage (nanddump)
    • Physical access to the flash memory chip (JTAG, chip-off)
  • Cons
    • Expert-level forensics > also meaning expensive ☺
    • Disassembling the device (JTAG)
    • Destroying the device (chip-off)
    • "Only one chance" to obtain the data
    • "Digging in the dirt" forensics (reverse engineering wear leveling)
Acquisition: Filesystem Dump
• Use a system service, in a way it was (not) meant to be ☺
• Find an exploit and retrieve more data than normally
  • BUT it's still a "call over the fence", kernel-trusted
Figure: the extraction device talks via AFC/ADB to the operating system of the device; beneath the operating system sit the memory system with flash memory, SD card and RAM
Acquisition: Pseudo Physical Dump
• Use a boot-loader unlock/manipulation, which is still "software"-based
• No disassembling necessary
• Trust your own kernel
Figure: the extraction device talks to the bootloader, which accesses the memory system (flash memory, SD card, RAM) without going through the device's operating system
Acquisition: JTAG Physical Dump
• Connect service points to a RIFF box, which is "hardware"-based
• Most of the time disassembling is necessary
• Direct interaction with the memory system
Figure: the extraction device talks through the RIFF box directly to the memory system (flash memory, SD card, RAM), bypassing the device's operating system
Acquisition: JTAG Physical Dump
Figures: disassemble the phone; connect jig & power cables; connect to the JTAG adapter
Acquisition: JTAG Physical Dump
Figure: connect to target and dump ....
Acquisition: Chip-Off Physical Dump
• Remove the flash memory chip, which is purely "hardware"-based
• Disassembling unavoidable
• Direct access to the memory chip
Figure: the flash memory chip is taken out of the device's memory system and read directly in the extraction device
Acquisition: Chip-Off Physical Dump
Figures: removed memory chip; reballed chip
Acquisition: Chip-Off Physical Dump
Chips are tiny and differ a lot from each other
Acquisition: Chip-Off Physical Dump
Various chip programmers/readers and lots of different adapters are needed
Acquisition: Chip-Off Physical Dump
... to get this ☺ (figure: the resulting dump)
Acquisition: Forensically sound or not???
• Acquisition principles
  • Completeness
  • Integrity
  • Accuracy
  • Repeatability
• Help needed!!!
  • Cellebrite UFED
  • Microsystemation XRY
  • MobileEdit
  • ...
  • Research & Development
  • Quality Reviews & Support
Figure: UFED Touch Ultimate
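Integrity and repeatability are the two principles that can be checked mechanically: hash the image once at acquisition time, record the digests next to it, and re-hash whenever the image is copied, handed over or examined. The following Python script is an added example for this page, not code from the lecture or from any of the suites it names; it writes a small constructed stand-in for a phone dump into a temporary directory, records a manifest, verifies it (same bytes, same digests), then flips one byte and shows the verification failing. The manifest format (key=value lines) is an assumption made here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never have to fit in RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """One streaming pass over the image, feeding every configured hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path):
    """Record name, size and digests right after acquisition: the reference values."""
    digests = hash_image(image_path)
    lines = [f"file={Path(image_path).name}", f"size={os.path.getsize(image_path)}"]
    lines += [f"{name}={value}" for name, value in digests.items()]
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return digests


def verify_manifest(image_path, manifest_path):
    """Re-hash the image and compare; returns (ok, list of mismatching fields)."""
    recorded = {}
    for line in Path(manifest_path).read_text().splitlines():
        key, _, value = line.partition("=")
        recorded[key] = value
    algorithms = tuple(k for k in recorded if k not in ("file", "size"))
    current = hash_image(image_path, algorithms)
    mismatches = [a for a in algorithms if current[a] != recorded[a]]
    if str(os.path.getsize(image_path)) != recorded.get("size"):
        mismatches.append("size")
    return (not mismatches, mismatches)


def demo():
    """Constructed 3 MiB stand-in for a dump (not a real image): verify, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "phone.dd")
        manifest = os.path.join(tmp, "phone.dd.hashes")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * 4096))
        write_manifest(image, manifest)
        repeat_ok = verify_manifest(image, manifest)[0]   # repeatability: same bytes, same digests
        with open(image, "r+b") as fh:                     # simulate a single altered byte
            fh.seek(1000)
            fh.write(b"\xff")
        altered_ok, fields = verify_manifest(image, manifest)
        return repeat_ok, altered_ok, sorted(fields)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

Two digests are recorded because a manifest that only carries MD5 is weaker evidence than one that also carries SHA-256; both are computed in the same pass, so the extra cost is negligible compared with reading the image.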
Acquisition: Volatile Memory Information Dump
• Not being done until now... at least I am not aware of it
• RAM dump should be possible in theory
  • Gain root privileges, dump the memory device
  • dd if=/dev/mem of=mem.dd (probably will not work)
  • Problems: drained batteries; reboots during acquisition
• Will contain
  • Processes (e.g. for malware analysis)
  • Passwords, access tokens (things have to be kept up and running)
  • Communication artifacts, etc. (journaling file systems)
• Might contain volatile/temporary data
  • Geolocation data in Android (no longer found in file space)
Content
1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
  • Flash memory basics
  • Wear level decoding
  • Filesystem decoding
    • Android
    • iOS
5. Examination of Source Data
6. Reporting the Results
Decoding: Flash Memory - Overview
• Invented ~1980 by Dr. Fujio Masuoka (Toshiba)
  • The name "flash" was suggested because the erasing process reminded a colleague of Dr. Masuoka of a camera flash
• Erasing causes (heat) damage to the floating-gate insulator
  • Erase cycles limited to
    • 10,000-100,000 (NOR)
    • up to 2,000,000 (NAND)
• NAND memory chip features
  • Cheap, small form factor
  • Fast serial access cycles
  • Fast read/write access
  • High storage capacity
• Problems to address when decoding flash memory dumps
  • Structure: block-wise storage of pages which contain cells
  • Wear leveling: error management because of limited cell lifetime
Decoding: Flash Memory - Structure
• Cells, blocks and pages
• Example: 256 MB NAND chip
  • Page: 512 bytes (cells), plus 16 spare bytes
  • Block: 16 Kbytes (32 pages)
  • Total: 256 Mbyte (2048 blocks)
Figure: a cell; a page of 512 + 16 bytes; a block of 32 pages; 2048 blocks forming the 256 MB NAND chip
Decoding: Flash Memory - Read/Write Operations
• Comparing NAND memory to traditional hard drives
  • Read operation has (true) random access (faster)
    • Only true for NOR flash memory; NAND is still faster than traditional HDDs
  • Write operation is cell-based (think of bits)
  • Delete operation is also cell-based
  • Erase operation only on page level (think of sectors)
• Erasing and programming
  • Programming (i.e. writing) only possible on "clean" (erased) cells
  • Cleaning (erasing) cells only possible on a "page" basis
• Summary
  • Before writing any data, the cell has to be cleaned
  • Due to erase-cycle limits, wear leveling comes into place
Decoding: Flash Memory - Wear leveling
• Error management
  • Someone has to take care of good-to-bad sector allocation
  • Flash Translation Layer (FTL)
  • Wear levelling is proprietary
• And there may be more proprietary "features"
• More and more vendors use higher-level "interfaces" ☺
Figure: flash memory storage system (FMSS) layering - processes and the application sit above the file system (Ext, HFS); below it the FTL performs address translation (logical sector# to physical sector#), garbage collection and error management; the driver then addresses the flash memory bank / memory chip; the operating system sees the whole stack as one device
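What "wear level decoding" means in practice for the structure and FTL slides above: a physical dump is a sequence of pages (512 data bytes plus 16 spare bytes in the slide's example chip), and the spare area is where the controller keeps the logical-to-physical mapping. Because a rewrite goes to a fresh erased page rather than over the old one, the old copy stays readable until garbage collection, which is why physical dumps yield prior file versions and deleted content that a logical backup never shows. The following Python simulation is an added example for this page, not code from the lecture or from any forensic suite; the spare-area layout it assumes (logical page number and write sequence number, big-endian) is a constructed one, since real controllers use proprietary layouts that have to be reverse engineered first, and the dump it decodes is built inline from constructed data.

```python
import struct

PAGE_DATA = 512          # user data bytes per page (the slide's 256 MB example chip)
PAGE_OOB = 16            # spare ("out of band") bytes per page
PAGE_RAW = PAGE_DATA + PAGE_OOB
ERASED_OOB = b"\xff" * PAGE_OOB   # an erased page reads back as all 0xFF

# Constructed OOB layout used by this simulation (an assumption; real controllers
# use proprietary, undocumented layouts):
#   bytes 0-3  logical page number, big-endian
#   bytes 4-7  write sequence number, big-endian; a higher value is the newer copy
#   bytes 8-15 unused, 0xFF


def make_page(lpn, seq, data):
    """Build one raw physical page: data padded with 0xFF plus the OOB metadata."""
    data = data.ljust(PAGE_DATA, b"\xff")[:PAGE_DATA]
    return data + struct.pack(">II", lpn, seq) + b"\xff" * (PAGE_OOB - 8)


def build_dump(pages, total_pages):
    """Constructed physical dump: pages placed at given physical page numbers, rest erased."""
    raw = [b"\xff" * PAGE_RAW] * total_pages
    for ppn, page in pages.items():
        raw[ppn] = page
    return b"".join(raw)


def decode_dump(dump):
    """Rebuild the FTL mapping from the OOB metadata of every written page.

    Returns (current, stale): current maps logical page -> (seq, ppn, data) for the
    newest copy; stale keeps every superseded copy, which is where overwritten or
    deleted content can still be found after wear leveling relocated a write.
    """
    current, stale = {}, {}
    for ppn in range(len(dump) // PAGE_RAW):
        raw = dump[ppn * PAGE_RAW:(ppn + 1) * PAGE_RAW]
        data, oob = raw[:PAGE_DATA], raw[PAGE_DATA:]
        if oob == ERASED_OOB:
            continue                      # free page, nothing mapped here
        lpn, seq = struct.unpack(">II", oob[:8])
        entry = (seq, ppn, data)
        if lpn not in current or seq > current[lpn][0]:
            if lpn in current:
                stale.setdefault(lpn, []).append(current[lpn])
            current[lpn] = entry
        else:
            stale.setdefault(lpn, []).append(entry)
    return current, stale


def logical_image(current, n_logical):
    """Linear view the file system driver would see: the newest copy of each logical page."""
    blank = b"\xff" * PAGE_DATA
    return b"".join(current[l][2] if l in current else blank for l in range(n_logical))


def demo():
    """Constructed scenario: logical page 3 is written, then rewritten elsewhere."""
    v1 = b"sms: meet at 9"
    v2 = b"sms: meet at 10 (edited)"
    dump = build_dump({
        0: make_page(lpn=3, seq=1, data=v1),         # first write of logical page 3
        5: make_page(lpn=0, seq=2, data=b"header"),  # some other logical page
        9: make_page(lpn=3, seq=3, data=v2),         # rewrite of page 3, relocated by wear leveling
    }, total_pages=16)
    current, stale = decode_dump(dump)
    return {
        "current_lpn3": current[3][2].rstrip(b"\xff"),
        "stale_lpn3": [d.rstrip(b"\xff") for _, _, d in stale[3]],
        "image_len": len(logical_image(current, 4)),
        "mapped": sorted(current),
    }


if __name__ == "__main__":
    print(demo())
```

The logical image is what a filesystem parser needs as input; the stale dictionary is the "digging in the dirt" part, and it is only as trustworthy as the sequence-number interpretation, which is exactly the piece that differs per controller.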
Decoding: Filesystem Analysis
• Computers: FAT, NTFS, HFS, Ext3/4, EXT4
• Mobiles: Motorola proprietary, XSR, MCU, I855, P2K, YAFFS, JFFS2, SymbianFS, EFS2, QCP, DCT4, OSE, EXT4
(*) Fortunately the file system layout in modern smartphone OSs is UNIXoid most of the time
Decoding: Directories in Android
• Android follows Linux mounting
  • /dev/block/mtdblock? (YAFFS) (Memory Technology Devices)
  • /mnt/ (ext4)
• But what really interests us
  • /data/data (root privileges are required)
    • subdirectories per application with "userdata"
    • SQLite databases
    • proprietary byte streams
• Other resources
  • /sdcard (old), /mnt/[0|1], /mnt/ext/SD
    • Better examined apart from the device (no root access required)
    • May be secured (obfuscation, encryption)
Decoding: Sandbox directories in iOS
• Apps in iOS are sandboxed, i.e.
  • Every app resides in one directory
  • Data storage is limited to the folders
    • Documents
      • Databases, Plists, Images, PDFs, ...
    • Library
    • Tmp
      • e.g. web-cached data
Decoding: Summary - Steps in Decoding
Figure: decoding steps A to H, from physical dump to report
  Physical: NAND device with MBR, Partition 1, Partition 2 (the FTL sits between the chip and the partitions)
  Filesystem: partition boot record; files stored as scattered parts (sms.db parts A, B, C; pb.db parts A to J)
  Logical: file sms.db containing the records sms1, sms2, sms3, sms4
  Report: the records
Content
1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
  • Different sources
    • txt, XML, Plists, SQLite, binary
  • Different formats
    • Timestamps, flags, etc.
6. Reporting the Results
Examination: Inhomogeneous Sources
• Databases
  • SQLite3
    • Serverless, file-based database storage
    • Supported by various mobile core frameworks
    • Database connection software/driver needed
    • Sometimes hard to interpret / "join" different tables
• Text files
  • XML
    • Dynamic tag-based description files
    • Common for configuration files
    • Hard to put into fixed-width tables (e.g. XLS)
  • PLists
    • Like XML files, common for Apple devices (type might be binary rather than text)
  • CSV
    • Not very common on devices themselves, but as an export source to be examined/processed after data extraction from the mobile phone
• Binary files
  • Mostly proprietary formats, sometimes pure byte streams
  • Have to be decoded prior to examination
  • Sometimes PLists are in binary format to decrease file size
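Since the same extension can hide an XML plist, a binary plist or an unrelated byte stream, the first examination step is to classify each file by its leading bytes and hand it to the matching parser. The following Python script is an added example for this page, not code from the lecture or from any tool it mentions; it recognises SQLite 3 files and binary plists by their documented magic values, treats anything starting with "<" as XML (using plistlib when a plist element is present), and leaves everything else as an undecoded byte stream. All sample files it examines are constructed inline in a temporary directory and are not data from a real device.

```python
import os
import plistlib
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database file
BPLIST_MAGIC = b"bplist00"              # binary property list header


def sniff(path):
    """Classify by magic bytes, never by extension (extensions on devices lie or are missing)."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC):
        return "bplist"
    if head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
        return "xml"
    return "binary"


def load(path):
    """Dispatch to the right parser; returns (kind, payload)."""
    kind = sniff(path)
    if kind == "sqlite":
        con = sqlite3.connect(path)
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        rows = {t: con.execute(f'SELECT * FROM "{t}"').fetchall() for t in tables}
        con.close()
        return "sqlite", rows
    with open(path, "rb") as fh:
        raw = fh.read()
    if kind == "bplist" or (kind == "xml" and b"<plist" in raw[:1024]):
        return "plist", plistlib.loads(raw)    # plistlib reads both binary and XML plists
    if kind == "xml":
        return "xml", ET.fromstring(raw)
    return "binary", raw                        # proprietary byte stream: needs a dedicated decoder


def demo():
    """Constructed sample files (not from a real device), one per source type on the slide."""
    sample = {"Name": "constructed", "Count": 3}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "settings.plist": plistlib.dumps(sample, fmt=plistlib.FMT_BINARY),
            "Info.plist": plistlib.dumps(sample, fmt=plistlib.FMT_XML),
            "config.xml": b'<?xml version="1.0"?><config><item key="a">1</item></config>',
            "blob.bin": bytes(range(16)) + b"\x00" * 16,
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        db = os.path.join(tmp, "sms.db")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
        con.execute("INSERT INTO message VALUES (1, 'hello')")
        con.commit()
        con.close()
        for name in list(files) + ["sms.db"]:
            kind, payload = load(os.path.join(tmp, name))
            if kind == "xml":
                payload = payload.tag       # keep something comparable for the XML tree
            results[name] = (kind, payload)
    return results


if __name__ == "__main__":
    for name, (kind, payload) in demo().items():
        print(f"{name}: {kind} -> {payload!r}")
```

The two plist files carry identical content but different on-disk formats, which is the situation the slide describes: a binary plist opened as text shows nothing useful, while the same parser call handles both once the format has been recognised.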
Examination: Inhomogeneous Formats
• Different time formats, e.g.
  • in seconds since 01.01.1970 00:00:00 UTC (Unix timestamp), very popular
  • in milliseconds since 01.01.1970 00:00:00 UTC
  • in microseconds since 01.01.1970 00:00:00 UTC (PRTime), e.g. Mozilla Firefox
  • in milliseconds since 01.01.1601 00:00:00 UTC (WebKit time), e.g. Google Chrome
  • in seconds since 01.01.2001 00:00:00 UTC (CFAbsoluteTime), typical for Apple
• Specific flags, e.g.
  • 0 = no / 1 = yes
  • odd = out / even = in (e.g. found in iOS sms.db)
• Software-specific types, e.g.
  • Mozilla Firefox (-> visit types, reference)
• Different formatting stuff, e.g.
  • Line breaks (-> problem when exporting to/from CSV text files)
  • HTML tags (-> unpleasant to read)
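A raw integer from a database column means nothing until its epoch and unit are known, and the slide's list is exactly the set an examiner has to try. The following Python script is an added example for this page, not code from the lecture; it converts a value under each of the five conventions, narrows the candidates to those that land in a plausible date window (more than one hit means the column is ambiguous and needs corroboration), decodes the odd/even direction flag from the slide, and exports rows through the csv module so that an embedded line break survives the round trip. One note on the WebKit row: the slide lists it in milliseconds, but Chrome's history database stores microseconds since 1601, so the converter uses microseconds. The sms.db-like rows are constructed here and are not from a real device.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# unit name -> function mapping a raw integer to an aware UTC datetime
CONVERTERS = {
    "unix_s": lambda v: UNIX_EPOCH + timedelta(seconds=v),
    "unix_ms": lambda v: UNIX_EPOCH + timedelta(milliseconds=v),
    "prtime_us": lambda v: UNIX_EPOCH + timedelta(microseconds=v),    # Mozilla PRTime
    "webkit_us": lambda v: WEBKIT_EPOCH + timedelta(microseconds=v),  # Chrome/WebKit
    "cfabsolute_s": lambda v: CF_EPOCH + timedelta(seconds=v),        # Apple CFAbsoluteTime
}


def to_datetime(unit, value):
    return CONVERTERS[unit](value)


def plausible_interpretations(value, lo=datetime(2000, 1, 1, tzinfo=timezone.utc),
                              hi=datetime(2030, 1, 1, tzinfo=timezone.utc)):
    """Try every unit and keep those landing in a sane window; several hits mean ambiguity."""
    hits = {}
    for unit, conv in CONVERTERS.items():
        try:
            dt = conv(value)
        except OverflowError:
            continue
        if lo <= dt < hi:
            hits[unit] = dt
    return hits


def sms_direction(flags):
    """odd = outgoing, even = incoming (the iOS sms.db flag convention from the slide)."""
    return "out" if flags % 2 else "in"


def export_csv(rows):
    """Write rows with csv.writer so embedded line breaks are quoted, then read them back."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp_utc", "direction", "text"])
    for raw_date, flags, text in rows:
        writer.writerow([to_datetime("cfabsolute_s", raw_date).isoformat(),
                         sms_direction(flags), text])
    csv_text = buf.getvalue()
    parsed = list(csv.reader(io.StringIO(csv_text)))
    return csv_text, parsed


# Constructed sms.db-like rows: (CFAbsoluteTime seconds, flags, text); not from a real device.
SAMPLE_ROWS = [
    (419813935, 2, "incoming line 1\nline 2"),   # even flag, text with an embedded line break
    (419813995, 3, "outgoing reply"),            # odd flag
]


if __name__ == "__main__":
    print(plausible_interpretations(1398121135))   # only the Unix-seconds reading is plausible
    print(plausible_interpretations(419813935))    # only CFAbsoluteTime fits
    text, back = export_csv(SAMPLE_ROWS)
    print(text)
    print(back)
```

Keeping the raw integer alongside the decoded timestamp in any report is worthwhile: the conversion is an interpretation, and the plausibility window is a heuristic that a wrong epoch can slip through when two conventions happen to overlap for the year in question.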
Content
1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
  • Technical vs. investigation presentation
  • Report management
  • Report viewer
Reporting: Different Points of View
• Technical (preservation)
  • Do not alter data when extracting -> stay forensically sound
  • Leave data as it is to prevent processing errors
  • Pass everything to the investigator
  • Stay digital rather than printing on paper (>1500 pages)
• Investigation (demand)
  • Extract data, even if this means altering data
  • Process data to make it "readable"
  • Please only provide "hits"
  • "A report please!!!!"
Reporting: Report Management
• Phone dump
  • Original data
  • Raw images (dd, bin, e01)
• Exported data
  • Exported according to the data request
• Processed data
  • Report
  • CSV, Excel, PDF, HTML, XML, docx
• Final report
  • Summary
  • Where to find important data
Figure: stages Input -> Processing -> Output
Reporting: Report Viewer (Outlook)
• Present data e.g. on a terminal server or burned on optical media in a (stand-alone) dedicated application
• Investigator can refine data
  • Focus on specific artifacts (e.g. chats, log files, e-mails, etc.)
  • Focus on specific media (pictures, videos, audio memos)
  • Search with keywords (produce hits)
  • Filter with keywords (reduce data output)
• But: German law demands paper evidence
  • So: print a report / burn the report on CD
• Problems
  • Exported data too large to fit on CD/DVD...
  • Potential malware within the police network (concerning the viewer)
Summary: What we've learnt
• Introduction
  • Many opportunities due to mobile forensics when investigating crime, but also limits
  • Many different hardware models and operating systems
• Seizing mobile devices
  • Many possibilities to do things "wrong", e.g. when seizing, not noting passcodes/SIM codes
• Acquisition of as much as possible
  • Many approaches to acquire evidence; problems choosing the right one, e.g. vendor-driven, logical, physical
• Decoding flash images
  • Many things you need to understand when doing mobile investigations, e.g. FTL decoding
• Examination of source data
  • Many different sources of evidence data to be found on mobile devices, e.g. SQLite, byte streams, pictures, music, videos, config files, etc. (see tomorrow ☺)
• Reporting the results
  • Different points of view (technical vs. investigation)
Being part of the Justice League
References [all links checked on 18.05.2013]
• Warnke12: Trends in der Forensik von Mobiltelefonen. Peter Warnke, Cellebrite GmbH, http://www.anwendertag-forensik.de/content/dam/anwendertag-forensik/de/documents/2012/Vortrag_Warnke.pdf [18.09.2012]
• Punja08: Mobile Device Analysis. Shafik G. Punja & Richard P. Mislan, http://www.ssddfj.org/papers/SSDDFJ_V2_1_Punja_Mislan.pdf [1.6.2008]
• FTL09: A survey of Flash Translation Layer. Tae-Sun Chung et al., http://idke.ruc.edu.cn/people/dazhou/Papers/AsurveyFlash-JSA.pdf [17.04.2009]
• Swauger12: Chip-Off Forensics. Jim Swauger, http://www.binaryintel.com/wp-content/uploads/2012/05/Chip-Off_Forensics_Article.pdf [02.2011]
• Schatz12: Android Forensics Deep Dive. Dr. Bradly Schatz, http://www.schatzforensic.com.au/presentations [2012]
• CENSE12: Introduction to Flash Memory. Roberto Bez et al., paper from CENSE, http://www.cense.iisc.ernet.in/academics/Binder-Nonvolatile1.pdf [2012]
• SIMSON11: Android Forensics. Simson L. Garfinkel, http://simson.net/ref/2011/2011-07-12%20Android%20Forensics.pdf [12.07.2011]
References of Examples [all links checked on 25.05.2013]
• Oxygen11: Android Forensics Study of Password and Pattern Lock Protection. Oleg Fedorov, http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection [18.11.2011]
• Zdziarski13: iOS Forensic Investigative Methods. Jonathan Zdziarski, http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf [13.05.2013]
• ifixit12: iPhone 5 teardown. iFixit, http://www.ifixit.com/Teardown/iPhone+5+Teardown/10525/3 [12.9.2012]
• Gilleland: Processing iPhones. Richard Gilleland, http://cryptocomb.org/Sacramento%20Police%20Department%20-%20Processing%20Iphones.pdf [x.x.2010?]
• 8051FAQ: What is NAND flash memory. Toshiba, http://www.8051faq.com.cn/download/nand-toshiba.pdf [03.2003]
Questions to check your knowledge
• Name at least
  • 3 different types of mobile evidence data
  • 5 problems / limitations of mobile forensics
  • 3 possibilities for preventing remote access to a mobile device
• Describe the different
  • types of device locks and how to handle them
  • types of memory and which information can be retrieved from them
  • acquisition methods and when they have to be used
  • physical acquisitions and how they are accomplished
• Explain the difficulties
  • about wear leveling when dealing with flash memory
  • when retrieving inhomogeneous data sources / formats
  • between the technical and the investigative point of view regarding mobile forensics
Questions to check your knowledge
• Name at least
  • 3 different types of mobile evidence / data
  • 5 problems / limitations of forensics on mobile devices
  • 3 ways to prevent remote access to a mobile device
• Describe the different
  • device lock types and how they are to be handled
  • memory types and which data may be extractable from them
  • data acquisition options and when each is to be applied
  • options for physical data acquisition and how they are carried out
• Explain the difficulties
  • with wear leveling when dealing with flash memory
  • when extracting and processing inhomogeneous data sources / formats
  • between the technical and the investigative view regarding mobile forensics