SM12: Opportunities and Limits of Modern Smartphone Forensics (Uni Koblenz-Landau)



Page 1 (SS 2015, A. Dhein)

Slide 1 / 67 (2015 © A. Dhein)

Security for Mobile Applications (Prof. R. Grimm)

SM12: Opportunities and Limits of Modern Smartphone Forensics

A. Dhein, Institute for Information Systems Research (M. Becker), K15, IuC Forensics, tech investigation Ass., University Campus Koblenz / Criminal Police Department Koblenz

Slide 2 / 67: Before we start

• Andreas Dhein
  • 37 years old
  • married, 2 kids
  • lives/works in Koblenz
• Diplom-Informatiker (former degree equivalent to MSc)
• Employee at the Criminal Police Department of Koblenz
  • Member of the European FREETOOL project (SQLiteProcessor)
  • Mac OS X / iPhone forensics (Zdziarski, Hoog etc.)
  • Geolocation-based services (iPhoneTrackerLE, AndroidTrackerLE)
• PhD (work in progress) at the University of Koblenz-Landau

Twitter: @4rensiker

Slide 3 / 67: Before we start

• How does Mobile Forensics fit into the field of Security for Mobile Applications?
• You need to bypass security restrictions
• Potentially everything you heard until now might help ☺
• BUT: 4n6 resides in the field of white hat hacking

Slide 4 / 67: Content

1. Introduction
   • Ubiquitous Mobile Computing
   • Opportunities due to Mobile Forensics
   • Limitations due to Diversity
     • different systems
     • different hardware
     • different interfaces
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results

Disclaimer: The icons and logos used belong to their original owners. Thanks to Peter Warnke (Cellebrite Germany) for providing lots of them.

Slide 5 / 67: Mobile Phones Evolution (Introduction)

Timeline: 1990 – 2000 – 2010

• Phones
  • Cellular Phones
    • Code Division Multiple Access (CDMA)
    • Global System for Mobile Communications (GSM)
    • Integrated Digital Enhanced Network (iDEN)
  • Portable Digital/Data Assistants (PDA)
    • Palm Pilots (Palm OS)
    • Pocket PCs
• Smartphones
  • Apple iPhone
  • Android Phones
  • Blackberry RIM
  • Windows Mobile

Slide 6 / 67: Motivation: Ubiquitous Mobile Smartphones (Introduction)

• Left: Smartphone market (still) growing
  • No more than 4% traditional „dumb“ phones sold in 2013
• Right: On the way into the „Post-PC era“
  • Smartphones/tablets overtook desktop/notebook PCs in 2011

Slide 7 / 67: Opportunities due to Mobile Forensics (Introduction)

In theory...

Slide 8 / 67: Motivation: Own the smartphone, know everything... (Introduction)

• Smartphones are Personal Assistants
  • Contacts
  • E-Mails
  • SMS
  • Calendar events
  • Dictionaries, Notes
  • Audio, Photos, Videos, Documents
  • Last visited websites, Bookmarks
  • Much more...
• Smartphones are Status Symbols
  • „Criminals seem to need expensive gadgets“

Slide 9 / 67: Motivation: Own the smartphone, know everything... (Introduction)

• Smartphones are Personal Communicators
  • E-Mails
  • SMS
  • WhatsApp
  • Facebook
  • Skype
  • Facetime
  • And even more...
  • Also deleted conversations...
• Smartphones are Personal Trackers
  • Assisted GPS based geolocation data „everywhere“

There is much more

Slide 10 / 67: Limitations/Problems in Mobile Forensics (Introduction)

The reality looks slightly different ☺

Slide 11 / 67: Lots of different vendors / suppliers (Introduction)

Slide 12 / 67: Lots of different platforms (Introduction)

Slide 13 / 67: Lots of different operating systems (Introduction)

Slide 14 / 67: Even one vendor has lots of different systems/versions (Introduction)

Figure: iPhone, iPad and iPad mini model lines (http://en.wikipedia.org/wiki/List_of_iOS_devices)

Slide 15 / 67: A bit worse: Even more differences on Android (devices) (Introduction)

• Different hardware vendors
  • With different memory chips
  • With different interfaces
  • With different cables
• Different software versions
  • Every vendor brews its own Android derivative
  • Many different software versions
    • Android 2.x (Froyo, Gingerbread) still in use since May 2010
    • Major differences in Android 4.x since Oct. 2011 (Sandwich, JellyBean, KitKat)

http://developer.android.com/about/dashboards/index.html

Slide 16 / 67: And you are not yet at connection level ☺ (Introduction)

Nearly every device has a different interface, if at all.

Figure: connector types across dumbphones and smartphones: Mini-USB, Micro-USB, Samsung-Dock, iPhone/iPod/iPad-Dock

Standardization?

Slide 17 / 67: Content

1. Introduction
2. Seizing mobile devices
   • Preview content?!
   • Remote wiping
   • Preserving access
   • Passcode vs. PIN code
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results

Slide 18 / 67: General concerns (in the field) (Seizure)

• Preview before seizing???
  • Possibility for incriminating evidence and direct accusation
  • Selection reduces evidence, speeds up general processing
  • Starting apps alters data on the device
• Documentation
  • Location
  • Device state
  • Physical issues: damages, broken displays, missing parts, etc.
• Seize chargers and accessories
• Protection and preservation of evidence

Slide 19 / 67: Remote Wiping (free feature in iOS) (Seizure)

• Available through the Apple iCloud system service
• Wipes the complete phone in less than a second
• Irretrievable!!! Disconnect the device from the internet!!!

Detailed information and more screenshots: http://www.businessinsider.com/find-my-iphone-2011-10?op=1

Slide 20 / 67: Remote Wiping (Android 2.3+, Windows Mobile) (Seizure)

• Android
  • Available through Android Device Manager
  • Turned off by default; has to be activated before losing the device ☺
  • Limited wiping features on SD cards
    • Only 1st card; has to be mounted; only fast (not secure) erase
• Windows Mobile
  • Available through OWA (Outlook Web Access)

Slide 21 / 67: Prevent Internet Connection (Shielding/Isolation) (Seizure)

• Network Service Provider cooperation
  • NSPs could disable the device from the network
• Jamming
  • Creates a temporary „dead zone“ for all cell phones
  • Violation of the Telecommunication Act
• Shield bag
  • Good news: aluminum foil will do the job ☺
• Problems
  • Battery drain due to the increase of signal strength
  • Plugging the charger into the power grid acts like an antenna
• Solution
  • Forensic shielded bags with battery packs available

Slide 22 / 67: Prevent Internet Connection (without tools) (Seizure)

• Turning off the device????
  • Activates the handset lock and/or PIN lock for the SIM
  • Potentially making the device inaccessible
• So, what to do?
  • Never power off the device!!! Keep it charged!!!
  • Disconnect from any wireless network!!!
    1. Activate airplane mode
    2. Deactivate device lock
    3. Ask for SIM code

Slide 23 / 67: Bypass SIM lock by asking NSP (Seizure)

• Legal base
  • §§ 161 (1), 163 (1) Code of Criminal Procedure (StPO)
  • § 113 (1) S. 2 Telecommunication Act (TKG) (only inventory data)
  • § 100j Code of Criminal Procedure (StPO)
• Information helpful to identify the owner
  • IMEI (International Mobile Equipment Identifier)
    • Stored/printed on the phone
    • Dial *#06# on the phone to get your IMEI number
  • IMSI (International Mobile Subscriber Identity)
    • Stored on the SIM card
  • ICCID (Integrated Circuit Card Identifier)
    • Stored and printed on the SIM card
    • Structure: 89 MCC IsID xxxxxxxxxx C
• What you get
  • SIM PIN/PUK to unlock the SIM card / phone
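As an added Python example (not from the slides), the following checks the identifiers listed above before they go into a request to the NSP: both IMEI and ICCID end in a Luhn check digit, so a digit misread from a label or mistyped from the *#06# display is caught immediately. The ICCID field split follows the slide's "89 MCC IsID xxxxxxxxxx C" layout with assumed field widths (3-digit MCC, 2-digit issuer id); the IMEI is a commonly published documentation example value, the ICCID is constructed.

```python
"""Validate and decode IMEI / ICCID values with their Luhn check digit.

Added example, not part of the original slides. Field widths in the ICCID
split are assumptions made to match the slide's layout.
"""
import re


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string that already includes its check digit.
    Walking from the right, every second digit (2nd, 4th, ...) is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit Luhn-valid."""
    return (10 - luhn_checksum(body + "0")) % 10


def is_valid_imei(imei: str) -> bool:
    """An IMEI is 15 digits: 8-digit TAC, 6-digit serial, 1 Luhn check digit."""
    return bool(re.fullmatch(r"\d{15}", imei)) and luhn_checksum(imei) == 0


def decode_imei(imei: str) -> dict:
    if not is_valid_imei(imei):
        raise ValueError("not a Luhn-valid 15-digit IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def decode_iccid(iccid: str) -> dict:
    """Split an ICCID as on the slide: 89 | MCC | issuer id | account | check.
    Assumption: 3-digit MCC and 2-digit issuer id; real ICCIDs vary in field widths."""
    if not re.fullmatch(r"\d{18,20}", iccid) or not iccid.startswith("89"):
        raise ValueError("ICCID must be 18-20 digits and start with 89 (telecom industry id)")
    if luhn_checksum(iccid) != 0:
        raise ValueError("ICCID check digit mismatch (transcription error?)")
    return {
        "industry": iccid[:2],
        "mcc": iccid[2:5],
        "issuer": iccid[5:7],
        "account": iccid[7:-1],
        "check": iccid[-1],
    }


if __name__ == "__main__":
    # Documentation example IMEI and a constructed ICCID (Germany, MCC 262).
    print(decode_imei("490154203237518"))
    print(decode_iccid("892620100000000008"))
```

Values that fail the check are rejected before any request is made, which avoids asking the NSP about a subscriber identity that was simply copied wrong from a label.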

Slide 24 / 67: Difference between Passcode and SIM-PIN (Seizure)

• Passcode (locks the device)
  • Numerical (iOS): simple to bruteforce
  • Alphanumerical (iOS): bruteforce unsuccessful
  • Pattern-based (Android): numerical, no bf needed
• SIM code (locks network access*)
  • Numerical
• Problems when bruteforcing
  • Delay until the next unlock increases
  • Device completely locked up after x attempts

* Some phone models stay locked without the correct SIM code

Slide 25 / 67: Bypass Passcodes with Cellebrite UFED Physical Analyzer (Seizure)

Figure: Cellebrite UFED Physical Analyzer

Slide 26 / 67: Bypass Passcode (in Android) (Seizure)

• Pattern file: /data/system/gesture.key
  • Lock sequence stored as a SHA1 hash
  • Pattern stored as hex values
• Generate a SHA1 „look-up table“ for 895824 numbers
  • from 1234 to 987654321
  • keeping in mind that you can only access neighbouring digits
• Decoding the passcode pattern
• But fortunately not needed anyway ☺

http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection/

Figure (decoding example):

  1 2 3
  4 5 6
  7 8 9

  Pattern 7-5-2-3-6-9  →  bytes 0x06 0x04 0x01 0x02 0x05 0x08  →  SHA1  →
  0x82 0x79 0x0A 0xD0 0xAD 0xEB 0x07 0xAC 0x2A 0x78 0xAC 0x07 0x03 0x8B 0xC9 0x3A 0x26 0x69 0x1F 0x12
  compared (via the LUT) against the contents of gesture.key
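The decoding chain in the figure above, worked through as an added Python example (not the slide author's code): it enumerates every pattern the 3×3 grid accepts under the rule that a stroke may only pass over a node that was already visited, hashes each pattern's one-byte-per-node encoding with SHA-1, and looks a gesture.key digest up in the resulting table. The point for a defender is why this works at all: gesture.key held an unsalted SHA-1 of a secret drawn from a keyspace small enough to hash completely in seconds, which is why later Android versions replaced it with a salted, hardware-backed scheme. The 20-byte key used in the demo is constructed by hashing a known pattern, not read from a device.

```python
"""Why an unsalted SHA-1 over the Android pattern keyspace offered no protection.

Added example, not code from the slides. Node encoding follows the slide:
pattern 7-5-2-3-6-9 is stored as bytes 06 04 01 02 05 08 (digit minus one).
"""
import hashlib

# 3x3 grid numbered 1..9. A stroke between two nodes with another node in
# between (e.g. 1 -> 3 passes over 2) is only valid if that node was visited.
_BETWEEN = {
    frozenset((1, 3)): 2, frozenset((4, 6)): 5, frozenset((7, 9)): 8,
    frozenset((1, 7)): 4, frozenset((2, 8)): 5, frozenset((3, 9)): 6,
    frozenset((1, 9)): 5, frozenset((3, 7)): 5,
}


def valid_patterns(min_len: int = 4, max_len: int = 9):
    """Yield every pattern Android accepts: 4..9 distinct nodes, skip rule respected."""
    def extend(path):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        visited = set(path)
        for nxt in range(1, 10):
            if nxt in visited:
                continue
            mid = _BETWEEN.get(frozenset((path[-1], nxt)))
            if mid is not None and mid not in visited:
                continue                      # would jump over an unvisited node
            path.append(nxt)
            yield from extend(path)
            path.pop()

    for start in range(1, 10):
        yield from extend([start])


def pattern_bytes(pattern) -> bytes:
    """Slide encoding: each node as one byte holding (digit - 1)."""
    return bytes(n - 1 for n in pattern)


def gesture_hash(pattern) -> bytes:
    """What gesture.key contained: raw, unsalted SHA-1 of the encoded pattern."""
    return hashlib.sha1(pattern_bytes(pattern)).digest()


def build_lookup_table() -> dict:
    """digest -> pattern for the entire valid keyspace (a few hundred thousand entries)."""
    return {gesture_hash(p): p for p in valid_patterns()}


def recover_pattern(gesture_key: bytes, table: dict):
    """Return the pattern whose digest equals the 20-byte gesture.key content, or None."""
    return table.get(gesture_key)


def demo():
    """Constructed check: hash a known pattern as gesture.key would, then look it up."""
    stored = gesture_hash((7, 5, 2, 3, 6, 9))   # constructed, not from a device
    return recover_pattern(stored, build_lookup_table())


if __name__ == "__main__":
    print("recovered:", demo())
```

The whole table is built in a couple of seconds on a laptop; a per-device salt or a slow key-derivation function would have forced this work to be redone for every device instead of once.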

Slide 27 / 67: Bypass Passcode (in iOS 3, 4, 5) – Zdziarski* (Seizure)

• Download AutomatedTools.zip from iosresearch.org*
• Up to iPhone model 1303 (3GS), iOS < 4.x
  1. $ ./setup.sh
     • Loads firmware, patches, ROM image etc. from the internet
  2. $ ./boot-passcode.sh
     • Put the iPhone into DFU mode** (script will tell you)
     • Patches the kernel to execute an unsigned bootloader
     • Put the iPhone into Recovery*** or DFU mode (script will tell you)
     • Boots the prepared unsigned ROM and automatically removes the passcode permanently
• Starting from iOS 4.x, iOS 5.x (multiplatform)
  1. $ ./recover-keys.sh
     • Bruteforces the 4-digit passcode if set
     • Recovers encryption keys from the device
     • Decrypts encrypted passwords from the keychain
  2. $ ./recover-raw.sh
     • ...
• But fortunately not needed either to dump raw/filesystem images ☺

* Access to iosresearch.org restricted to members of law enforcement agencies
** Device Firmware Upgrade (DFU) mode (totally black screen): transfer mode, which can be exploited (injectgreen, injectpois0n)
*** Recovery mode (iTunes symbol): transfer mode, higher level, which can be exploited

Slide 28 / 67: Content

1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
   • Different types of storage
   • Different types of acquisition
     • Logical backup
     • Physical NAND dump
     • JTAG
     • Chip-off
   • Forensic sound or not?!
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results

Figures: Hynix H2JTDG2MBR 128 Gb (16 GB) NAND flash; mini-SIM, micro-SIM, nano-SIM

Slide 29 / 67: External: (U)SIM Card (Acquisition)

• General
  • 16–128 kb EEPROM*
• Content
  • Last Number Dialed (LDN), up to 10 numbers if at all
  • Phonebook/Contacts (ADN)
  • Text Messages (SMS)
  • Location Information (LOC) from last usage
  • Service related information
• Acquisition
  • Forensic Card Reader 2
• Hierarchical filesystem
  • Master File (MF)
  • Dedicated Files (DF)
  • Elementary Files (EF)

Smartphones DO NOT use SIM storage

* Electrically Erasable Programmable Read-Only Memory

Slide 30 / 67: External: SD Memory Card (Acquisition)

• General
  • 8 MB – 1 GB
  • SDHC* up to 64 GB
• Content
  • Pictures
  • Movies
  • Audio files
  • Documents
  • Encrypted data
• Acquisition
  • Usually FAT16, FAT32 filesystems
  • Forensic hard disk imaging software

* Secure Digital High Capacity

Slide 31 / 67: Internal: Flash memory storage chips (Acquisition)

• General
  • Non-volatile (meaning data preservation)
  • 16 GB Single Level Cell (SLC)
  • 32 GB Multiple Level Cell (MLC)
  • Solid-state (meaning no moving parts)
• Mainly two different design types
  • Thin Small-Outline Package (TSOP): pins on the sides of the chip
  • Ball Grid Array (BGA) or Land Grid Array (LGA): pins below the chip (in an array)
• Content
  • Not limited to any kind of data
  • Not always encrypted
• Acquisition
  • Difficult, because no direct access to the flash memory storage components is intended; it's more like a storage system

Figures: TSOP and BGA packages; SLC and MLC chips

Slide 32 / 67: Different acquisition techniques (Acquisition)

1. Logical Backup (Gathering)
   • Using vendor solutions
   • Copying files from the device
2. Filesystem Dump
3. Physical Dump
   • Physical NAND dump
   • Physical JTAG acquisition
   • Physical chip-off acquisition

• The intention is to access as much data as possible, as quickly as possible, while altering as little data as possible

Figure: the techniques plotted against two axes, complexity and amount of data

Slide 33 / 67: Logical Backup: Vendor/Software driven (Acquisition)

• Apple iTunes
• Samsung Kies
• HTC Sync
• LG PC Suite
• ...
• MyPhoneExplorer (Android)
• Titanium Backup (Android)
• DiskAid, iPhoneExplorer (iOS)

• Of course every mobile forensic suite is able to retrieve a vendor-equivalent logical backup (mostly enhanced)

Figure: Smartphone (server) ↔ Desktop computer (client)

Slide 34 / 67: Logical Backup: Copying Files from the filesystem (Acquisition)

• Mounting in Windows/Linux/Mac
  • „Thumb drive“
  • Camera/scanner device
• Using developer tools (Android)
  • Enable ADB on the phone
  • Connect and copy recursively
• Using AFC (iOS/iTunes)
  • Sync or backup with Apple iTunes
  • Using iPhoneExplorer software

Slide 35 / 67: Logical Backup: Accessing Cloud Backup (Acquisition)

• We do not need the device anymore ☺
• Possible, but problems due to the legal base
• Every major mobile platform offers the possibility to back up personal information and/or device data online
  • Apple iCloud: https://www.icloud.com
  • Android: various, https://[drive|docs].google.com ...
  • Microsoft Windows Live: no web access (?)
• How to get the data from the cloud?
  • Syncing to a „fresh“ device when assigning it with ID/password
  • Downloading data directly?
    • Apple: downloading the complete backup (EPB, iloot.py)
    • Android: Google Drive, Google Docs, mails.... (not directly)
    • Windows Mobile: contacts, notes and SMS messages (EPB)

Slide 36 / 67: Logical Backup: Accessing iCloud Backup (Acquisition)

• Elcomsoft Phone Breaker (EPB)
  • Primary aim is password breaking into phones
  • Possibility to download / break into cloud data

Slide 37 / 67: Logical Backup: demo output of iloot.py getting sms.db (Acquisition)

mbp:iloot-master administrator$ pip install -r requirements.txt
[...]
mbp:iloot-master administrator$ python iloot.py [email protected] password --item-types sms
Working with [email protected] : password
Output directory : output
Available Devices: 1
===[ 0 ]===
UDID: 4d3e33cbc02578d[...]4f883f9d256
Device: iPhone 4S
Size: 1G
LastUpdate: 2014-04-21 22:58:55
Downloading backup 4d3[...]256 to output/4d3[...]256
Got OTA Keybag
Available Snapshots: 67
Listing snapshot 1...
Shifting offset: 5000
Files in snapshot 4033
Downloading 1 files due to filter
HomeDomain output/4d3[..]256/snapshot_1/HomeDomain/Library/SMS/sms.db
Listing snapshot 66...
Shifting offset: 5000
Files in snapshot 229
Downloading 0 files due to filter
Listing snapshot 67...
Shifting offset: 5000
Files in snapshot 280
Downloading 1 files due to filter
HomeDomain output/4d3[...]256/snapshot_67/HomeDomain/Library/SMS/sms.db

• https://github.com/hackappcom/iloot

Slide 38 / 67: Gathering or Dumping (Acquisition)

Logical Gathering
• Pros
  • Fastest acquisition possible
• Cons
  • Limited access to files
  • No prior file versions
  • No deleted files (although deleted entries in DBs)
  • Trusting the kernel!?

Physical Dumping
• Pros
  • Advanced access to the filesystem (filesystem backup)
  • Direct access to flash memory storage (nanddump)
  • Physical access to the flash memory chip (JTAG, chip-off)
• Cons
  • Expert level forensics > also meaning expensive ☺
  • Disassembling the device (JTAG)
  • Destroying the device (chip-off)
  • „Only one chance“ to obtain the data
  • „Digging in the dirt“ forensics (reverse engineering wear leveling)

Slide 39 / 67: Filesystem Dump (Acquisition)

• Use a system service
  • in a way it was (not) meant to be ☺
• Find an exploit and retrieve more data than normally
  • BUT it's still a „call over the fence“, kernel-trusted ☹

Figure: Device (Operating System; Memory System: SD RAM, Flash Memory) ↔ Extraction Device via AFC/ADB

Slide 40 / 67: Pseudo Physical Dump (Acquisition)

• Use a bootloader unlock/manipulation
  • which is still „software“-based
• No disassembling necessary
  • Trust your own kernel

Figure: Device (Operating System; Memory System: SD RAM, Flash Memory) ↔ Extraction Device via the bootloader

Slide 41 / 67: JTAG Physical Dump (Acquisition)

• Connect service points to a RIFF box
  • which is „hardware“-based
• Most of the time disassembling is necessary
  • Direct interaction with the memory system

Figure: Device (Operating System; Memory System: SD RAM, Flash Memory) ↔ Extraction Device via RIFF Box

Slide 42 / 67: JTAG Physical Dump (Acquisition)

Figures: disassemble the phone; connect jig & power cables; connect to the JTAG adapter

Slide 43 / 67: JTAG Physical Dump (Acquisition)

Figure: connect to the target and dump …

Slide 44 / 67: Chip-Off Physical Dump (Acquisition)

• Remove the flash memory chip
  • which is purely „hardware“-based
• Disassembling unavoidable
  • Direct access to the memory chip

Figure: Device (Operating System; Memory System: SD RAM, Flash Memory) → Flash Memory chip removed and read by the Extraction Device

Slide 45 / 67: Chip-Off Physical Dump (Acquisition)

Figures: removed memory chip; reballed chip

Slide 46 / 67: Chip-Off Physical Dump (Acquisition)

Chips are tiny and differ a lot from each other

Slide 47 / 67: Chip-Off Physical Dump (Acquisition)

Various chip programmers/readers and lots of different adapters needed

Slide 48 / 67: Chip-Off Physical Dump (Acquisition)

… to get this ☺

Slide 49 / 67: Forensic sound or not??? (Acquisition)

• Acquisition principles
  • Completeness
  • Integrity
  • Accuracy
  • Repeatability
• Help needed!!!
  • Cellebrite UFED
  • Microsystemation XRY
  • MobileEdit
  • …
  • Research & Development
  • Quality Reviews & Support

Figure: UFED Touch Ultimate

Slide 50 / 67: Volatile Memory Information Dump (Acquisition)

• Not being done until now... at least I am not aware of it
• RAM dump should be possible in theory
  • Gain root privileges, dump the memory device
  • dd if=/dev/mem of=mem.dd (probably will not work)
  • Problems: drained batteries; reboots during acquisition
• Will contain
  • Processes (e.g. for malware analysis)
  • Passwords, access tokens (things have to be kept up and running)
  • Communication artifacts, etc. (journaling file systems)
• Might contain volatile/temporary data
  • Geolocation data in Android (no longer found in file space)

Slide 51 / 67: Content

1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
   • Flash memory basics
   • Wear level decoding
   • Filesystem decoding
     • Android
     • iOS
5. Examination of Source Data
6. Reporting the Results

Slide 52 / 67: Flash Memory – Overview (Decoding)

• Invented ~1980 by Dr. Fujio Masuoka (Toshiba)
  • The name „flash“ was suggested because the erasing process reminded a colleague of Dr. Masuoka of a camera flash
• Erasing causes (heat) damage to the floating gate isolator
  • Erase cycles limited to
    • 10.000–100.000 (NOR)
    • up to 2.000.000 (NAND)
• NAND memory chip features
  • Cheap, small form factor
  • Fast serial access cycles
  • Fast read/write access
  • High storage capacity
• Problems to address when decoding flash memory dumps
  • Structure: block-wise storage of pages which contain cells
  • Wear leveling: error management because of limited cell lifetime

Slide 53 / 67: Flash Memory – Structure (Decoding)

• Cells, blocks and pages
• Example: 256 MB NAND chip
  • Page: 512 bytes (cells)
  • Block: 16 Kbytes (32 pages)
  • Total: 256 Mbyte (2048 blocks)

Figure: cell → page (512 + 16 bytes) → block (32 pages) → 256 MB NAND chip (2048 blocks)
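An added Python example (not from the slides) of the first decoding step a physical dump needs: splitting the raw stream into 512-byte data pages and their 16-byte spare areas, stripping the spare bytes so that filesystem tools see a contiguous image, and listing blocks flagged bad in the spare area. The geometry is the one on the slide; note that 2048 blocks × 32 pages × 512 bytes is 32 MiB of data, so the "256 M" of the example chip is megabits. The bad-block marker position (byte 5 of the spare area) is a common small-page convention and an assumption here; the dump is constructed.

```python
"""Split a raw NAND dump into data pages and spare (OOB) areas.

Added example, not from the slides. A physical dump (chip-off, JTAG,
nanddump) is a stream of pages, each followed by its spare area holding ECC
and block-management metadata rather than file data. Filesystem parsers
expect the data pages only, so the spare bytes must be removed first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NandGeometry:
    page_size: int = 512        # user-data bytes per page (the slide's "cells")
    spare_size: int = 16        # out-of-band bytes per page
    pages_per_block: int = 32
    blocks: int = 2048

    @property
    def raw_page(self) -> int:
        return self.page_size + self.spare_size          # 528 bytes on disk per page

    @property
    def block_size(self) -> int:
        return self.page_size * self.pages_per_block     # 16 KiB on the slide

    @property
    def data_size(self) -> int:
        return self.block_size * self.blocks             # 32 MiB = 256 Mbit


def split_dump(raw: bytes, geo: NandGeometry):
    """Yield (block, page, data, spare) for every page of a raw dump."""
    if len(raw) % geo.raw_page:
        raise ValueError("dump length is not a whole number of raw pages")
    for idx in range(len(raw) // geo.raw_page):
        off = idx * geo.raw_page
        data = raw[off:off + geo.page_size]
        spare = raw[off + geo.page_size:off + geo.raw_page]
        yield divmod(idx, geo.pages_per_block) + (data, spare)


def strip_spare(raw: bytes, geo: NandGeometry) -> bytes:
    """Return the data-only image a filesystem parser expects."""
    return b"".join(data for _, _, data, _ in split_dump(raw, geo))


def bad_blocks(raw: bytes, geo: NandGeometry, marker_offset: int = 5):
    """Blocks whose first page carries a non-0xFF bad-block marker in the spare area.
    Assumption: marker at spare byte 5, a common convention for 512-byte-page NAND."""
    bad = set()
    for block, page, _, spare in split_dump(raw, geo):
        if page == 0 and spare[marker_offset] != 0xFF:
            bad.add(block)
    return sorted(bad)


def make_sample_dump(geo: NandGeometry, blocks: int = 2) -> bytes:
    """Constructed dump: page i is filled with byte value i, spare areas are all
    0xFF except block 1, which is marked bad in its first page."""
    out = bytearray()
    for b in range(blocks):
        for p in range(geo.pages_per_block):
            out += bytes([(b * geo.pages_per_block + p) & 0xFF]) * geo.page_size
            spare = bytearray(b"\xff" * geo.spare_size)
            if b == 1 and p == 0:
                spare[5] = 0x00
            out += spare
    return bytes(out)


if __name__ == "__main__":
    geo = NandGeometry()
    raw = make_sample_dump(geo)
    print("raw bytes:", len(raw), "data-only bytes:", len(strip_spare(raw, geo)))
    print("bad blocks:", bad_blocks(raw, geo))
```

Large-page NAND (2 KiB or 4 KiB pages with 64 or more spare bytes) uses the same split with different constants, which is why the geometry is a parameter rather than hard-coded.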

Slide 54 / 67: Flash Memory – Read/Write Operations (Decoding)

• Comparing NAND memory to traditional hard drives
  • Read operation has (true) random access (faster)
    • Only true for NOR flash memory; NAND is still faster than original HDDs
  • Write operation is cell-based (think of bits)
  • Delete operation is also cell-based
  • Erase operation only on page level (think of sectors)
• Erasing and programming
  • Programming (i.e. writing) only possible on „clean“ (erased) cells
  • Cleaning (erasing) cells only possible on a „page“ basis
• Summary
  • Before writing any data, the cell has to be cleaned
  • Due to erase cycle limits, wear leveling comes into place

Slide 55 / 67: Flash Memory – Wear leveling (Decoding)

• Error management
  • Someone has to take care of good-to-bad sector allocation
  • Flash Translation Layer (FTL)
  • Wear levelling is proprietary
• And there may be more proprietary „features“ ☹
• More and more vendors use higher level „interfaces“ ☺

Figure (Flash Memory Storage System, FMSS): Operating System [processes → application → file system (Ext, HFS) → driver] → Device [FTL: address translation (logical sector# → physical sector#), garbage collection, error management → flash memory bank (memory chip)]

Slide 56 / 67: Filesystem Analysis (Decoding)

Figure: filesystems found on computers vs. mobiles
• Computers: FAT, NTFS, HFS, Ext3/4
• Mobiles: Motorola Proprietary, XSR, MCU, I855, P2K, YAFFS, JFFS2, SymbianFS, EFS2, QCP, DCT4, OSE, EXT4

(*) Fortunately the file system layout in modern smartphone OS is UNIXoid most of the time

Slide 57 / 67: Directories in Android (Decoding)

• Android follows Linux mounting
  • /dev/block/mtdblock? (YAFFS) (Memory Technology Devices)
  • /mnt/ (ext4)
• But what really interests us
  • /data/data (root privileges are required)
    • subdirectories per application with „user data“
    • SQLite databases
    • proprietary byte streams
• Other resources
  • /sdcard (old), /mnt/[0|1], /mnt/ext/SD
  • Better examined apart from the device (no root access required)
  • May be secured (obfuscation, encryption)

Slide 58 / 67: Sandbox directories in iOS (Decoding)

• Apps in iOS are sandboxed, i.e.
  • Every app resides in one directory
• Data storage is limited to the folders
  • Documents
    • Databases, Plists, Images, PDFs, …
  • Library
  • Tmp
    • e.g. web-cached data

Slide 59 / 67: Summary: Steps in Decoding (Decoding)

Figure: decoding chain from physical to logical
• Physical: NAND device → FTL → MBR, partition 1, partition 2 (partition boot record)
• Filesystem: file fragments scattered across the partition (sms.db parts A–C, pb.db parts A–J)
• Logical: reassembled files (sms.db, pb.db)
• Report: records extracted from the files (sms1 … sms4)

Slide 60 / 67: Content

1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
   • Different sources
     • txt, XML, Plists, SQLite, binary
   • Different formats
     • Timestamps, flags, etc.
6. Reporting the Results

Slide 61 / 67: Inhomogeneous Sources (Examination)

• Databases
  • SQLite3
    • Serverless, file-based database storage
    • Supported by various mobile core frameworks
    • Database connection software/driver needed
    • Sometimes hard to interpret / „join“ different tables
• Text files
  • XML
    • Dynamic tag-based description files
    • Common for configuration files
    • Hard to put into fixed-width tables (e.g. XLS)
  • PLists
    • Like XML files, common for Apple devices (type might be binary rather than text)
  • CSV
    • Not very common on devices themselves, but as an export source to be examined/processed after data extraction from the mobile phone
• Binary files
  • Mostly proprietary formats, sometimes pure byte streams
  • Have to be decoded prior to examination
  • Sometimes PLists are in binary format to decrease file size
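An added Python helper (not from the slides) for the source types above. Exports often arrive without a reliable extension and, as the slide notes, plists may be binary, so the loader identifies each blob by its signature (SQLite's "SQLite format 3\0", a binary plist's "bplist00", an XML declaration) before parsing it with the standard library; CSV is parsed with embedded line breaks handled. All inputs are constructed in memory; the SQLite table mimics a message table in shape only.

```python
"""Sniff and parse SQLite, XML, plist (XML or binary) and CSV blobs by signature.

Added example, not from the slides. All sample inputs are constructed.
"""
import csv
import io
import os
import plistlib
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"
BPLIST_MAGIC = b"bplist00"


def sniff(blob: bytes) -> str:
    """Classify by file signature, never by extension."""
    if blob.startswith(SQLITE_MAGIC):
        return "sqlite"
    if blob.startswith(BPLIST_MAGIC):
        return "bplist"
    head = blob.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "plist-xml" if b"<plist" in blob[:512] else "xml"
    return "text"


def load_sqlite(blob: bytes) -> dict:
    """Dump every table into a list of dict rows (SQLite needs a file, so spool to disk)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(blob)
        con = sqlite3.connect(path)
        try:
            con.row_factory = sqlite3.Row
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            return {t: [dict(r) for r in con.execute(f'SELECT * FROM "{t}"')] for t in tables}
        finally:
            con.close()
    finally:
        os.unlink(path)


def load(blob: bytes):
    """Return (kind, parsed) for the detected type."""
    kind = sniff(blob)
    if kind == "sqlite":
        return kind, load_sqlite(blob)
    if kind in ("bplist", "plist-xml"):
        return kind, plistlib.loads(blob)          # plistlib auto-detects XML vs binary
    if kind == "xml":
        root = ET.fromstring(blob)
        return kind, {child.tag: child.text for child in root}
    # CSV: the csv module keeps quoted fields intact even if they contain newlines
    return kind, list(csv.DictReader(io.StringIO(blob.decode("utf-8"))))


def make_samples() -> dict:
    """Constructed inputs: a one-table SQLite db, an XML and a binary plist, XML, CSV."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", [(1, "hello", 7), (2, "call me", 7)])
    con.commit()
    con.close()
    with open(path, "rb") as fh:
        sqlite_blob = fh.read()
    os.unlink(path)
    prefs = {"LastVisitedURL": "https://example.invalid/", "ZoomLevel": 1.5, "Enabled": True}
    return {
        "sqlite": sqlite_blob,
        "plist_xml": plistlib.dumps(prefs, fmt=plistlib.FMT_XML),
        "plist_bin": plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY),
        "xml": b'<?xml version="1.0"?>\n<settings><user>alice</user></settings>',
        "csv": b'id,text\n1,hello\n2,"line one\nline two"\n',
    }


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, "->", load(blob))
```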

Slide 62 / 67: Inhomogeneous Formats (Examination)

• Different time formats, e.g.
  • in seconds since 01.01.1970 00:00:00 UTC (Unix timestamp), very popular
  • in milliseconds since 01.01.1970 00:00:00 UTC
  • in microseconds since 01.01.1970 00:00:00 UTC (PRTime), e.g. Mozilla Firefox
  • in milliseconds since 01.01.1601 00:00:00 UTC (WebKit time), e.g. Google Chrome
  • in seconds since 01.01.2001 00:00:00 UTC (CFAbsoluteTime), typical for Apple
• Specific flags, e.g.
  • 0 = no / 1 = yes
  • odd = out / even = in (e.g. found in iOS sms.db)
• Software-specific types, e.g.
  • Mozilla Firefox (-> visit types, reference)
• Different formatting issues, e.g.
  • Line breaks (-> problem when exporting to/from CSV text files)
  • HTML tags (-> unpleasant to read)
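An added Python example (not from the slides) that normalizes the timestamp conventions listed above to aware UTC datetimes and decodes the sms.db direction flag. One caveat: Chrome's WebKit time as stored in its History database counts microseconds since 1601, not milliseconds, and the converter below uses microseconds. guess_epoch() classifies an unlabeled value by its magnitude, a heuristic that only holds for dates after about 2001 (an assumption stated in the code). Sample values are constructed; the sms.db-like record is a dictionary, not a real database row.

```python
"""Normalize timestamp epochs and decode the iOS sms.db direction flag.

Added example, not from the slides. Sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)    # CFAbsoluteTime


def from_unix_seconds(v) -> datetime:
    return UNIX_EPOCH + timedelta(seconds=v)


def from_unix_millis(v) -> datetime:
    return UNIX_EPOCH + timedelta(milliseconds=v)


def from_prtime(v) -> datetime:
    """Firefox PRTime: microseconds since 1970."""
    return UNIX_EPOCH + timedelta(microseconds=v)


def from_webkit(v) -> datetime:
    """Chrome: microseconds since 1601 (the slide says milliseconds; Chrome's History db uses microseconds)."""
    return WEBKIT_EPOCH + timedelta(microseconds=v)


def from_cfabsolute(v) -> datetime:
    """Apple CFAbsoluteTime: seconds since 2001."""
    return APPLE_EPOCH + timedelta(seconds=v)


CONVERTERS = {
    "cfabsolute": from_cfabsolute,
    "unix_s": from_unix_seconds,
    "unix_ms": from_unix_millis,
    "prtime": from_prtime,
    "webkit": from_webkit,
}


def guess_epoch(v: float) -> str:
    """Heuristic by magnitude. Assumption: the value encodes a date after ~2001,
    so the ranges below do not overlap; verify against context before trusting it."""
    if v < 1e9:
        return "cfabsolute"   # ~4e8 for 2014
    if v < 1e11:
        return "unix_s"       # ~1.4e9 for 2014
    if v < 1e14:
        return "unix_ms"      # ~1.4e12
    if v < 1.2e16:
        return "prtime"       # ~1.4e15
    return "webkit"           # ~1.3e16


def normalize(v):
    kind = guess_epoch(v)
    return kind, CONVERTERS[kind](v)


def sms_direction(flags: int) -> str:
    """iOS sms.db convention from the slide: odd flag value = outgoing, even = incoming."""
    return "out" if flags & 1 else "in"


def decode_record(rec: dict) -> dict:
    """Constructed sms.db-like row: {'date': <CFAbsoluteTime seconds>, 'flags': int, 'text': str}."""
    kind, when = normalize(rec["date"])
    return {"when": when.isoformat(), "epoch": kind,
            "direction": sms_direction(rec["flags"]), "text": rec["text"]}


if __name__ == "__main__":
    # 2014-04-21 22:58:55 UTC expressed in each convention (constructed values)
    for value in (419813935, 1398121135, 1398121135000, 1398121135000000, 13042594735000000):
        print(value, "->", normalize(value))
    print(decode_record({"date": 419813935, "flags": 3, "text": "(constructed)"}))
```

When a column's epoch is ambiguous, converting the same value under each candidate and checking which result falls inside the device's plausible usage window is the quickest sanity check.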

Slide 63 / 67: Content

1. Introduction
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
   • Technical vs. investigation presentation
   • Report management
   • Report viewer

Slide 64 / 67: Different Points of View (Reporting)

• Technical (preservation)
  • Do not alter data when extracting -> stay forensically sound
  • Leave data as it is to prevent processing errors
  • Pass everything to the investigator
  • Stay digital rather than printing on paper (>1500 pages)
• Investigation (demand)
  • Extract data, even if this means altering data
  • Process data to make it „readable“
  • Please only provide „hits“
  • „A report please!!!!“


65 / 67 2015 © A. Dhein

• Phone dump
  • Original data
  • Raw images (dd, bin, e01)

• Exported data
  • Exported data according to the data request

• Processed data
  • Report
  • CSV, Excel, pdf, html, XML, docx

• Final report
  • Summary
  • Where to find important data

Report Management (Reporting)

Input -> Processing -> Output

66 / 67 2015 © A. Dhein

• Present data e.g. on a terminal server or burned on optical media in a (stand-alone) dedicated application

• Investigator can refine data
  • Focus on specific artifacts (e.g. chats, log files, e-mails, etc.)
  • Focus on specific media (pictures, videos, audio memos)
  • Search with keywords (produce hits)
  • Filter with keywords (reduce data output)

• But: German law demands paper evidence
  • So: print a report / burn the report on CD

• Problems
  • Exported data too large to fit on CD/DVD…
  • Potential malware within the police network (concerning the viewer)

Report Viewer (Outlook) (Reporting)


67 / 67 2015 © A. Dhein

• Introduction
  • Many opportunities for mobile forensics when investigating crime, but also limits
  • Many different hardware models and operating systems

• Seizing mobile devices
  • Many possibilities to do things "wrong", e.g. not noting passcodes/SIM codes when seizing

• Acquisition of as much as possible
  • Many approaches to acquire evidence; problems choosing the right one, e.g. vendor-driven, logical, physical

• Decoding Flash Images
  • Many things you need to understand when doing mobile investigations, e.g. FTL decoding

• Examination of Source Data
  • Many different sources of evidence data to be found on mobile devices, e.g. SQLite, byte streams, pictures, music, videos, config files, etc. (see tomorrow ☺)

• Reporting the results
  • Different points of view (technical vs. investigation)

Summary: What we've learnt

Being part of the Justice League




70 / 67 2015 © A. Dhein

• Name at least
  • 3 different types of mobile evidence data
  • 5 problems / limitations of mobile forensics
  • 3 possibilities for preventing remote access to a mobile device

• Describe the different
  • types of device locks and how to handle them
  • types of memory and which information can be retrieved from them
  • acquisition methods and when they have to be used
  • physical acquisition methods and how they are accomplished

• Explain the difficulties
  • of wear-leveling when dealing with flash memory
  • when retrieving inhomogeneous data sources / formats
  • between the technical and the investigation point of view regarding mobile forensics

Questions to check your knowledge


71 / 67 2015 © A. Dhein

• Name at least
  • 3 different types of mobile evidence / data
  • 5 problems / limitations of forensics on mobile devices
  • 3 ways to prevent remote access to a mobile device

• Describe the different
  • types of device locks and how they are to be handled
  • types of memory and which data can be extracted from them
  • acquisition methods and when which one is to be applied
  • methods of physical acquisition and how they are carried out

• Explain the difficulties
  • of wear-leveling when dealing with flash memory
  • of extracting and processing inhomogeneous data sources / formats
  • between the technical and the investigative view regarding mobile forensics

Questions to check your knowledge