viaforensics-nadn chip forensics.pdf
TRANSCRIPT
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
1/13
David Weinstein
Senior Securi ty Engineer
viaForensics
T: +1 312-878-1100, M: 202-579-9267
Cyber Security Division
2012 Principal Investigators Meeting
10/10/2012
NAND/NOR Chip Forensics
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
2/13
viaForensics Overview
2
Digital securi ty and forensics, focus on mobile
viaExtractTM
forensic software liveForensicsSMcontinuous monitoring
Advanced forensics training and services
appSecureSMmobile security audits
Santoku Linux distro for mobile security andforensics analysis
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
3/13
Challenges
3
Significant data on mobile devices, hard togain access
Screen locks, passwords, encryption
Authentication (admissibility) of forensicimages
Meaningful reporting on diverse data sets
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
4/13
NAND Flash Memory
4
High potential for data recovery,
but difficult to image
No tool to create forensicallysound image (admissibility)
We created on-the-fly hashing
for image verification
Once data acquired, must reverse
engineer and then analyze
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
5/13
Android Fragmentation
5
Google 10/03/2011
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
6/13
6
Phase I
Develop forensically
sound flash write-blocker
On-the-fly hashing ofNAND dumps
Temporary rooting ofdevices
Phase II
Incorporate into
viaExtract product Support additional
devices (iOS, Windows)
Catalogue techniques
Mobile forensics training Push-button forensics
Solutions
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
7/13
Forensic Boot Image
Start early in the boot chain before
the system loads
Provide ADB root shell over USB
which can be used to image the
device
Do not mount anything, including
cache, to prevent any writes to
partitions
Devices with raw NAND flash and
wear leveling implemented in
software (YAFFS2) can be
prevented from overwriting deleted
data7
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
8/13
Cracking Encryption
8
Parse footer
Locate Salt and Encrypted Master
Key
Run a password guess throughPBKDF2 with salt, use resulting keyand IV to decrypt master key, useresulting master key to decrypt firstsector of encrypted image.
If password is correct, plain text willbe revealed
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
9/13
9
Cracking PINs takes seconds. Passwordsare usually short or follow patterns due tobeing the same as the lock screen
password
Cracking Encryption
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
10/13
Support More Devices
Increase number of
supported Android devices
Add support for iOS logical
and physical acquisitions
Add support for Windows
Phone, provided they can
reverse downward trend
10
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
11/13
Training and Automation
11
You are here
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
12/13
Santoku Linux
12
Free and open bootable Linux
distribution full of tools
Mobile Forensics Mobile App Security Testing
Mobile Malware Analysis
Project is a collaboration with other
mobile security and forensic pros
-
8/9/2019 Viaforensics-NADN Chip Forensics.pdf
13/13
Advanced Analytics
13
Must go beyond simple presentation of logical data
Canonicalization and provenance
Visualizations
Web 2.0 reporting interface
Export to standard formats for verification (DFXML) and additionalanalysis