DEFTCON 2012 - Alessandro Rossetti - Android Forensics
![Page 1: DEFTCON 2012 - Alessandro Rossetti - Android Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052321/5538f4c8550346f02f8b490f/html5/thumbnails/1.jpg)
Page 2: Topics
• Android?
• Android Forensics
• Practical case
Page 3: Android?
Page 4: Android
Operating system for mobile devices
www.android.com
Linux kernel (monolithic)
2005 - Development begins
2008 - Initial release 1.0
12/2011 - Final release 4.03
Licence: Apache 2.0
Source: FOSS
Page 5
Exponential spread
Update management
http://tinyurl.com/androidworm
Tailored attacks
Page 6: Classic structure
Page 7: Main versions
v2.2.x Froyo
v2.3.x Gingerbread
v3.x Honeycomb
v4.x Ice Cream Sandwich
Page 8: Filesystems
YAFFS2 (2.2 Froyo)
EXT4 (2.3 Gingerbread)
Various others, e.g. RFS
Page 9: Applications
Pre-installed apps: /system/app
Downloaded apps: /data/app
Application data: /data/data, MicroSD
System DBs: /data/database
Page 10: Android Forensics
Page 11: Once upon a time …
Page 13: AFLogical - logical acquisition
42 different types of data, in a few minutes
AndroidForensics.apk
Page 14: Physical acquisition
Root rights
su
mount
Detect the number of partitions
dd if=partition of=/mnt/sdcard/filename.img
+ NB - EMPTY!!!
Page 15: Example
Page 16: Samsung Galaxy S i9000
Acquisition onto a new MicroSD
ODIN + CF-Root
Installation of an SSH daemon
Virtual keyboard
dd
"Standard" MicroSD acquisition
Hash of the dd MicroSD images with
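The physical-acquisition steps from the "Physical acquisition" slide and the Galaxy S case (root shell, dd of each partition onto a freshly wiped MicroSD, hash of every image) written out as a runnable shell example. This is an added example, not code from the slides or from the DEFT project. Its assumptions, none of which the slides state, are that partitions are enumerated from /proc/partitions, that block devices live under /dev/block/<name>, that the empty MicroSD is mounted under /mnt/sdcard, and that awk and sha256sum exist on the device (the slide only says "hash"; on a device without sha256sum the same functions work with md5sum, at the cost of a weaker hash).

```shell
#!/bin/sh
# Added example (not from the DEFTCON 2012 slides): image every partition with dd
# onto a wiped MicroSD and record a hash beside each image.
# Assumptions: /proc/partitions lists the devices, /dev/block/<name> exists,
# /mnt/sdcard is the wiped MicroSD, awk and sha256sum are on the device.

# Print the block device names from a /proc/partitions-style file, one per line.
# The header line and the blank line below it are skipped, as are RAM and loop
# devices. Whole devices (mmcblk0) are kept alongside their partitions
# (mmcblk0p1, ...), since a whole-device image is the most complete capture.
# $1 = file to read; defaults to /proc/partitions, so a constructed copy can be
# passed in for testing.
list_partitions() {
    awk 'NR > 2 && $4 != "" && $4 !~ /^(ram|loop)/ { print $4 }' "${1:-/proc/partitions}"
}

# Image one device with dd and store its SHA-256 next to the image.
# $1 = source device, $2 = output directory (must exist). Returns 0 on success.
# conv=noerror,sync keeps going past unreadable blocks and zero-pads them, so
# offsets in the image stay aligned with offsets on the device.
image_partition() {
    src=$1
    outdir=$2
    img="$outdir/$(basename "$src").img"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$img" | awk '{ print $1 }' > "$img.sha256" || return 1
    return 0
}

# Integrity check at analysis time: recompute the hash of an image and compare
# it with the value stored at acquisition. Prints OK or MISMATCH, returns 0 or 1.
verify_image() {
    img=$1
    stored=$(cat "$img.sha256")
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    if [ "$stored" = "$actual" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    return 1
}

# Acquire every listed device into $1 (a directory on the wiped MicroSD).
# Run from a root shell (su) on the device; a failed device is reported and
# the loop continues with the next one.
acquire_all() {
    outdir=$1
    mkdir -p "$outdir"
    for p in $(list_partitions); do
        image_partition "/dev/block/$p" "$outdir" || echo "failed: $p" >&2
    done
}
```

On the device, after su, run `acquire_all /mnt/sdcard/acq` with the empty MicroSD mounted there; on the analysis workstation, `verify_image /path/to/mmcblk0p1.img` confirms the copy still matches the hash taken at acquisition before any carving or timeline work starts.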
Page 17: Samsung Galaxy S i9000
Classic analyses
Carving
Timeline
Databases
Photos/videos
Specific analyses
Anti-forensics?
Correlating information
Third-party applications?
Page 18: Further reading
Page 19: Deft?
Page 20: Thank you for your attention!
Sandro Rossetti