Android Forensics: The Hard Work
By Luiz Vieira, @HackProofing

Architecture
Android SDK
• Development
• Libraries, APIs, emulator, documentation, etc.
• Used during the investigation process
• Available for the 3 major operating systems

Android Virtual Device
Device Identification
• Which data do I need to check?
• Which information should be analysed?
• Which characteristics are important?
• Which tools will be needed?
• Any special hardware?

Access Password
Types of Memory
• RAM
  – Passwords
  – Encryption keys
  – Usernames
  – App data
  – Data from system processes and services
• NAND
  – File system

Forensic Techniques
• Identification
• Removable media (SD card)
• Logical acquisition
• Physical acquisition
• Chip-off
Exact Image

Image Acquisition Tools
• FTK Imager
• dd
• Note:
  – SD card = FAT32 (sdcard.img)
  – Other device partitions: YAFFS2 (cache.img and userdata-qemu.img)
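Added example (not part of Luiz Vieira's deck): hashing an acquired image for the chain of custody and telling a FAT32 SD card image apart from the YAFFS2 partitions in Python. The FAT32 boot sector is constructed inline to stand in for the first 512 bytes of sdcard.img; cache.img and userdata-qemu.img carry no boot-sector signature and come back as unknown.

```python
import hashlib
import struct

def build_fat32_boot_sector() -> bytes:
    """Constructed sample: first 512 bytes of an sdcard.img-style FAT32 image."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x58\x90"                 # x86 jump over the BPB
    sector[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<H", sector, 11, 512)       # bytes per sector
    sector[13] = 8                                # sectors per cluster
    struct.pack_into("<H", sector, 14, 32)        # reserved sectors
    sector[16] = 2                                # number of FATs
    struct.pack_into("<I", sector, 32, 4194304)   # total sectors (2 GiB volume)
    struct.pack_into("<I", sector, 36, 4096)      # sectors per FAT
    sector[82:90] = b"FAT32   "                   # file-system type string
    sector[510:512] = b"\x55\xAA"                 # boot-sector signature
    return bytes(sector)

def identify_image(data: bytes) -> dict:
    """Hash an acquired image for the chain of custody and classify it.

    FAT32 is recognised from its boot sector; YAFFS2 partitions have no such
    signature and are reported as 'unknown'.
    """
    info = {"sha256": hashlib.sha256(data).hexdigest(), "fs": "unknown"}
    if len(data) < 512 or data[510:512] != b"\x55\xAA":
        return info
    bytes_per_sector = struct.unpack_from("<H", data, 11)[0]
    # FAT32 volumes set the 16-bit total at offset 19 to 0 and use offset 32.
    total_sectors = (struct.unpack_from("<H", data, 19)[0]
                     or struct.unpack_from("<I", data, 32)[0])
    fs_type = data[82:90].decode("ascii", "replace").strip()
    if fs_type == "FAT32" and bytes_per_sector in (512, 1024, 2048, 4096):
        info.update(
            fs="FAT32",
            bytes_per_sector=bytes_per_sector,
            sectors_per_cluster=data[13],
            total_sectors=total_sectors,
            volume_size=bytes_per_sector * total_sectors,
        )
    return info

def verify_exact_image(data: bytes, recorded_sha256: str) -> bool:
    """Confirm a working copy still matches the hash recorded at acquisition."""
    return hashlib.sha256(data).hexdigest() == recorded_sha256.lower()
```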
Access as ROOT
• Using ADB – Android Debug Bridge
• Gives root access to a shell on the device
• Gives access to the *.img files
Information of Interest
Location                                         Data
/data/data/com.google.android.location/          Geolocation cache
/data/data/com.google.android.providers.gmail/   Gmail
/data/data/com.android.providers.browser/        Browser data
/data/data/com.android.providers.downloads/      Downloads
/data/data/com.android.providers.telephony/      SMS
/data/data/com.android.providers.calendar/       Calendar
/data/data/com.android.providers.contacts/       Contacts
Logical Acquisition
• Access as ROOT
• USB mode active
• We run the risk of altering the evidence
http://code.google.com/p/android-forensics/
Physical Acquisition
• Live forensics
• Dump of physical memory (RAM)
• In the order of volatility, this must be the first action
• Tools:
  – Memfetch → dumps specific regions of memory
  – DMD → module that dumps physical memory, including sending it over TCP
DMD
• Installing and configuring DMD:
  $ adb push dmd-evo.ko /sdcard/dmd.ko
  $ adb forward tcp:4444 tcp:4444
  $ adb shell
  $ su
  #
• Acquisition:
  – On the device: # insmod /sdcard/dmd.ko path=tcp:4444
  – On a host: $ nc localhost 4444 > ram.dump
• Analysis:
  – Volatility and its plugins
Other Tools
• Data carving → Scalpel
• String extraction → strings
• File structure analysis → hex editor
• Database analysis → SQLite
• FAT32 filesystem timeline → The Sleuth Kit
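Added example (not from the deck): turning a copied telephony-provider database into a UTC timeline with Python's sqlite3. The schema is a reduced stand-in for the provider's sms table (address, date in milliseconds since the epoch, type 1 = inbox, 2 = sent, body) and the rows are constructed; the read-only URI open is how a copied database is examined without risking changes to the evidence.

```python
import sqlite3
from datetime import datetime, timezone

# Android's telephony provider stores message dates as milliseconds since
# the Unix epoch; message type 1 = inbox (received), 2 = sent.
SMS_TYPE = {1: "received", 2: "sent"}

def open_evidence_db(path: str) -> sqlite3.Connection:
    """Open a copied provider database read-only so analysis cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def sms_timeline(conn: sqlite3.Connection) -> list:
    """Return SMS rows as chronologically ordered timeline entries (UTC)."""
    rows = conn.execute(
        "SELECT address, date, type, body FROM sms ORDER BY date ASC"
    ).fetchall()
    timeline = []
    for address, date_ms, msg_type, body in rows:
        ts = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        timeline.append({
            "utc": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "direction": SMS_TYPE.get(msg_type, f"type {msg_type}"),
            "address": address,
            "body": body,
        })
    return timeline

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for mmssms.db, reduced to the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    # Inserted out of time order on purpose: the timeline must sort by date.
    conn.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        [
            ("+5521000000001", 1335000600000, 1, "constructed received message"),
            ("+5521000000002", 1335000000000, 2, "constructed sent message"),
        ],
    )
    return conn
```

Against a real copy, replace build_sample_db() with open_evidence_db("/path/to/copied/mmssms.db") and pass the connection to sms_timeline().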
Questions

Contacts
Luiz Vieira
http://hackproofing.blogspot.com
http://[email protected]
[email protected]@owasp.org