Open Source Mobile Device Forensics
Heather Mahalik
© 2014, Basis Technology · 2019-10-29

Device Acquisition
iOS Devices
• Zdziarski Methods
• Boot ROM Vulnerability Exploits
– Custom Ramdisk via SSH
– The iPhone Data Protection Tools
• iTunes
Android Devices
• viaLogical
• ADB Backup
• OSAF Toolkit
• Santoku
• DD
– Not supported for all devices
• JTAG/Chip-off

Considerations
• How old is the device?
• Is the device locked?
• Is the device damaged?
• Are you Law Enforcement?

Android Memory Capture
• LiME (Linux Memory Extractor) – First tool to support full memory captures of Android smartphones!
– TCP dump or saved to SD card
– Uses ADB

Analytical Tools…to Name a Few
iOS Devices
• iPhone Backup Analyzer
• iExplorer
• iBackupBot
• Scalpel
• SQLite Browser
• Plist Editor
• WhatsApp Extract
– Contacts.sqlite and ChatStorage.sqlite
• Manual examination
• Customized scripts
Android Devices
• Autopsy
– Android Module
• WhatsApp Extract
– wa.db and msgstore.db
• Scalpel
• SQLite Browser
• Hex Editor
• Anything capable of mounting EXT
• FTK Imager
• Customized scripts
• Manual examination

Reality Check!
• Commercial tools are expensive
– They still miss data
– They don’t parse third party applications completely
– They omit relevant databases when extracting data
– They don’t support all devices
• Open Source tools – See above!

Example – iOS Examination
/private/var/mobile/library/Spotlight/com.apple.mobilesms/
– smssearchindex.sqlite
• Provides SMS message data
– Active and deleted messages
– Should be compared to sms.db
– May show traces of attachments (metadata)
*Not commonly parsed by any tool!

Autopsy
• GUI built on The Sleuth Kit
• Next version (v3.1.1) will include Android module
• Customizable
• Complete analytical platform
• Android dumps can be loaded as normal disk images or file folders

Android Examination

Examining Contacts
• Parsed from Contacts2.db file – Raw_contacts and ABPerson

Examining the Raw Contacts (1)
Examining the Raw Contacts (2)

Parsing Messages and Chats
• Parses messages and chats from SMS, MMS and some third party applications

Encoding Built into Autopsy
• Encryption vs. Encoding
• Base64 decoder built into Autopsy Android module

Geolocation Support
• Google Maps, Browser, Cache and EXIF location parsing

Geolocation Reporting

Examining Multimedia Files
• EXIF Parser
• Graphics and Videos

Recovering Deleted SQLite Data
• Active files shown in viewer
• Deleted must be examined/recovered in Hex

Custom Scripts
• Mari DeGrazia’s SQLite Parser
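
The two preceding slides make the point that deleted rows are not shown by a viewer and have to be pulled out of the raw bytes, which is what a script such as Mari DeGrazia's SQLite Parser does. The Python below is an added example, not part of the deck and not that parser: it walks the b-tree pages of a SQLite file and carves printable strings from freeblocks and unallocated space (where SQLite leaves deleted cells until the space is reused), and it builds a constructed message table (an assumed layout, not a real sms.db) to show deleted rows coming back while live rows are not reported.

```python
"""Carve strings from SQLite freeblocks and unallocated space, where deleted rows linger."""
import os, re, sqlite3, struct, tempfile

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # runs of 6+ printable bytes
BTREE_TYPES = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # page type -> b-tree header size

def carve_sqlite(path):
    """Return [(page_no, region, text)] for strings found outside live cells."""
    with open(path, "rb") as f:
        data = f.read()
    assert data[:16] == b"SQLite format 3\x00", "not a SQLite 3 database"
    page_size = struct.unpack(">H", data[16:18])[0] or 65536
    hits = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0                  # page 1 carries the 100-byte file header
        ptype = page[hdr]
        if ptype not in BTREE_TYPES:                  # freelist/overflow page: scan it whole
            regions = [("page", page)]
        else:
            first_free, n_cells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
            ptr_end = hdr + BTREE_TYPES[ptype] + 2 * n_cells
            regions = [("unallocated", page[ptr_end:content or 65536])]
            nxt, seen = first_free, set()
            while nxt and nxt not in seen:            # walk the freeblock chain
                seen.add(nxt)
                fb_next, fb_size = struct.unpack(">HH", page[nxt:nxt + 4])
                regions.append(("freeblock", page[nxt + 4:nxt + fb_size]))
                nxt = fb_next
        for name, blob in regions:
            hits += [(pno, name, m.group().decode()) for m in ASCII_RUN.finditer(blob)]
    return hits

def build_demo_db(path):
    """Constructed sample: five SMS-like rows, two of them deleted (not a real sms.db)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")         # some distro builds default this ON
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO message (address, body) VALUES (?, ?)", [
        ("+15550100", "active alpha message"), ("+15550101", "gone but not erased"),
        ("+15550102", "active bravo message"), ("+15550103", "second deleted text"),
        ("+15550104", "active charlie message")])
    con.execute("DELETE FROM message WHERE id IN (2, 4)")
    con.commit(); con.close()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_demo_db(path)
    return [text for _, _, text in carve_sqlite(path)]
```

The carved fragments start a few bytes into the old record (the freeblock header overwrites the first four bytes of the cell), so match on substrings rather than whole values. A database written with secure_delete on, or vacuumed, yields nothing here, which is itself worth noting in the report.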

References, Sources and Suggested Reading
• http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
• www.az4n6.blogspot.com
• https://viaforensics.com/blog/
• http://www.sleuthkit.org/
• Practical Mobile Forensics – Bommisetty, Mahalik, Tamma
• www.smarterforensics.com
• https://code.google.com/p/lime-forensics/

Questions
Heather Mahalik, Basis Technology
www.basistech.com
[email protected]
Twitter: @heathermahalik