-
2014, Basis Technology 1
Open Source Mobile Device Forensics
Heather Mahalik

Device Acquisition
iOS Devices:
  Zdziarski Methods
  Boot ROM Vulnerability Exploits
  Custom Ramdisk via SSH
  The iPhone Data Protection Tools
  iTunes
Android Devices:
  Logical via ADB Backup
  OSAF Toolkit
  Santoku
  DD (not supported for all devices)
  JTAG/Chip-off

Considerations
How old is the device?
Is the device locked?
Is the device damaged?
Are you Law Enforcement?

Android Memory Capture
LiME (Linux Memory Extractor)
First tool to support full memory captures of Android smartphones!
TCP dump or saved to SD card
Uses ADB

Analytical Tools, to Name a Few
iOS Devices:
  iPhone Backup Analyzer
  iExplorer
  iBackupBot
  Scalpel
  SQLite Browser
  Plist Editor
  WhatsApp Extract (Contacts.sqlite and ChatStorage.sqlite)
  Manual examination
  Customized scripts
Android Devices:
  Autopsy Android Module
  WhatsApp Extract (wa.db and msgstore.db)
  Scalpel
  SQLite Browser
  Hex Editor
  Anything capable of mounting EXT
  FTK Imager
  Customized scripts
  Manual examination

Reality Check!
Commercial tools:
  They are expensive
  They still miss data
  They don't parse third party applications completely
  They omit relevant databases when extracting data
  They don't support all devices
Open Source tools: see above!

Example iOS Examination
/private/var/mobile/library/Spotlight/com.apple.mobilesms/smssearchindex.sqlite
Provides SMS message data
Active and deleted messages
Should be compared to sms.db
May show traces of attachments (metadata)
*Not commonly parsed by any tool!

Autopsy
GUI built on The Sleuth Kit
Next version (v3.1.1) will include Android module
Customizable
Complete analytical platform
Android dumps can be loaded as normal disk images or file folders

Android Examination

Examining Contacts
Parsed from Contacts2.db file
Raw_contacts and ABPerson

Examining the Raw Contacts (1)

Examining the Raw Contacts (2)

Parsing Messages and Chats
Parses messages and chats from SMS, MMS and some third party applications

Encoding Built into Autopsy
Encryption vs. Encoding
Base64 decoder built into Autopsy Android module

Geolocation Support
Google Maps, Browser, Cache and EXIF location parsing

Geolocation Reporting

Examining Multimedia Files
EXIF Parser
Graphics and Videos

Recovering Deleted SQLite Data
Active files shown in viewer
Deleted must be examined/recovered in Hex

Custom Scripts
Mari DeGrazia's SQLite Parser
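The two slides above say deleted SQLite rows must be recovered from the hex rather than the viewer. As an added example (not from the deck and not Mari DeGrazia's parser), the Python below walks the SQLite page structure and carves printable strings from the freeblock chain and unallocated gap of each table leaf page, where deleted cells linger; it builds a constructed sample database and assumes rollback-journal mode with secure_delete off.

```python
import os
import re
import sqlite3
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs of 4+ bytes


def carve_deleted_strings(db_path):
    """Carve printable strings from space no live record references on each
    table b-tree leaf page: the freeblock chain and the unallocated gap."""
    with open(db_path, "rb") as f:
        data = f.read()
    page_size = int.from_bytes(data[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size  # value 1 encodes 65536
    found = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0  # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:         # 0x0D = table b-tree leaf page
            continue
        first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
        ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
        content = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
        # unallocated gap sits between the cell pointer array and the cell content area
        regions = [(hdr + 8 + 2 * ncells, content)]
        off = first_free  # each freeblock: 2-byte next pointer, 2-byte size, then old cell bytes
        while off:
            nxt = int.from_bytes(page[off:off + 2], "big")
            size = int.from_bytes(page[off + 2:off + 4], "big")
            regions.append((off + 4, off + size))
            off = nxt
        for start, end in regions:
            for m in PRINTABLE.finditer(page[start:end]):
                found.append((pno, start + m.start(), m.group().decode("ascii")))
    return found


def demo(workdir=None):
    """Constructed messages db: delete one row, compare live query with carving."""
    db = os.path.join(workdir or tempfile.mkdtemp(), "msgstore_demo.db")  # constructed, not a real app db
    conn = sqlite3.connect(db)
    conn.execute("PRAGMA secure_delete=OFF")  # explicit: some builds default to ON and zero freed cells
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages(body) VALUES (?)",
                     [("first message kept",), ("meet at the old pier tonight",), ("third message kept",)])
    conn.execute("DELETE FROM messages WHERE id = 2")
    conn.commit()
    live = [row[0] for row in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    carved = [text for _, _, text in carve_deleted_strings(db)]
    return live, carved
```

Databases in WAL mode (common on Android) keep recent changes in the -wal file, which this scan does not read; freelist and overflow pages are not walked either, so a hex editor or a dedicated parser is still needed for those.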

References, Sources and Suggested Reading
http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
www.az4n6.blogspot.com
https://viaforensics.com/blog/
http://www.sleuthkit.org/
Practical Mobile Forensics, Bommisetty, Mahalik, Tamma
www.smarterforensics.com
https://code.google.com/p/lime-forensics/

Questions
Heather Mahalik, Basis Technology
www.basistech.com
[email protected]
Twitter: @heathermahalik