Smarter Forensics | It's time to get smarter! - Phoning it in
TRANSCRIPT
Phoning it in: Heather talks about Smartphone Forensics
Heather Mahalik, Copyright @2018 Heather Mahalik, All Rights Reserved
About me…
• Director, Forensic Eng. at ManTech CARD
• SANS Senior Instructor
• Involved with InfoSec/Forensics for 16 years
• Co-author of FOR585
• Instructor of FOR585 and FOR500
• Co-Author of Practical Mobile Forensics (1st and 2nd Editions)
• Mom and a wife
• Dog, horse, wine and bourbon lover :)
What's happening in smartphone security
• Full disk encryption readily available
  – More people are using it
  – Some devices require it & others don't ask
  – Hurts acquisition?
• Application security
  – How secure is it?
• Tools are failing us
• Cloud is stealing all the good stuff!!!
What does this mean?
• The state of every mobile device may vary
• You need to be prepared for all situations
• You will need more than one tool
• You will need the skills to manually carve for forensic artifacts
• You may be 100% blocked from the data
What should you do about it
• Consider the issue
  – Encryption, locks, lack of parsing support…
• Consider tools available to you
  – Commercial, open source and scripts
• Determine an action plan
• Make sure your actions do not destroy your evidence!!!
Acquisition
Application "Protection"
Encoding Schemes
• ASCII
• Unicode
• UTF-8
• Base64
Encryption Algorithms
• AES
• Blowfish
• Twofish
• Serpent
Transforming/converting data into code
Example: CyberDust (1)
• Older versions claim to remove all user data upon transmission/receipt
  – Never trust claims or your tool
  – Review App files for user activity
Example: CyberDust (2)
• Messages are encoded twice using Base64
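The CyberDust slide is a case of encoding rather than encryption, which is the distinction the "Application Protection" slide draws. The following is an added example, not code from the presentation or from any forensic tool: a small Python checker that peels nested Base64 layers off a stored message body, stops as soon as a layer yields a binary payload, and reports byte entropy so that an encoded string is not mistaken for ciphertext (or vice versa). All sample values are constructed for the example, and the MIN_B64_LEN threshold is a heuristic assumption, not a rule from the slides.

```python
import base64
import binascii
import math
import re
import string
from typing import Dict, Tuple

# Constructed sample values (not data from any real app database).
PLAINTEXT = "meet at 7pm, bring the files"
# A message body stored after two rounds of Base64, as described on the slide.
DOUBLE_B64 = base64.b64encode(base64.b64encode(PLAINTEXT.encode("utf-8")))
# Constructed stand-in for a ciphertext blob: invalid UTF-8 bytes, NOT real AES output.
OPAQUE_BLOB = bytes(range(0x80, 0xA0)) + bytes(range(0xC0, 0xE0))
# Ciphertext that an app wrapped in one Base64 layer before storing it.
B64_WRAPPED_OPAQUE = base64.b64encode(OPAQUE_BLOB)

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MIN_B64_LEN = 12  # heuristic assumption: shorter candidates are too often ordinary words


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to the maximum for encrypted/compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((data.count(b) / n) * math.log2(data.count(b) / n) for b in set(data))


def is_printable_text(data: bytes) -> bool:
    """True when the bytes decode as UTF-8 and contain only printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)


def looks_like_base64(data: bytes) -> bool:
    """Alphabet, padding and length checks for a Base64 candidate."""
    return len(data) >= MIN_B64_LEN and len(data) % 4 == 0 and B64_RE.match(data) is not None


def peel_base64(blob: bytes, max_layers: int = 5) -> Tuple[int, bytes]:
    """Decode Base64 repeatedly; return (layers removed, innermost payload).

    Decoding stops when the result is no longer Base64, or when it is binary,
    which is the point where encoding ends and an encrypted/compressed payload begins.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True)
        except binascii.Error:
            break
        layers += 1
        current = decoded
        if not is_printable_text(current):
            break  # binary payload reached: nothing further to decode as text
    return layers, current


def classify_blob(blob: bytes) -> Dict[str, object]:
    """Summarise a stored value: how many Base64 layers hid it and what is underneath."""
    layers, payload = peel_base64(blob)
    printable = is_printable_text(payload)
    return {
        "base64_layers": layers,
        "kind": "text" if printable else "opaque",  # opaque = candidate for real encryption
        "entropy": round(shannon_entropy(payload), 2),
        "payload": payload.decode("utf-8") if printable else payload,
    }


if __name__ == "__main__":
    for label, sample in [("double base64", DOUBLE_B64), ("plain", PLAINTEXT.encode()),
                          ("b64 over opaque", B64_WRAPPED_OPAQUE), ("opaque", OPAQUE_BLOB)]:
        print(label, classify_blob(sample))
```

Run over the values pulled from an app's message table, the checker separates three situations the tools often blur together: readable text hidden behind one or more encoding layers (recoverable by the examiner), a Base64 wrapper around a genuinely opaque payload (encoded ciphertext, still not readable), and raw binary with near-maximal entropy. A short alphanumeric word can pass the Base64 alphabet check by accident, which is why the length floor and the printability stop are there.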
Example: Telegram (1)
Example: Telegram (2)
Will your tool catch you when you fall?
• Will you be able to defend the evidence?
• Can you find the data?
• What if the tools contradict one another?
• Understand the artifacts
• Don't know just enough to be dangerous
Why the tools fail…
• There is so much data
• Too many applications
• OS updates
• Knowing where to find this information is the hardest part
• Knowing how the artifact was created is key!
Example: Call Logs (1)
Magnet IEF/AXIOM
UFED Physical Analyzer
Call Logs:
• Library/CallHistory/call_history.db
• Library/CallHistory/callhistory.storedata (iOS 8, 9 & 10)
Example: Call Logs (2)
Call logs
iOS 7
iOS 8-11
Wait… my phone was where?
• Social media geo-tagging
  – Facebook
  – Google+
  – Twitter
  – Etc.
• Consider what traces are left behind when the user "checks-in" and tags a location
But it was really here?
• Digging deeper into the apps
  – What are they really doing?
The Clouds have opened…
• Many tools support cloud extraction
• Know what each is good at and select accordingly
• Multiple pulls may force the user to reset their passcode for iCloud
Cloud Extraction Techniques
Elcomsoft Cloud eXplorer
• The user will receive a notification stating that a new device signed into their Google account
**This is not recommended if you are conducting covert operations, as you have to assume the user will know you were there!
Warning: The User Will Be Alerted!
Elcomsoft Cloud eXplorer – NOT just for Android
Google Cloud Artifacts
Accessing iCloud Data (1)
Accessing iCloud Backup Data (2)
Reality: Apple Maps
Don't fear the unknown
• Create your own test data
  – I wish we could do it all for you, but I run out of time
• Keep digging when the results don't make sense
• Take training to learn the proper methods
About 585…
• Course launched in 2014
• GASF Cert – Vendor neutral, available to everyone
• Co-authored by Heather Mahalik, Lee Crognale and Cindy Murphy
• Addresses the hardest to tackle topics (Encryption, Parsing, Query drafting, decompiling malware, etc.)
• Covers iOS, Android, 3rd Party Apps, Malware, BlackBerry 10, Windows Phone and more
• Includes 19 hands-on labs + 1 capstone challenge of current smart devices (bonus take home case + 6 bonus labs)
• Is vendor NEUTRAL – We teach you the best methods, not how to use commercial tools
References, Sources and Suggested Reading
• https://github.com/hmahalik
• FOR585 Advanced Smartphone Forensics
• https://github.com/threeplanetssoftware/sqlite_miner
• mac4n6.com/blog
• smarterforensics.com/blog
  – First the Grinch Now the Easter Bunny
  – How the Grinch Stole Apple Maps
  – Smartphone Acquisition: Adapt, Adjust and Get Smarter!
FOR585 Advanced Smartphone Forensics Course Available At: FOR585.com/course
July: SANSFIRE, DC – Heather – SOLD OUT – SIMULCAST!
August: NYC
Sept: Las Vegas - SIMULCAST Available
Oct: Denver, CO
Nov: Miami, Austin & Stockholm
Dec: DC & Saudi Arabia - SIMULCAST Available
OnDemand ANYTIME!
QUESTIONS?
[email protected] @HeatherMahalik Blog: for585.com/blog