Post on 08-Jun-2015
Mobile/Smart Phone Forensic
Watcharaphon Wongaphai, Senior Information Security Instructor
GIAC GCFA, SSCP, E|CSA, C|EH, CNE6, Security+, Network+, CCNA
Prathan Phongthiproek, Section Manager, Senior Information Security Consultant
GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F
ACIS Professional Center
Outline
1) Introduction to Mobile Forensics
2) Forensic Analysis of iPhone
- Jailbroken
- iTunes backup files
Forensic Soundness
• What did it mean for disk forensics? Does it mean the same thing here?
• Mobile devices are volatile, by nature
– The real-time clock changes memory contents all the time
– Acquiring SMS messages may change their status to “Read”
– Some tools run code on the device itself
• Our goal is to change as little as possible
– For example, disable automatic sync when using BlackBerry Desktop Manager, and disable conversion to local time in ABC Amber Converter
Evidence Take-In and Chain of Custody
• Document the scene
– Handle with care, and gloves
– For the Chain of Custody form, find the serial number
– Don’t forget MicroSD cards
– Photograph the device where it is found
– Document what is showing on the screen, if anything
– Power concerns
– Take cables and documentation
Blocking Network Connectivity
• Disable the radio
– How can you be sure it’s disabled?
• Faraday isolation
– Not all products are created equal
– Usually causes the battery to be depleted more quickly
• Use a “safe” SIM card
• Remember, you want to turn off the phone’s connectivity to the service provider, as well as Wi-Fi and Bluetooth connectivity
• Exercise: Disable network connectivity on your own phone.
• What
– Phone call database
– E-mail and memos
– SMS/MMS
– Internet and LAN access
– Visited URLs and saved pages
• Where
– Location information
• Who
– Owner details and user accounts
– Contacts and cohorts
– Personalizations (wallpaper, ringtones)
• When
– Calendar items
– File system metadata
– Timestamps may not be immediately visible
Messaging
• Short message service (SMS)
• Multimedia message service (MMS)
• Instant messaging
• BlackBerry
– PIN messages
– BlackBerry IM
Internet Activities
• Downloaded images and web pages
• Email
• Visited URLs
• History log
• Browser cache
Location Tracking
• Location-based applications
– Loopt
– Google Latitude
– Yahoo! Fire Eagle
– Citysense
– LifeBlog
– Facebook (Friends on Fire)
– Foursquare
– Twitter
GPS Embedded in Photos
• GPS coordinates embedded in Exif
• The same Exif we talked about for disk forensics
• This is often added automatically if the phone is GPS aware.
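The slide only names the artifact, so here is an added example (not from the deck) of how the GPS data is actually laid out and recovered: an Exif block is an APP1 segment carrying a small TIFF structure, IFD0 points to a GPS IFD via tag 0x8825, and the GPS IFD holds latitude/longitude as three RATIONALs (degrees, minutes, seconds) plus an N/S or E/W reference. The JPEG below is constructed in code with nothing but that GPS block (no pixel data), so the parser can be run offline; the coordinates in it are made up and not from any case.

```python
import struct

GPS_IFD_POINTER = 0x8825                 # Exif IFD0 tag pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS IFD tags 0x0001-0x0004
ASCII, LONG, RATIONAL = 2, 4, 5          # TIFF field types used here


def _pack_rationals(values, e):
    """Pack (numerator, denominator) pairs as TIFF RATIONALs."""
    return b"".join(struct.pack(e + "II", n, d) for n, d in values)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, one APP1/Exif segment whose IFD0 holds only
    the GPS IFD pointer, then EOI. lat_dms/lon_dms are (num, den) pairs for D, M, S."""
    e = "<"                                # little-endian TIFF ("II")
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4        # IFD0 has a single 12-byte entry
    data_off = gps_off + 2 + 4 * 12 + 4    # GPS IFD has four entries
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1)
    tiff += struct.pack(e + "HHII", GPS_IFD_POINTER, LONG, 1, gps_off) + struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", LAT_REF, ASCII, 2) + lat_ref.encode("ascii").ljust(4, b"\0")
    tiff += struct.pack(e + "HHII", LAT, RATIONAL, 3, data_off)
    tiff += struct.pack(e + "HHI", LON_REF, ASCII, 2) + lon_ref.encode("ascii").ljust(4, b"\0")
    tiff += struct.pack(e + "HHII", LON, RATIONAL, 3, data_off + 24)
    tiff += struct.pack(e + "I", 0)        # no next IFD
    tiff += _pack_rationals(lat_dms, e) + _pack_rationals(lon_dms, e)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif_tiff(jpeg):
    """Walk JPEG marker segments; return the TIFF payload of the APP1 Exif segment or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):         # EOI or start of scan: no Exif ahead
            break
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        entries[tag] = (typ, count, tiff[pos + 8:pos + 12])
    return entries


def _ascii_value(tiff, entry, e):
    typ, count, raw = entry
    if count > 4:                          # longer strings live at an offset
        (off,) = struct.unpack_from(e + "I", raw)
        raw = tiff[off:off + count]
    return raw[:count].rstrip(b"\0").decode("ascii")


def _rational_values(tiff, entry, e):
    typ, count, raw = entry
    (off,) = struct.unpack_from(e + "I", raw)  # 8-byte RATIONALs never fit inline
    pairs = [struct.unpack_from(e + "II", tiff, off + 8 * i) for i in range(count)]
    return [n / d if d else 0.0 for n, d in pairs]


def dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the photo has none."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(e + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, e)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = dms_to_decimal(_rational_values(tiff, gps[LAT], e), _ascii_value(tiff, gps[LAT_REF], e))
    lon = dms_to_decimal(_rational_values(tiff, gps[LON], e), _ascii_value(tiff, gps[LON_REF], e))
    return lat, lon


# Constructed sample: 13°45'36" N, 100°30'00" E (13.76, 100.5); not a real case photo.
SAMPLE_JPEG = build_sample_jpeg([(13, 1), (45, 1), (36, 1)], "N", [(100, 1), (30, 1), (0, 1)], "E")

if __name__ == "__main__":
    print("GPS in sample photo:", extract_gps(SAMPLE_JPEG))
```

A real camera file has many more IFD0 entries and the image data after the Exif segment, but the walk is the same: locate APP1, honour the byte-order mark, follow 0x8825, then read the four GPS tags. A photo with no APP1 segment returns None rather than raising, which is the behaviour an examiner wants when bulk-scanning a recovered image folder.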
Think Outside the Device
• Past usage information
– Network service provider records
– Look for paper bills
• Detailed history of usage
– Date and duration of calls
– Numbers called
– SMS messages sent (no content retained)
• NSP maintains detailed records
– Calling IMSI and IMEI
– Called IMSI and IMEI
– Location: first and last cell
– Charging details
iPhone Forensics on a Jailbroken Device
Zdziarski Technique
• Step by step
• Jailbreak
• Forensic acquisition
• SSH
• Create image using the dd command
• Transfer image using netcat
• Use scalpel to carve data
SSH Connection
DD image via Netcat
Zdziarski Technique
• Example command
    andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2
    root@192.168.0.2's password:
    -sh-3.2# cd /
    -sh-3.2# umount -f /private/var
    -sh-3.2# mount -o ro /private/var
    -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000
    andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096
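The command above streams the raw partition through dd and netcat but leaves out the one step that makes the image defensible: hashing what left the device and what arrived, and comparing the two. The following is an added example (not from the slides or from the Zdziarski tooling) that reproduces the dd | nc flow in Python over the loopback interface: one function plays the device side, one the examiner side, both hash every block they handle, and the image on disk is re-hashed independently afterwards. The "partition" it images is a constructed file of pseudo-random bytes; on a real case the source would be the raw device partition and the two halves would run on different hosts.

```python
import hashlib
import os
import socket
import tempfile
import threading

BLOCK_SIZE = 4096  # the bs= value used on the slide


def send_image(src_path, host, port, block_size=BLOCK_SIZE):
    """Device side (the dd | nc half): read the source block by block, stream it
    to the examiner's listener and return the SHA-1 of every byte sent."""
    digest = hashlib.sha1()
    with open(src_path, "rb") as src, socket.create_connection((host, port)) as conn:
        for block in iter(lambda: src.read(block_size), b""):
            digest.update(block)
            conn.sendall(block)
    return digest.hexdigest()


def receive_image(listener, dst_path, block_size=BLOCK_SIZE):
    """Examiner side (the nc -l | dd of= half): accept one connection, write the
    stream to dst_path and return the SHA-1 of every byte received."""
    digest = hashlib.sha1()
    conn, _ = listener.accept()
    with conn, open(dst_path, "wb") as dst:
        for block in iter(lambda: conn.recv(block_size), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def acquire_over_loopback(src_path, dst_path, block_size=BLOCK_SIZE):
    """Run both halves on 127.0.0.1 and return (sent_sha1, received_sha1).
    In a real acquisition src_path is the raw partition (/dev/rdisk0s2 on the
    slide) and the two halves run on the device and the examiner's machine."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def examiner():
        result["sha1"] = receive_image(listener, dst_path, block_size)

    worker = threading.Thread(target=examiner)
    worker.start()
    sent = send_image(src_path, "127.0.0.1", port, block_size)
    worker.join()
    listener.close()
    return sent, result["sha1"]


def sha1_of_file(path, block_size=BLOCK_SIZE):
    """Independent re-hash of the image on disk, as an examiner would do with
    sha1sum before and after analysis to show the image was not altered."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_sample_partition(path, size=3 * BLOCK_SIZE + 123):
    """Constructed stand-in for a raw partition: deterministic pseudo-random bytes
    (a small LCG, nothing cryptographic) whose length is not a multiple of the
    block size, so the trailing partial block is exercised too."""
    data = bytearray()
    x = 0x12345678
    while len(data) < size:
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        data.append(x >> 24)
    with open(path, "wb") as f:
        f.write(bytes(data))
    return path


def demo_acquisition():
    """Image the constructed partition over loopback and report all three hashes."""
    workdir = tempfile.mkdtemp()
    src = make_sample_partition(os.path.join(workdir, "rdisk0s2.sample"))
    dst = os.path.join(workdir, "rdisk0s2.img")
    sent, received = acquire_over_loopback(src, dst)
    return {"sent": sent, "received": received, "on_disk": sha1_of_file(dst),
            "size": os.path.getsize(dst)}


if __name__ == "__main__":
    report = demo_acquisition()
    for key, value in report.items():
        print(f"{key:9}: {value}")
    print("verified :", report["sent"] == report["received"] == report["on_disk"])
```

The three digests (sent, received, on disk) must agree before the image is used; a mismatch means a dropped or altered block, and the acquisition is repeated rather than analysed. Keeping the device-side hash separate from the examiner-side hash is what lets the Chain of Custody form record that the copy is bit-for-bit what was read from the handset.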
Bypass Passcode
DiskAid
iPhone Explorer
Delete this file to bypass the passcode
iPhone system path
What can be recovered?
Contacts
Calendar events
SMS
Facebook application
Geo-location cache
iPhone Forensics with iTunes Backup Files
SYNC and Backup
• After activation, when the iPhone is connected to the computer a sync is conducted
• The user can define what is to be synced, including:
– Music
– Photos
– Ringtones
– Contacts & calendars
– Podcasts
– Video
– Third-party applications
• Third-party applications can initiate the use of the iPhone as a file storage device
SYNC and Backup
• Backup data location
– Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
– Windows 7: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
– Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
SYNC and Backup
• Backup folder files
– Many .mdbackup files
– The name of each file is a SHA-1 hash, computed when the data is serialized off the iPhone and stored as the backup file
– Status.plist: status of the last sync
– Manifest.plist: list of all files backed up, with modification time and hash signature
– Info.plist: information about the iPhone (name, ICCID, IMEI, number, firmware version)
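The hashed file names and the Manifest.plist hash signatures are what let an examiner both find a device file in the backup folder and prove the copy has not been altered. The following added example (not from the slides or from any of the backup tools listed below) shows both: it derives the backup file name from the device domain and path using the documented iTunes scheme (SHA-1 of "Domain-path"), builds a small constructed backup folder with a simplified Manifest.plist, and verifies every listed file against the manifest. The manifest layout here is an assumption for the demo; real Manifest.plist files vary across iTunes versions and carry more fields than the three the slide lists. The sample files are placeholder bytes, not real SQLite databases.

```python
import hashlib
import os
import plistlib
import tempfile


def backup_file_name(domain, rel_path):
    """iTunes names each backed-up file with the SHA-1 of "<Domain>-<device path>",
    so the same device file always lands under the same 40-hex-digit name.
    Example: HomeDomain-Library/SMS/sms.db -> 3d0d7e5fb2ce288813306e4d4636395e047a3d28."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def sha1_bytes(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample: three device files an examiner typically looks for.
SAMPLE_FILES = {
    ("HomeDomain", "Library/SMS/sms.db"): b"SQLite format 3\x00 [constructed sms.db]",
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"): b"SQLite format 3\x00 [constructed address book]",
    ("WirelessDomain", "Library/CallHistory/call_history.db"): b"SQLite format 3\x00 [constructed call history]",
}


def build_sample_backup(backup_dir):
    """Write the sample files under their hashed names plus a simplified
    Manifest.plist (assumed layout: one entry per file with Domain, Path,
    ModTime and the SHA-1 of the file content)."""
    entries = {}
    for (domain, path), content in SAMPLE_FILES.items():
        name = backup_file_name(domain, path)
        with open(os.path.join(backup_dir, name), "wb") as f:
            f.write(content)
        entries[name] = {"Domain": domain, "Path": path,
                         "ModTime": 1339200000, "SHA1": sha1_bytes(content)}
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as f:
        plistlib.dump({"Files": entries}, f)
    return backup_dir


def verify_backup(backup_dir):
    """Check every manifest entry: the hashed file must exist, its name must match
    Domain-Path, and its content hash must match the manifest signature.
    Returns a list of (file_name, problem) tuples; an empty list means clean."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as f:
        manifest = plistlib.load(f)
    problems = []
    for name, entry in manifest["Files"].items():
        full = os.path.join(backup_dir, name)
        if not os.path.isfile(full):
            problems.append((name, "missing from backup folder"))
            continue
        if backup_file_name(entry["Domain"], entry["Path"]) != name:
            problems.append((name, "name does not match Domain-Path"))
        with open(full, "rb") as f:
            actual = sha1_bytes(f.read())
        if actual != entry["SHA1"]:
            problems.append((name, f"content hash {actual} != manifest {entry['SHA1']}"))
    return problems


def locate(backup_dir, domain, rel_path):
    """Map a device path back to its file inside the backup folder."""
    return os.path.join(backup_dir, backup_file_name(domain, rel_path))


def demo():
    """Build the sample backup, verify it, then alter one file and verify again."""
    backup_dir = build_sample_backup(tempfile.mkdtemp())
    clean = verify_backup(backup_dir)
    with open(locate(backup_dir, "HomeDomain", "Library/SMS/sms.db"), "ab") as f:
        f.write(b" tampered")  # simulate a modified or corrupted copy
    return {"clean": clean, "after_tamper": verify_backup(backup_dir)}


if __name__ == "__main__":
    for domain, path in SAMPLE_FILES:
        print(f"{domain}-{path} -> {backup_file_name(domain, path)}")
    print(demo())
```

Because the name is a hash of the device path, an examiner who knows which database holds the SMS messages can go straight to the right file without opening every entry; the integrity check is run on a working copy of the backup folder, never on the original evidence.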
.mdbackup files
• Safari history & bookmarks
• Photos (phone & synced iPhoto)
• Sent & received SMS
• Calendar events
• Notes
• Address book entries
• Call history
• Cookies
• Google Maps history
• Email account settings
• YouTube last search, last viewed & bookmarks data
Forensic Analysis Tools for Backup Files
• iPhone Backup Extractor
• iPhone Backup Analyzer
• MobileSyncBrowser
• MDBackupExtract
• WOLF - Sixth Legion
• Device Seizure - Paraben
Unprotected Backup files
Protected Backup files
Elcomsoft Phone Password Breaker
• Brute-force backup password with GPU
Brute-Force Backup password
Keychain Explorer #1
Keychain Explorer #2
iPhone Backup Extractor
iPhone Backup Analyzer
Copyright © 2012 TISA and its respective author (Thailand Information Security Association)
Please contact: varapong@acisonline.net
http://www.TISA.or.th