Mobile Device Forensics? - SANS Device Forensics Essentials ... • Lock codes • Unsupported...
cmdLabs>
Mobile Device Forensics Essentials
Everything you need to know but were afraid to ask!
Eoghan [email protected]
Pervasive Computing
• Billions of devices worldwide
– China (540+ million)
– Europe (400+ million)
– India (360 million)
– United States (270 million)
• People carrying multiple devices
Mobile Misuse and Malware
• Unauthorized access
– Bluetooth hacking
– Spyware
– IPv6
• Eavesdropping on communications
• Tracking device location
• Server reconfiguration
• Access to desktop sync/backups
Categories of Evidence
• Who
– Owner details and user accounts
– Contacts and cohorts
– Personalization (wallpaper, ringtones)
• When
– Calendar items
– File system metadata
– Timestamps may not be immediately visible
• What
– Phone call database
– E-mail and memos
– SMS / MMS
– Internet and LAN access
– Visited URLs and saved pages
• Where
– Location information
Case: Murder
• John Gaumer
– Met Josie Brown on Myspace
– Arranged a date and killed her
• Victim’s phone provided clues
– Last location contradicted Gaumer
– Accidental voicemail from Gaumer’s phone
– “thumping noises, shouting and brief bursts of a woman’s muffled screams”
GPS Remnants
• Cached map queries
– Traffic or social networking applications
• GPS coordinates embedded in Exif
N35 deg 36' E139 deg 41'
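The coordinate shown above is what the Exif GPS tags of a photo carry in degree/minute/second form. As an added example (not code from the slides or from cmdLabs), the Python script below builds a minimal Exif JPEG, locates the APP1 segment, follows IFD0 to the GPS IFD and converts the rationals to signed decimal degrees. The tag numbers (0x8825 GPSInfo, 0x0001-0x0004 for the latitude/longitude references and values) are the standard Exif ones; the sample JPEG, its coordinates and the function names are constructions for the demo.

```python
"""Pull the GPS tags out of a JPEG's Exif block and convert them to decimal degrees.

Added example, not from the SANS slides. The JPEG is constructed here so the
script runs offline; in practice the input is a photo carved from the handset.
"""
import struct

GPS_INFO, GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {2: 1, 3: 2, 4: 4, 5: 8}  # Exif field types: ASCII, SHORT, LONG, RATIONAL


def build_sample_jpeg(lat_dms=(35, 36, 0), lon_dms=(139, 41, 0), lat_ref=b"N", lon_ref=b"E"):
    """Construct (demo only) a minimal big-endian Exif JPEG carrying just the four GPS tags."""
    def rational(v):
        return struct.pack(">II", v, 1)
    gps_ifd_off = 8 + 2 + 12 + 4               # TIFF header, then a one-entry IFD0
    data_off = gps_ifd_off + 2 + 12 * 4 + 4    # RATIONAL arrays are stored after the GPS IFD
    lat_data = b"".join(rational(v) for v in lat_dms)
    lon_data = b"".join(rational(v) for v in lon_dms)
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_INFO, 4, 1, gps_ifd_off) + b"\0\0\0\0"
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI4s", GPS_LAT_REF, 2, 2, lat_ref + b"\0\0")
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, data_off)
    gps += struct.pack(">HHI4s", GPS_LON_REF, 2, 2, lon_ref + b"\0\0")
    gps += struct.pack(">HHII", GPS_LON, 5, 3, data_off + len(lat_data)) + b"\0\0\0\0"
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + lat_data + lon_data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:                   # start of scan: no more header segments
            break
        pos += 2 + length
    return None


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def read_value(tiff, typ, n, raw, endian):
    """Decode an IFD entry; values over 4 bytes live at the offset the entry points to."""
    size = TYPE_SIZE[typ] * n
    data = raw[:size] if size <= 4 else tiff[(off := struct.unpack(endian + "I", raw)[0]):off + size]
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii")
    if typ in (3, 4):
        return struct.unpack(endian + ("H" if typ == 3 else "I") * n, data)
    rats = struct.unpack(endian + "II" * n, data)
    return [(rats[2 * i], rats[2 * i + 1]) for i in range(n)]


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS IFD exists."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_INFO not in ifd0:
        return None
    gps = read_ifd(tiff, read_value(tiff, *ifd0[GPS_INFO], endian)[0], endian)

    def dms_to_decimal(ref_tag, val_tag):
        ref = read_value(tiff, *gps[ref_tag], endian)
        d, m, s = [num / den for num, den in read_value(tiff, *gps[val_tag], endian)]
        dec = d + m / 60 + s / 3600
        return -dec if ref in ("S", "W") else dec   # south and west are negative

    return dms_to_decimal(GPS_LAT_REF, GPS_LAT), dms_to_decimal(GPS_LON_REF, GPS_LON)


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))
```

The walk is deliberately done by hand rather than through an image library so that it also works on a carved fragment whose scan data is damaged: only the header segments up to SOS are needed to reach the GPS IFD.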
Investigation Dictates Goals
• Logical acquisition may be sufficient
– Items from AT or proprietary commands
– User backup utilities
• Software agent using device API
• Physical acquisition
– Need to recover lock code
– Need to recover deleted data
• Whatever can be acquired…
– Should be complete and accurate
In-Field Challenges
• No data cable
– Try Bluetooth
• Lock codes
• Unsupported device
– Select a similar model
– Manual examination
• Forensic tool glitch
Logical Acquisition
• Extraction of data seen by the user on the device
• Does not acquire deleted data
• Even forensic tools may not capture all logical data
Example: Failed Acquisition (iDEN)
• You can’t spell evidence without “iDEN”
– Videos/photos visible on device
• Cellebrite
– Phonebook only
• Paraben acquisition errors
– Flex: “Unknown packet”
– User space
• “Unknown Crap Signature”
Motorola iDEN Backup
Example of Tool Limitations
• Cellebrite
• .XRY
Example of Tool Limitations
• BitPim
• ForensicMobile
Lessons Learned
• Forensic practitioners
– Non-forensic tool may recover more data…
– Or not!
• Forensic tool developers
– State what level of support up front
– Get the basics right first
– Try to be consistent
Where do we draw the line?
• Microsoft ActiveSync
– Interacts with device and alters system
• Flash & Backup
– Reset home screen photo on test device
• Jailbreak
– Modifies the device
• Remote access
– Sync to BES server
Recovering Unlock Codes
• User manual
– Default lock code
– Security bypass code
• Motorola SEEM
– P2K Commander
– BitPim
• Some CDMA forensic tools
– ForensicMobile
1234
Forensic Acquisition of Windows Mobile 6
How complete is your analysis if…
• Your software agent can’t execute
– Won’t run unsigned applications
• Important files are empty
– Files locked by the operating system
• Some tools only acquire limited items
• Your tools don’t understand the data
– Proprietary database format
WM6: Failed Acquisition
• Software agent advantages
– Access to more data
– Control changes
– Known impact
• Software agent won’t run
– Can change Registry value
WM6: Locked Files are Empty
WM6: Varying Results with Different Tools
• Cellebrite
– Contacts, images, videos, ringtones
• Paraben
– Some files, deleted filenames
• .XRY
– SMS, call logs, images, videos…
• XACT
– Entire FAT volume
– Using Flash Abstraction Layer
Lesson Learned
• Forensic practitioners
– Non-forensic tools are less effective
– Forensic tools provide widely varying results
• Forensic tool developers
– Be clear about what is acquired
– Don’t delete the agent afterwards
Flasher Boxes
• Designed to update flash memory
– Twister
– HWK
– UFS3
– SHU box
– JAF box
• Cables!
Twister & SaraSoft
Beware of Overwriting Evidence
• Sarasoft
– Designed for flashing
Limited Models and Firmware
• Nokia 6230
– Some firmware does not support direct memory access
• Twister box
– Rd MEM error
– Rd PM success
Example: Deleted Photos (Samsung)
Example: Deleted Text Messages (Motorola)
Bomb Investigation (Alphabet Soup)
• IKEA
• IED
• No SIM
• IMSI in memory
• NSPs have CDRs
WM6: Interpreting Data (FAT & EDB)
WM6: Interpreting Data using Emulator
• Mount acquired file
• Examine details
• Call history example
– Log of recent calls
– Drill down for details
Keyword Searching
• ASCII and Unicode
• Regular expressions
• Nibble reversed format
• 7-bit encoded
BKForensics CPA extracting e-mail addresses & URLs from Samsung memory dump
SMS 7-bit Encoding
MAIN Success Connected to Motorola USB Modem [COM11]
MAIN Success Starting process of FLASHDUMP (4.10)
FLASHDUMP Success Connecting…
FLASHDUMP Success Firmware R452F1_G_08.05.04R
FLASHDUMP Success Flex GSTCPRIRTMB01NA097
FLASHDUMP Success Boot Loader 0x0ac3
FLASHDUMP Success Installing Flash Loader
FLASHDUMP Success Flash Loader Connected
FLASHDUMP Success Reading 64MB FLASH
FLASHDUMP Success Reading 10000000-1000FFFF,Boot
FLASHDUMP Success Reading 10010000-1001FFFF,PDS
FLASHDUMP Success Reading 10020000-1003FFFF
FLASHDUMP Success Reading 10040000-10091FFF,DSP
FLASHDUMP Success Reading 10092000-115DFFFF,Firmware
FLASHDUMP Success Reading 115E0000-1185FFFF,DRM
FLASHDUMP Success Reading 11860000-11ABFFFF,LangPack
FLASHDUMP Success Reading 11AC0000-13F5FFFF,Flex
FLASHDUMP Success Reading 13F60000-13F7FFFF
FLASHDUMP Success Reading 13F80000-13F9FFFF,DigSig
FLASHDUMP Success Reading 13FA0000-13FDFFFF
FLASHDUMP Success Reading 13FE0000-13FE07FF,DigSig
FLASHDUMP Success Reading 13FE0800-13FFFFFF
FLASHDUMP Success Saved 67108864 Bytes from 10000000-13FFFFFF
FLASHDUMP Success Totally Saved 67108864 Bytes from FLASH
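The keyword-searching slide lists four encodings (ASCII, Unicode, nibble reversed, 7-bit) and the slide above shows SMS text in 7-bit packed form; a plain ASCII grep over a flash dump misses three of the four. As an added example (not code from the slides or from cmdLabs), the Python script below implements GSM 7-bit packing and unpacking, the nibble-reversed (semi-octet) digit format used for stored phone numbers, and a masked search that finds one keyword in a constructed dump in every one of those forms. It goes a little beyond the slide: 7-bit text inside a longer message can sit at any of seven bit alignments, so the search tries all seven with a bit mask for the neighbouring septets' bits. The sample dump, its contents and the function names are constructions for the demo.

```python
"""Keyword searching across the encodings a phone memory dump mixes together:
ASCII, Unicode (UTF-16LE), nibble-reversed BCD digits, and GSM 7-bit packed
text as found in SMS PDU user data.

Added example, not from the SANS slides. SAMPLE_DUMP is constructed, not an
acquisition from a real handset.
"""
import re


def gsm7_pack(text):
    """Pack text into GSM 03.38 septets, LSB first (ASCII-compatible subset only)."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        if ord(ch) >= 128 or not (ch.isalnum() or ch in " !\"#%&'()*+,-./:;<=>?"):
            raise ValueError(f"{ch!r} has a different code in the GSM alphabet")
        bits |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def gsm7_unpack(data, nchars):
    """Inverse of gsm7_pack for the first nchars septets."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(nchars))


def bcd_swapped(digits):
    """Semi-octet (nibble-reversed) number encoding: '1234' -> 21 43; odd length padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def bcd_unswap(data):
    """Inverse of bcd_swapped, dropping the F pad."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in data).rstrip("F")


def bcd_pattern(digits):
    """Byte-aligned search pattern and mask; with an odd digit count the last
    high nibble (the F pad, or the next digit of a longer number) is left unmasked."""
    pattern = bytearray(bcd_swapped(digits))
    mask = bytearray(b"\xff" * len(pattern))
    if len(digits) % 2:
        pattern[-1] &= 0x0F
        mask[-1] = 0x0F
    return bytes(pattern), bytes(mask)


def seven_bit_patterns(keyword):
    """(pattern, mask) for the keyword packed at each of the 7 bit phases it can
    occupy inside a longer packed message; the mask clears the neighbours' bits."""
    septets = [ord(c) & 0x7F for c in keyword]
    for phase in range(7):
        value = sum(s << (7 * i + phase) for i, s in enumerate(septets))
        nbits = 7 * len(septets) + phase
        nbytes = (nbits + 7) // 8
        mask = ((1 << nbits) - 1) & ~((1 << phase) - 1)
        yield value.to_bytes(nbytes, "little"), mask.to_bytes(nbytes, "little")


def masked_find(data, pattern, mask):
    """Offsets where data matches pattern on the bits selected by mask."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all((data[i + j] & mask[j]) == pattern[j] for j in range(n))]


def search_dump(dump, keyword):
    """Return {encoding: [offsets]} for every encoding in which keyword occurs."""
    hits = {
        "ascii": [m.start() for m in re.finditer(re.escape(keyword.encode("ascii")), dump)],
        "utf-16le": [m.start() for m in re.finditer(re.escape(keyword.encode("utf-16-le")), dump)],
        "gsm-7bit": sorted({o for p, m in seven_bit_patterns(keyword) for o in masked_find(dump, p, m)}),
    }
    if keyword.isdigit():
        hits["bcd-swapped"] = masked_find(dump, *bcd_pattern(keyword))
    return {enc: offs for enc, offs in hits.items() if offs}


# Constructed dump: a plain note, a UTF-16LE string as a contacts database stores it,
# a stored number in nibble-reversed form, and 7-bit packed SMS user data.
SAMPLE_DUMP = (b"\x00" * 16 + b"meet at pier 9" + b"\xff" * 8
               + "pier".encode("utf-16-le") + b"\x00" * 5
               + bcd_swapped("14105551234") + b"\x00" * 3
               + gsm7_pack("see you at the pier tonight") + b"\x00" * 16)

if __name__ == "__main__":
    for kw in ("pier", "5551234"):
        print(kw, search_dump(SAMPLE_DUMP, kw))
```

The 7-bit packer only accepts the part of the GSM default alphabet whose codes coincide with ASCII (letters, digits, space and common punctuation); characters such as @ or £ have different codes and are rejected rather than silently mis-encoded.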
File Carving
• Foremost
– JFIF = 0xFFD8FFE0
– Exif = 0xFFD8FFE1
• Beware of Samsung JPG header
– 0xFFD8FFE3
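Header signatures like the three above tell a carver where a JPEG starts; where it ends is the harder part, because an Exif photo embeds a thumbnail that is itself a complete JPEG with its own FF D9 end-of-image marker, so a header-to-first-footer rule cuts the file short. As an added example (not code from the slides, from cmdLabs or from Foremost), the Python script below carves all three signatures from a constructed dump by walking each file's segment lengths to the real EOI, and contrasts the result with a plain first-FF D9 cut. The sample JPEGs are structurally valid but contain no real image data; everything in the dump is constructed for the demo.

```python
"""Carve JPEGs out of a raw memory dump by header signature, then find the true
end of each file by walking its segment structure instead of stopping at the
first FF D9 (an Exif thumbnail carries its own FF D9 and would truncate the carve).

Added example, not from the SANS slides. SAMPLE_DUMP is constructed; the JPEGs
in it are structurally valid but carry no real image data.
"""
import struct

SIGNATURES = {
    b"\xff\xd8\xff\xe0": "JFIF",
    b"\xff\xd8\xff\xe1": "Exif",
    b"\xff\xd8\xff\xe3": "Samsung JPG",   # APP3 first, as the slide warns
}


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(app_marker, app_payload, scan_data):
    """Demo file: SOI, one APPn segment, a minimal SOS header, entropy-coded bytes, EOI."""
    return (b"\xff\xd8" + _segment(app_marker, app_payload)
            + _segment(0xDA, b"\x01\x01\x00") + scan_data + b"\xff\xd9")


def jpeg_end(data, start):
    """Return the offset just past the EOI of the JPEG whose SOI is at start, or None."""
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: this is not a marker
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # markers without a length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return None
        pos += 2 + length                    # skips the whole segment, thumbnail included
        if marker == 0xDA:                   # scan data: FF00 is stuffing, FFD0-D7 are restarts
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def carve_jpegs(data):
    """Return (offset, kind, bytes) for each JPEG whose structure parses through to an EOI."""
    found, pos = [], 0
    while True:
        hits = [(data.find(sig, pos), kind) for sig, kind in SIGNATURES.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            return found
        start, kind = min(hits)
        end = jpeg_end(data, start)
        if end is None:
            pos = start + 1                  # false positive or damaged file: keep scanning
            continue
        found.append((start, kind, data[start:end]))
        pos = end                            # resume after the file so its thumbnail is not re-carved


def carve_naive(data):
    """Signature to the first FF D9, the way a plain header/footer rule behaves."""
    out = []
    for sig in SIGNATURES:
        start = data.find(sig)
        while start != -1:
            end = data.find(b"\xff\xd9", start)
            if end != -1:
                out.append((start, data[start:end + 2]))
            start = data.find(sig, start + 1)
    return sorted(out)


THUMB = build_jpeg(0xE0, b"JFIF\x00\x01\x01", b"\x11\x22\x33")
# Exif APP1 payload: identifier, placeholder TIFF header, then the embedded thumbnail JPEG
PHOTO = build_jpeg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + THUMB,
                   b"\xaa\xff\x00\xbb\xff\xd0\xcc")   # stuffed FF00 and a restart marker in the scan
SAMSUNG = build_jpeg(0xE3, b"\x00" * 4, b"\x55\x66")
SAMPLE_DUMP = b"\x00" * 7 + PHOTO + b"\xff" * 5 + SAMSUNG + b"\x00" * 9

if __name__ == "__main__":
    for off, kind, blob in carve_jpegs(SAMPLE_DUMP):
        print(f"{kind} at offset {off}, {len(blob)} bytes")
    print("naive carve of first file:", len(carve_naive(SAMPLE_DUMP)[0][1]), "bytes")
```

Run against the constructed dump, the structured carver returns the full Exif photo and the Samsung file, while the naive rule returns an Exif file that ends at the thumbnail's FF D9 and so is shorter than the original.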
Future of Physical Acquisition
• JTAG interface
– Test circuit
– Read flash memory
– Disabled by some manufacturers
• Direct chip access
What to Do?
• Validate results with multiple tools
• Publish tool evaluation and comparison
• Teach forensic examiners
– How the underlying technology works
– How to work around barriers and failures
• Improve physical acquisition and analysis
– Transition from Flasher boxes
– Facilitate access to JTAG
Upcoming Training
SANS Mobile Device Forensics
• July 27-31: Baltimore
– Debut discount: $1,750 (50%)
• Sept 16-20: San Diego
See www.cmdLabs.com for details