© 2014, Basis Technology 1

Open Source Mobile Device Forensics

Heather Mahalik

© 2014, Basis Technology 2

iOS Devices • Zdziarski Methods • Boot Rom

Vulnerability Exploits – Custom Ramdisk via

SSH – The iPhone Data

Protection Tools • iTunes

Android Devices • viaLogical • ADB Backup • OSAF Toolkit • Santoku • DD

– Not supported for all devices

• JTAG/Chip-off

Device Acquisition

© 2014, Basis Technology 3

• How old is the device?

• Is the device locked? • Is the device

damaged? • Are you Law

Enforcement?

Considerations

© 2014, Basis Technology 4

• LiME (Linux Memory Extractor) – First tool to support full

memory captures of Android smartphones!

– TCP dump or saved to SD card

– Uses ADB

Android Memory Capture

© 2014, Basis Technology 5

iOS Devices • iPhone Backup Analyzer • iExplorer • iBackupBot • Scalpel • SQLite Browser • Plist Editor • WhatsApp Extract

– Contacts.sqlite and ChatStorage.sqlite

• Manual examination • Customized scripts

Android Devices • Autopsy

– Android Module • WhatsApp Extract

– wa.db and msgstore.db • Scalpel • SQLite Browser • Hex Editor • Anything capable of mounting

EXT • FTK Imager • Customized scripts • Manual examination

Analytical Tools…to Name a Few

© 2014, Basis Technology 6

• Commercial tools are expensive – They still miss data – They don’t parse third party applications

completely – They omit relevant databases when extracting

data – They don’t support all devices

• Open Source tools – See above!

Reality Check!

© 2014, Basis Technology 7

/private/var/mobile/library/Spotlight/com.apple.mobilesms/ – smssearchindex.sqlite

• Provides SMS message data – Active and deleted messages – Should be compared to sms.db – May show traces of attachments (metadata)

*Not commonly parsed by any tool!

Example – iOS Examination

© 2014, Basis Technology 8

• GUI built on The Sleuth Kit • Next version (v3.1.1) will include Android

module • Customizable • Complete analytical platform • Android dumps can be loaded as normal disk

images or file folders

Autopsy

© 2014, Basis Technology 9

Android Examination

© 2014, Basis Technology 10

• Parsed from Contacts2.db file – Raw_contacts and ABPerson

Examining Contacts

© 2014, Basis Technology 11

Examining the Raw Contacts (1)

© 2014, Basis Technology 12

Examining the Raw Contacts (2)

© 2014, Basis Technology 13

• Parses messages and chats from SMS, MMS and some third party applications

Parsing Messages and Chats

© 2014, Basis Technology 14

• Encryption vs. Encoding • Base64 decoder built into Autopsy Android

module

Encoding Built into Autopsy

© 2014, Basis Technology 15

• Google Maps, Browser, Cache and EXIF location parsing

Geolocation Support

© 2014, Basis Technology 16

Geolocation Reporting

© 2014, Basis Technology 17

• EXIF Parser

• Graphics and Videos

Examining Multimedia Files

© 2014, Basis Technology 18

• Active files shown in viewer

• Deleted must be examined/recovered in Hex

Recovering Deleted SQLite Data

© 2014, Basis Technology 19

• Mari DeGrazia’s SQLite Parser

Custom Scripts

© 2014, Basis Technology 20

• http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf

• www.az4n6.blogspot.com • https://viaforensics.com/blog/ • http://www.sleuthkit.org/ • Practical Mobile Forensics –Bommisetty,

Mahalik, Tamma • www.smarterforensics.com • https://code.google.com/p/lime-forensics/

References, Sources and Suggested Reading

© 2014, Basis Technology 21

Heather Mahalik Basis Technology

www.basistech.com hmahalik@basistech.com Twitter: @heathermahalik

Questions