11th National Investigations Symposium Sinden.pdf · 2017-05-18 · 11th National Investigations...
11th National Investigations Symposium
Making the most of electronic data: How Computer Forensics can assist investigations
10 November 2016
David Sinden, Electronic Evidence Specialist
Introduction
• 10 years Computer Forensics
• 8 years private sector: Global Fraud, Bribery and Corruption cases
• Last 18 months at NSW ICAC
Objective
• Insight into the wealth of electronic information available for investigations
• How to make the most of it and where it is located
• Focus on Email and Mobile Phones: Hints & Tips
Electronic Data Overview
Growing phenomenally
• IBM – 2.5 exabytes (2 billion gigabytes) was generated every day in 2012
• 90 per cent of the data in the world today has been created in the last two years
• World’s data volume expected to grow 40 per cent per year, and 50 times by 2020
Electronic Data Growth
Electronic Data
• More systems
• Interconnected
• Greater data sharing
• IoT devices – Cameras, Fridges etc.
• Car Infotainment Systems
Digital Forensic Challenges
• Subjects wiser, cover their trail
• App developers starting to use encryption
• Technology and platforms change at a rapid pace
Email Forensics
Corporate Email Systems
• Microsoft Exchange/Outlook
• Lotus Domino/Notes
• Novell GroupWise
Email Applications
• Outlook Express
• Windows Mail
• Mozilla Thunderbird
• Windows Live Mail
• Pegasus
• Fox mail
• SeaMonkey Mail
• The Bat!
Apple Mac
• Mail – eml, emlx
• Mbox
• Eudora
• Microsoft Entourage
• Outlook for Mac
Different storage formats
Microsoft Exchange/Outlook
EDB database – hierarchical
• Public and Private Mail stores
• Private contains user mailboxes
• Found on servers
Tip: Should be dismounted before collecting
Outlook Data Files
Found on local computer
• PST – Personal Storage Table
• OST – Offline Storage Table
• Synchronised copy downloaded to computer – can still read and compose messages if connection interrupted
• Restored messages are synchronised
Microsoft Exchange/Outlook
What happens when a user deletes a message?
• Delete – moves the message to the Deleted Items folder
• Soft delete – moves it from the Deleted Items folder to the Recoverable Items folder. Also covers Shift + Delete
Microsoft Exchange/Outlook
Dumpster – Recoverable Items
• Retention Policy based
• Purge after 14 days (default), 28 days or never!
Microsoft Exchange/Outlook
Other ways to recover deleted emails?
• EDB, OST, PST are databases
• Carving – looking for message structures
I still can’t find that deleted email?
Email Journaling Systems
• MailMarshal
• IronPort
Archiving Systems
• Commvault, Enterprise Vault etc.
• May separate attachments from emails
• Leave behind a stub file with a link
Tip: Extracts don’t always provide all the information – look for missing attachments
Tape Backups
• Snapshot based
• Understand the backup schedule: daily, weekly, monthly
• Takes time to restore and fails often
Where is technology heading?
Cloud Service
• Office 365
• Built-in legal hold and discovery feature
Virtual Machines
• VM – Emulation
Web based mail – difficult to see on a local computer
Mobile Device Email Apps
Mobile Forensics
Smartphone Evolution
• 1994 – IBM Simon
• 2000 – Ericsson R380
• 2002 – Palm Treo
• 2003 – Blackberry
• 2007
Smartphone Platforms
• Android (Marshmallow, Nougat next)
• Apple iOS (10)
• Windows 10 Mobile
• Blackberry 10
All are enhancing security
Apple iOS
Interesting fact – non-public code names
• Mainly ski resorts
• 9.1 Boulder
• 9.2 Castlerock
• 9.3 Eagle
• 10.0 Whitetail
http://www.imore.com/ios-version-codenames
Apple iOS
• Protected by passcode – Simple vs Complex
• No Passcode? – Lockdown trust file from computer
iTunes Backups
• Local PC and Cloud
• Copy of everything on device
• Automatic sync on computers with iTunes software installed (unless disabled)
iTunes Backup Location
Mac: ~/Library/Application Support/MobileSync/Backup/
Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\ ...
Windows Vista, Windows 7, 8 and 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
iTunes Backups
• UDID – Unique identifier
• Matches folder name
iTunes Backups
• Non-readable format
• Uniquely named files: 40-digit alphanumeric hex value, no file extension
iTunes Backups
• SHA1 hash value of the file path appended to the respective domain name and ‘-’, e.g. HomeDomain-Library/SMS/sms.db
• Consistent across phones unless Apple changes the architecture
How to decode these filenames and the data?
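To make the naming scheme above concrete, here is an added Python example; it is not code from the presentation. It hashes a short, assumed list of well-known domain/path pairs exactly as the slide describes (SHA1 over "domain-path", no extension) and uses the result as a reverse lookup against a constructed backup folder, which is how an examiner can label files when no metadata is at hand. The KNOWN_FILES list and the demo folder are assumptions of this example; the expected name for HomeDomain-Library/SMS/sms.db (3d0d7e5fb2ce288813306e4d4636395e047a3d28) is a real value you can check against a backup.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Candidate (domain, relative path) pairs. These four are commonly cited
# iTunes backup artefacts; the list itself is an assumption of this example
# and is far from exhaustive.
KNOWN_FILES: List[Tuple[str, str]] = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("WirelessDomain", "Library/CallHistory/call_history.db"),
    ("HomeDomain", "Library/Notes/notes.sqlite"),
]

HEX_DIGITS = set("0123456789abcdef")


def backup_filename(domain: str, path: str) -> str:
    """Name a backed-up file the way the slide describes: SHA1 over
    '<domain>-<relative path>', rendered as 40 lowercase hex digits, no extension."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def build_lookup(candidates: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Reverse table: backup file name -> (domain, path) for every candidate."""
    return {backup_filename(d, p): (d, p) for d, p in candidates}


def identify_backup_files(backup_dir: str, candidates=KNOWN_FILES):
    """Walk a backup folder and label every SHA1-named file we can recognise.

    Returns (identified, unknown): identified maps file name -> (domain, path);
    unknown lists SHA1-named files that matched none of the candidates.
    Metadata files such as Manifest.mbdb are skipped because their names are
    not hashes."""
    lookup = build_lookup(candidates)
    identified: Dict[str, Tuple[str, str]] = {}
    unknown: List[str] = []
    for name in sorted(os.listdir(backup_dir)):
        if len(name) != 40 or not set(name) <= HEX_DIGITS:
            continue  # not a bare 40-hex-digit name
        if name in lookup:
            identified[name] = lookup[name]
        else:
            unknown.append(name)
    return identified, unknown


def demo():
    """Constructed backup folder: two recognisable files, one unrelated hash
    and one metadata file. Returns the result of identify_backup_files."""
    with tempfile.TemporaryDirectory() as backup_dir:
        for d, p in [("HomeDomain", "Library/SMS/sms.db"),
                     ("WirelessDomain", "Library/CallHistory/call_history.db")]:
            open(os.path.join(backup_dir, backup_filename(d, p)), "wb").close()
        open(os.path.join(backup_dir, "0" * 40), "wb").close()        # hash not in our list
        open(os.path.join(backup_dir, "Manifest.mbdb"), "wb").close()  # metadata, skipped
        return identify_backup_files(backup_dir)


if __name__ == "__main__":
    found, unidentified = demo()
    for name, (domain, path) in found.items():
        print(f"{name}  ->  {domain}-{path}")
    print("unidentified:", unidentified)
```

A candidate list only recognises what you thought to put in it; the backup's own Manifest.mbdb carries the full file-name-to-path mapping and should be preferred when it is present and intact. The scheme also changed with later iOS versions (iOS 10 backups use a Manifest.db SQLite database and two-character subfolders), which is the "unless Apple changes the architecture" caveat on the slide.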
iTunes Backups
4 Metadata files
iTunes Backups
• Info.plist – Device details – name, IMEI
• Manifest.mbdb – Info about all other files
• Manifest.plist – Passcode set, encrypted, last backup computer name, date
• Status.plist – Details about the backup, state, date and version
iTunes Backups
What about encrypted backups?
• Password only entered once and often forgotten
iTunes Backups
• Attacks: brute force, dictionary…
• Word list from computer
• Acquire memory
Passwords….
Passwords
Apple Mac Keychain
• Password management system
• Stores passwords for applications, servers, web sites, WiFi passwords, even iTunes
• Keychain Access GUI on OS X
• Encrypted, normally with the password of the computer
• Windows needs alternative tools to view
Mac OS X Keychain App
iCloud
• Cloud credentials recovered from phone or backup
• Many tools can acquire data from the cloud with credentials
• Appropriate legal authority required
• Where is the data even stored?
iTunes Backups
The iTunes Backup might have been deleted, what now?
Volume Snapshot Service (VSS)
VSS – Volume Snapshot Service
• Backup feature included in Microsoft Windows
• Vista, 7, 8, 10 and Server 2008, 2012
VSS
• Right click volume (C:)
• Select Properties
• Previous Versions tab
VSS
• Each backup can be viewed on the machine it was created on
• Third party tools can parse them
• Not all files backed up, e.g. OST
• You might find iTunes backups that were thought deleted
iTunes Backups
Tip: Delete button doesn’t appear to delete data
Other Challenges for Investigations
Non-searchable documents
• Optical Character Recognition (OCR)
• OCR not perfect, not brilliant with handwriting
• Never assume every piece of data is searchable
Other Challenges for Investigations
• Screenshots
• SMS messages
Any questions?