Android Forensics - How the police investigates your device
Uploaded by marius-florian-mailat. Category: Mobile.
Transcript of the slides:
Android forensics: how the police investigates your device?
2015.06.04 Droidcon Berlin, Marius Mailat
Who is Marius?
1. CTO of APPsrise, winner of the Best of Mobile award 2014
2. Since 2015 Google Developer Expert for Android
3. Trained over 500 developers on Android topics
4. Founder of the Android developer community Androider
Agenda
1. Motivation: why this crazy topic?
2. Android internal platform
3. Android forensics: how to extract data
4. Android anti-forensics: how to protect your data
Why this crazy topic?
I still code Android:
• Android TV
• Android Auto
• Android in digital signage
• Android Wear
Still not convinced?
Hero of the day: the Meizu MX3 device
• Origin: amazing China
• Claims: 8 million preorders
• Description: popular Android phone based on Flyme OS
The phone is sniffing the web traffic: sins in Meizu MX apps.
(The slide shows HTTP requests captured from the phone's built-in apps, including an OAuth access-token response carrying the user's id and user name.)
Android internal platform
Binder (object-oriented OS IPC)
• Initially developed for BeOS, later used by Palm (which acquired BeOS)
• Most of the Android infrastructure (services) is supported by Binder
• Binder is lightweight and high-performance
• Bound services are "garbage collected" when no longer in use
• Remote (service) method calls are synchronous (feels like just a function call, even though it's IPC)
• Services are defined/exposed via AIDL
Ashmem (anonymous shared memory)
• Reference-counted, virtually mapped, named memory block that is shared between processes and that the kernel is allowed to free
• Similar to POSIX SHM but with different behavior and a simpler file-based API (POSIX SHM does not allow the kernel to free shared memory)
• Android uses ashmem to share resources to minimize redundancy across processes
• The kernel can discard unused shared blocks of memory when under pressure
• Represented in the Java layer as android.os.MemoryFile
Ashmem (anonymous shared memory)
```c
#include <sys/mman.h>
#include <cutils/ashmem.h>   /* ashmem_create_region(), from Android's libcutils */

int size = 4096;
void *data = NULL;
int fd = ashmem_create_region("MySharedRegionName", size);
if (fd >= 0) {   /* a valid descriptor may be 0, so test for >= 0 rather than > 0 */
    data = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (data != MAP_FAILED) {
        /* for security reasons, no other process can ashmem_create_region() with the same name */
        /* instead, to share this memory, we send fd via Binder IPC to another process */
        /* that process then mmap()'s it the same way in order to access the shared memory */
    }
}
```
Android init startup
• After the kernel loads, process 1 (/init) is created
• Starts ueventd
• Initializes the system clock and logger
• Sets up the global environment
• Sets up the file system (mount points and symbolic links)
• Configures kernel timeouts and scheduler
• Configures process groups
• Creates a basic directory structure on /data and applies permissions
• Applies permissions on /cache
• Applies permissions on certain /proc points
• Initializes the local network (i.e. localhost)
• Configures the parameters for the low memory killer
• Applies permissions for system_server and daemons
• Defines TCP buffer sizes for various networks
• Configures and (optionally) loads various daemons (i.e. services): ueventd, console, adbd, servicemanager, vold, netd, debuggerd, rild, zygote (which in turn starts system_server), mediaserver, bootanimation (one time), various Bluetooth daemons (like dbus-daemon, bluetoothd, etc.), installd, racoon, mtpd, keystore

Bored already?
Android conference dialer
Q1: Pavel, write your own dialer with conference in 1 click.
Response: not really so easy to do, but again, maybe there is a way for everything?
Via https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/InCallPresenter.java
```java
CallCommandClient.getInstance().merge();
```
brings you to https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallCommandClient.java
and this is using the AIDL https://android.googlesource.com/platform/packages/services/Telephony/+/master/common/src/com/android/services/telephony/common/ICallCommandService.aidl
Now you can try to control https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallHandlerService.java
WHAT IS ANDROID FORENSICS?
The use of science and technology to investigate and establish facts in criminal or civil courts of law. Deciding some disputes requires the use of physical evidence.
Motivation?
What is wrong with this picture?
(Slide: photo of Abel Yenukidze, tampered.)
Every contact leaves a trace.
"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value."
Dr. Edmund Locard (1877-1966)
Android forensics: extract data

Cellebrite UFED
• Standalone device
• Can extract data from 1600+ devices
• Covers Android devices
• Built-in SIM reader and cloner
• Can store output on SD, flash or PC

EnCase Forensics
• Software solution
• Android, BlackBerry, iOS and WinMobile
• Device settings
• Contacts, call logs
• E-mail
• Images
• SMS/MMS
• Calendars

Other tools: viaForensics viaExtract, X-Ways, Micro Systemation XRY

The ninja way
Ways to get access to data on Android
1. Access to the device, bypassing the security lock
2. Physical data extraction!
3. Logical data extraction. Yummy.
1. ACCESS THE DEVICE USING SMUDGE ATTACK
Reboot to bootloader mode:
```
$ adb reboot bootloader
```
Using fastboot, load a different ROM (e.g. the ClockworkMod recovery image) and remove the key file related to the challenge:
```
$ adb shell
$ su
# rm /data/system/gesture.key
```
Or in case of a password or PIN:
```
# rm password.key
```
2. PHYSICAL DATA EXTRACTION
Software + hardware

3. LOGICAL DATA EXTRACTION
1. ADB
2. SQLite
3. Content providers
4. Android backup (since 4.0)
3. LOGICAL DATA EXTRACTION
Find the partition to image:
```
$ mount
... /dev/block/mtd7lock /system ext3 ...
```
Check if the dd command is available; if not, install the BusyBox toolset. As an alternative you can use dc3dd or nanddump, available at https://github.com/jakev/android-binaries
```
$ dd if=/dev/block/mtd7lock of=/sdcard/mtd7lock.imgdd
$ adb pull /sdcard/mtd7lock.imgdd mtd7lock.imgdd
$ od -x mtd7lock.imgdd
$ strings mtd7lock.imgdd | grep <your own patterns go here>
```
3. LOGICAL DATA EXTRACTION
Get all the APKs from the system:
```
$ adb shell
$ su
# cd /data/app
# tar -cvf /sdcard/all-apps.tar /data/app/*.apk
# gzip /sdcard/all-apps.tar            # produces /sdcard/all-apps.tar.gz
$ adb pull /sdcard/all-apps.tar.gz ./
$ tar -xzvf all-apps.tar.gz            # extracts the .apk files
```
3. LOGICAL DATA EXTRACTION
Snoop the databases in the system:
```
$ find /data -name "*.db" -print
/data/data/com.google.android.browser/app_appcache/ApplicationCache.db
/data/data/com.google.android.browser/app_databases/Databases.db
/data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
/data/data/com.android.providers.calendar/databases/calendar.db
/data/data/com.android.providers.contacts/databases/profile.db
/data/data/com.android.providers.contacts/databases/contacts2.db
/data/data/com.android.providers.downloads/databases/downloads.db
/data/data/com.google.android.email/databases/EmailProvider.db
/data/data/com.google.android.gm/databases/[email protected]
/data/data/com.google.android.gm/databases/[email protected]
/data/data/com.google.android.gm/databases/webviewCookiesChromium.db
/data/data/com.google.android.music/databases/music.db
/data/data/com.android.providers.telephony/databases/telephony.db
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/system/accounts.db
```
3. LOGICAL DATA EXTRACTION
Snoop further:
```
# sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db
sqlite> .schema accounts
CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
sqlite> select * from accounts;
||[email protected]|
sqlite> select * from data;
8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/marius%40gmail.com/59w25d6cef09539135|||0
8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10
```
3. LOGICAL DATA EXTRACTION
Snoop SMSs:
```
# sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db
sqlite> .mode column
sqlite> .header on
sqlite> select address, date, body from sms;
address        date           body
-------------  -------------  ------------------------------------------------------
+411113272608  1336592918275  AT&T Free Msg: Welcome to GoPhone! To learn more ...
3410498xxxx    1336720180796  Hey, nice day today. Up for a hike?:-)
+41310498xxxx  1336720230196  Hike sounds good:) kahuna beach canyon?
3410498xxxx    1336720272373  Laguna is good. See you at 5:30.
```
3. LOGICAL DATA EXTRACTION - LOGCAT
```
adb logcat -v time -b radio -d
```
• dmesg: kernel messages
• adb shell getprop: information about the device properties
3. LOGICAL DATA EXTRACTION - CONTENT PROVIDERS

3. LOGICAL DATA EXTRACTION - BACKUP
```
# backup all content of an app
adb backup com.whatsapp -f whatsapp_backup.ab
# backup everything
adb backup -apk -noshared -all -f Backup_06_04_2015.ab
# confirm the backup on the device screen
# extract data from the .ab file (unencrypted backup; needs an OpenSSL build with zlib support)
dd if=whatsapp_backup.ab bs=24 skip=1 | openssl zlib -d > whatsapp.tar
tar xvf whatsapp.tar
```
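The `dd bs=24 skip=1 | openssl zlib -d` recipe silently assumes an unencrypted, compressed backup, which is exactly what the 24-byte header encodes. As an added example (not code from the talk), this Python parser reads the .ab header fields, refuses encrypted backups instead of producing garbage, and lists what a backup captured; the sample backup and its file names are constructed in memory.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab(blob: bytes):
    """Split an adb backup (.ab) blob into header info and the raw tar payload.

    Header = four newline-terminated text lines: magic, format version,
    compression flag (0/1) and encryption ("none" or "AES-256"). For an
    unencrypted compressed backup that is 15 + 2 + 2 + 5 = 24 bytes, hence
    the slide's `dd bs=24 skip=1`.
    """
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    parts = blob.split(b"\n", 4)          # maxsplit keeps the payload intact
    if len(parts) < 5:
        raise ValueError("truncated .ab header")
    _magic, version, compressed, encryption, payload = parts
    info = {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "header_len": len(blob) - len(payload),
    }
    if info["encryption"] != "none":
        # The zlib stream sits inside the encrypted envelope: inflating it
        # directly (as the openssl one-liner does) cannot work.
        raise ValueError("backup is encrypted (%s); decrypt before inflating"
                         % info["encryption"])
    tar_bytes = zlib.decompress(payload) if info["compressed"] else payload
    return info, tar_bytes


def list_backup(blob: bytes):
    """Return (header info, member names) so you can see which app files a backup captured."""
    info, tar_bytes = parse_ab(blob)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        names = [m.name for m in tf.getmembers()]
    return info, names


def make_sample_ab(files: dict, compressed: bool = True) -> bytes:
    """Build a constructed, unencrypted .ab blob in memory (offline test input).
    Names follow the apps/<package>/... layout that `adb backup` writes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    header = MAGIC + b"1\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


if __name__ == "__main__":
    sample = make_sample_ab({                       # constructed sample backup
        "apps/com.example.app/_manifest": b"com.example.app\n1\n",
        "apps/com.example.app/db/messages.db": b"SQLite format 3\x00",
    })
    print(list_backup(sample))
```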
3. LOGICAL DATA EXTRACTION - CUSTOM RECOVERY
```
# reboot into the bootloader
adb reboot bootloader
# boot the custom recovery
fastboot boot [recovery-name].img
```
Turn on USB debugging and remove the gesture.key/password.key.
Make a dd copy of the partition.
Analyze the partitions using tools like The Sleuth Kit (TSK) - http://www.sleuthkit.org/sleuthkit/ or Oxygen Suite - http://www.oxygen-forensic.com
HOW TO SNOOP INSIDE AN ANDROID APP?
1. `$ apktool d BANK.apk`
2. `$ jar xvf BANK.apk classes.dex`
3. `$ dex2jar.sh classes.dex`
4. Open JD-GUI
5. Try alternatives: Dare, DED, dexdump etc.
ANDROID ANTI-FORENSICS
1. Physical destruction
2. Overwriting data on your device
3. Cryptography or steganography
PROTECT YOUR OWN ANDROID APP?
• Protect the app: encrypt your binary ("magic" via DexGuard)
• Protect the resources, the preferences and the database
• Follow security and code guidelines when handling sensitive data
• Your (safer) code and ART
MORE ON ANDROID FORENSICS
Interested in more?
• http://stackoverflow.com/questions/28007421/android-image-extraction-from-cache
• https://github.com/AFFT-520/Android-Free-Forensic-Toolkit
• https://github.com/soarlab/maline
• http://freeandroidforensics.blogspot.de/
• http://resources.infosecinstitute.com/getting-started-android-forensics/
• https://andriller.com/