Manish Chasta - Android forensics
Transcript of Manish Chasta - Android forensics
Android Forensics
Manish Chasta, CISSP | CHFI
PRESENTED BY Manish Chasta, Principal Consultant, Indusface
Agenda
• Introduction to Android
• Rooting Android
• Seizing Android Device
• Forensic Steps
• Chain of Custody
• Indian Cyber Laws
Introduction to Android
• Most widely used mobile OS
• Developed by Google
• OS + Middleware + Applications
• Android Open Source Project (AOSP) is responsible for maintenance and further development
Presence in the Market
• According to a Gartner report, Android captured 36% market share in Q1 of 2011.
• Listed by Canalys as the best-selling smartphone worldwide.
Android Architecture
Android Architecture: Linux Kernel
• Linux kernel with system services:
  – Security
  – Memory and process management
  – Network stack
• Provides drivers to access hardware:
  – Camera
  – Display and audio
  – Wifi
  – …
Android Architecture: Android Runtime
• Core Libraries:
  – Written in Java
  – Provide the functionality of the Java programming language
  – Interpreted by the Dalvik VM
• Dalvik VM:
  – Java-based VM, a lightweight substitute for the JVM
  – Unlike the JVM, the DVM is a register-based virtual machine
  – The DVM is optimized to run with limited main memory and low CPU usage
  – Java code (.class files) is converted into .dex format to be able to run on the Android platform
SQLite Database
• SQLite Database:
  – SQLite is a widely used, lightweight database
  – Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
  – SQLite is a free-to-use and open source database
  – Zero-configuration: no setup or administration needed
  – A complete database is stored in a single cross-platform disk file
How can Android be used in Cyber Crime?
• Software Theft
• Terrorism Activity
• Pornography / Child Pornography
• Financial Crime
• Sexual Harassment Cases
• Murder or other Criminal Activities
Forensic Process: An Open Source Approach
• Seizing the device
• Creating a 1:1 image
• Recovering the useful data
• Analyzing the image to discover evidence
• Maintaining chain of custody
Seizing Android Device
• If the device is off, do not turn it on
• If the device is on, leave it on and keep the device charging
• Take photos of the device and its display
• Seize all other accessories available, i.e. memory card, cables etc.
• Label all evidence and document everything
Creating 1:1 Image
• Creating Image of Memory Card
• Creating Image of Device
Creating Image of Memory Card
• FAT32 file system
• Easy to create an image
• In most cases, applications won't store any sensitive data on the memory card
• A number of commercial and open source tools are available
Creating Image of Memory Card
• Using WinHex
Creating Image of the Device
• Android's file systems
• Importance of rooting
• Rooting a Samsung Galaxy device
Rooting Android Device
• Step 1: Download the CF-Root kernel files and the Odin3 software
Rooting Android Device
• Step 2: Keep the handset in debugging mode
Rooting Android Device
• Step 3: Run Odin3
Rooting Android Device
• Step 4: Reboot the phone in download mode
• Step 5: Connect it to the PC
Rooting Android Device
• Step 6: Select the required files, i.e. PDA, Phone, CSC files
• Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
Rooting Android Device
• If your phone is rooted, you will see PASS!! in Odin3
Creating Image of the Device
• Taking a backup with dd
  – Low-level copying and conversion of raw data
  – Creates a bit-by-bit image of the disk
  – Output can be read by any forensic tool
  – Typical syntax: dd if=/dev/SDA of=/sdcard/SDA.dd
  – Interesting locations:
    • /data/data/
    • /data/system/
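An added example, not from the slides, of what the dd step plus an integrity check amount to in code: a block copy that tolerates unreadable blocks the way `dd conv=noerror,sync` does (those conv options are an assumption here; the slide shows only if/of), followed by a SHA-256 comparison of source and image. The file names and the sample partition contents are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, bs=1 << 20):
    """Hash a file in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bs), b""):
            h.update(chunk)
    return h.hexdigest()

def image_block_device(src, dst, bs=4096):
    """Bit-for-bit copy of src into dst, one block at a time. As with
    `dd conv=noerror,sync`, a block that cannot be read is replaced by
    zeros so every later offset in the image still matches the device;
    the offsets of such blocks are returned for the examiner's notes."""
    bad_offsets = []
    offset = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            try:
                block = fin.read(bs)
            except OSError:
                bad_offsets.append(offset)
                fin.seek(offset + bs)       # skip the unreadable block
                block = b"\0" * bs
            if not block:
                break
            fout.write(block)
            offset += len(block)
    return {"bytes": offset, "bad_block_offsets": bad_offsets}

def verify_image(src, dst):
    """True when the image hashes identically to the source; record both
    digests before any analysis tool touches the image."""
    return sha256_file(src) == sha256_file(dst)

if __name__ == "__main__":
    # Constructed stand-in for a partition: the real /dev node on the handset
    # is only readable with root, which is why the slides root the device first.
    work = tempfile.mkdtemp()
    src = os.path.join(work, "userdata.bin")
    with open(src, "wb") as fh:
        fh.write(os.urandom(3 * 4096 + 512))
    dst = os.path.join(work, "userdata.dd")
    print(image_block_device(src, dst), verify_image(src, dst))
```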
Creating Image of the Device
Creating Image of the Device
• Taking an image with the viaExtract tool
Recovering Data
• Using WinHex
Analysing Image
• Reading the Image
• Looking for KEY data
• Searching techniques (DT Search)
Analysing Image
• WinHex
• Manual Intelligence
• viaExtract
Analyzing SQLite
• SQLite stores the most critical information
• Interesting place for Investigators
• Tools
  – Epilog
  – SQLite Database Browser
  – sqlite_analyzer
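An added example (not one of the tools listed above, and not the presenter's code) of why SQLite files deserve more than a live query: it opens a database read-only, reports row counts and freelist pages, then carves phone-number strings from the raw bytes to show that a deleted row and a dropped table are still on disk. The mmssms.db name, the +91 numbers and the table layout are constructed sample data.

```python
import os
import re
import sqlite3
import tempfile

def triage_sqlite(path):
    """Open an evidence database read-only (mode=ro, so the file is not
    touched) and report what live queries see: rows per table and the
    freelist page count, i.e. pages released by deletes or DROP TABLE."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                  for n in names}
        freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
    finally:
        con.close()
    return {"tables": counts, "freelist_pages": freelist}

def carve_strings(path, pattern):
    """Search the raw file rather than the tables: with secure_delete off a
    deleted row is only unlinked, not wiped, so its text is still present."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted({m.group().decode() for m in re.finditer(pattern, data)})

def make_sample_db(path):
    """Constructed sample: an SMS-style table with one row deleted and a
    second table dropped, standing in for a real handset database."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # deleted bytes stay in the file
    con.execute("CREATE TABLE sms (address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?)", [
        ("+919876543210", "meet at 9"), ("+919812345678", "send the files"),
        ("+919899887766", "delete this")])
    con.execute("CREATE TABLE draft (address TEXT)")
    con.execute("INSERT INTO draft VALUES ('+919700000001')")
    con.commit()
    con.execute("DELETE FROM sms WHERE address = '+919899887766'")
    con.execute("DROP TABLE draft")   # its page goes to the freelist intact
    con.commit()
    con.close()

if __name__ == "__main__":
    db = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    make_sample_db(db)
    print(triage_sqlite(db))                   # 2 live rows, 1 freelist page
    print(carve_strings(db, rb"\+91\d{10}"))   # all four numbers on disk
```

The same carve run over a handset's real databases is how tools such as Epilog surface messages the phone's own UI no longer shows.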
Analyzing SQLite
• Epilog
Maintaining ‘Chain of Custody’
• What is Chain of Custody?
• CoC can have the following information:
  – What is the evidence?
  – How did you get it?
  – When was it collected?
  – Who has handled it?
  – Why did that person handle it?
  – Where has it travelled, and where was it ultimately stored?
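The six questions on this slide as a tamper-evident log, added here as an illustration rather than taken from the presentation: each entry answers what/how/when/who/why/where and carries a SHA-256 over its contents plus the previous entry's hash, so an altered or removed record fails verification. The hash chaining is this example's own design choice, and all entry values are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64   # prev_hash of the first entry (constructed convention)

def custody_entry(what, how, who, why, where, collected_at=None,
                  prev_hash=GENESIS):
    """One chain-of-custody record. The hash covers every field including
    prev_hash, so entries cannot be edited or reordered unnoticed."""
    entry = {
        "what": what, "how": how,
        "when": collected_at or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "who": who, "why": why, "where": where,
        "prev_hash": prev_hash,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(body).hexdigest()
    return entry

def append_entry(chain, **fields):
    """Add a record linked to the current last entry (or GENESIS)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(custody_entry(prev_hash=prev, **fields))
    return chain

def verify_chain(chain):
    """Recompute every hash and link; return the index of the first broken
    entry, or -1 when the whole chain is intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev_hash") != prev:
            return i
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != e["hash"]:
            return i
        prev = e["hash"]
    return -1

if __name__ == "__main__":
    log = []
    append_entry(log, what="Samsung Galaxy handset (constructed sample)",
                 how="seized from suspect's desk", who="examiner1",
                 why="collection", where="evidence locker A",
                 collected_at="2011-05-30T10:00:00Z")
    append_entry(log, what="userdata.dd, sha256 <placeholder>", how="dd via adb",
                 who="examiner1", why="imaging", where="forensic workstation",
                 collected_at="2011-05-30T12:00:00Z")
    print(verify_chain(log))   # -1: intact
```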
Indian Laws covering Digital Crimes
• We can categorize cyber crimes in two ways:
  – The computer as a target
  – The computer as a weapon
• Indian Laws:
  – IT Act 2000
  – IT (Amendment) Act, 2008
  – Rules under sections 6A, 43A and 79
• MIT site: http://mit.gov.in/content/cyber-laws