Mobile Device Forensics Essentials (SANS) - Eoghan Casey

Slide 1: Mobile Device Forensics Essentials

Everything you need to know but were afraid to ask!

Eoghan Casey, [email protected]

Slide 2: Pervasive Computing

• Billions of devices worldwide
  – China (540+ million)
  – Europe (400+ million)
  – India (360 million)
  – United States (270 million)
• People carrying multiple devices

Slide 3: Mobile Misuse and Malware

• Unauthorized access
  – Bluetooth hacking
  – Spyware
  – IPv6
• Eavesdropping on communications
• Tracking device location
• Server reconfiguration
• Access to desktop sync/backups

Slide 4: Categories of Evidence

• Who
  – Owner details and user accounts
  – Contacts and cohorts
  – Personalization (wallpaper, ringtones)
• When
  – Calendar items
  – File system metadata
  – Timestamps may not be immediately visible
• What
  – Phone call database
  – E-mail and memos
  – SMS / MMS
  – Internet and LAN access
  – Visited URLs and saved pages
• Where
  – Location information

Slide 5: Case: Murder

• John Gaumer
  – Met Josie Brown on Myspace
  – Arranged a date and killed her
• Victim’s phone provided clues
  – Last location contradicted Gaumer
  – Accidental voicemail from Gaumer’s phone
  – “thumping noises, shouting and brief bursts of a woman’s muffled screams”

Slide 6: GPS Remnants

• Cached map queries
  – Traffic or social networking applications
• GPS coordinates embedded in Exif

N35 deg 36' E139 deg 41'

Slide 7: Investigation Dictates Goals

• Logical acquisition may be sufficient
  – Items from AT or proprietary commands
  – User backup utilities
• Software agent using device API
• Physical acquisition
  – Need to recover lock code
  – Need to recover deleted data
• Whatever can be acquired…
  – Should be complete and accurate

Slide 8: In-Field Challenges

• No data cable
  – Try Bluetooth
• Lock codes
• Unsupported device
  – Select a similar model
  – Manual examination
• Forensic tool glitch

Slide 9: Logical Acquisition

• Extraction of data seen by the user on the device
• Does not acquire deleted data
• Even forensic tools may not capture all logical data

Slide 10: Example: Failed Acquisition (iDEN)

• You can’t spell evidence without “iDEN”
  – Videos/photos visible on device
• Cellebrite
  – Phonebook only
• Paraben acquisition errors
  – Flex: “Unknown packet”
  – User space
• “Unknown Crap Signature”

Slide 11: Motorola iDEN Backup

Slide 12: Example of Tool Limitations

• Cellebrite
• .XRY

Slide 13: Example of Tool Limitations

• BitPim
• ForensicMobile

Slide 14: Lessons Learned

• Forensic practitioners
  – Non-forensic tool may recover more data…
  – Or not!
• Forensic tool developers
  – State what level of support up front
  – Get the basics right first
  – Try to be consistent

Slide 15: Where do we draw the line?

• Microsoft ActiveSync
  – Interacts with device and alters system
• Flash & Backup
  – Reset home screen photo on test device
• Jailbreak
  – Modifies the device
• Remote access
  – Sync to BES server

Slide 16: Recovering Unlock Codes

• User manual
  – Default lock code
  – Security bypass code
• Motorola SEEM
  – P2K Commander
  – BitPim
• Some CDMA forensic tools
  – ForensicMobile

1234

Slide 17: Forensic Acquisition of Windows Mobile 6

How complete is your analysis if…
• Your software agent can’t execute
  – Won’t run unsigned applications
• Important files are empty
  – Files locked by the operating system
• Some tools only acquire limited items
• Your tools don’t understand the data
  – Proprietary database format

Slide 18: WM6: Failed Acquisition

• Software agent advantages
  – Access to more data
  – Control changes
  – Known impact
• Software agent won’t run
  – Can change Registry value

Slide 19: WM6: Locked Files are Empty

Slide 20: WM6: Varying Results with Different Tools

• Cellebrite
  – Contacts, images, videos, ringtones
• Paraben
  – Some files, deleted filenames
• .XRY
  – SMS, call logs, images, videos…
• XACT
  – Entire FAT volume
  – Using Flash Abstraction Layer

Slide 21: Lesson Learned

• Forensic practitioners
  – Non-forensic tools are less effective
  – Forensic tools provide widely varying results
• Forensic tool developers
  – Be clear about what is acquired
  – Don’t delete the agent afterwards

Slide 22: Flasher Boxes

• Designed to update flash memory
  – Twister
  – HWK
  – UFS3
  – SHU box
  – JAF box
• Cables!

Slide 23: Twister & SaraSoft

Slide 24: Beware of Overwriting Evidence

• Sarasoft
  – Designed for flashing

Slide 25: Limited Models and Firmware

• Nokia 6230
  – Some firmware does not support direct memory access
• Twister box
  – Rd MEM error
  – Rd PM success

Slide 26: Example: Deleted Photos (Samsung)

Slide 27: Example: Deleted Text Messages (Motorola)

Slide 28: Bomb Investigation (Alphabet Soup)

• IKEA
• IED
• No SIM
• IMSI in memory
• NSPs have CDRs

Slide 29: WM6: Interpreting Data (FAT & EDB)

Slide 30: WM6: Interpreting Data using Emulator

• Mount acquired file
• Examine details
• Call history example
  – Log of recent calls
  – Drill down for details

Slide 31: Keyword Searching

• ASCII and Unicode
• Regular expressions
• Nibble reversed format
• 7-bit encoded

BKForensics CPA extracting e-mail addresses & URLs from Samsung memory dump

Slide 32: SMS 7-bit Encoding

MAIN Success Connected to Motorola USB Modem [COM11]
MAIN Success Starting process of FLASHDUMP (4.10)
FLASHDUMP Success Connecting…
FLASHDUMP Success Firmware R452F1_G_08.05.04R
FLASHDUMP Success Flex GSTCPRIRTMB01NA097
FLASHDUMP Success Boot Loader 0x0ac3
FLASHDUMP Success Installing Flash Loader
FLASHDUMP Success Flash Loader Connected
FLASHDUMP Success Reading 64MB FLASH
FLASHDUMP Success Reading 10000000-1000FFFF,Boot
FLASHDUMP Success Reading 10010000-1001FFFF,PDS
FLASHDUMP Success Reading 10020000-1003FFFF
FLASHDUMP Success Reading 10040000-10091FFF,DSP
FLASHDUMP Success Reading 10092000-115DFFFF,Firmware
FLASHDUMP Success Reading 115E0000-1185FFFF,DRM
FLASHDUMP Success Reading 11860000-11ABFFFF,LangPack
FLASHDUMP Success Reading 11AC0000-13F5FFFF,Flex
FLASHDUMP Success Reading 13F60000-13F7FFFF
FLASHDUMP Success Reading 13F80000-13F9FFFF,DigSig
FLASHDUMP Success Reading 13FA0000-13FDFFFF
FLASHDUMP Success Reading 13FE0000-13FE07FF,DigSig
FLASHDUMP Success Reading 13FE0800-13FFFFFF
FLASHDUMP Success Saved 67108864 Bytes from 10000000-13FFFFFF
FLASHDUMP Success Totally Saved 67108864 Bytes from FLASH
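The two encodings the keyword-searching and SMS 7-bit slides refer to, nibble-reversed BCD phone numbers and packed GSM 7-bit message text, as an added example (not code from the presentation); the memory dump bytes are constructed, and the functions show why an ASCII search for the number or the message finds nothing.

```python
# Added example, not from the presentation. Phone numbers inside SMS/PDU
# structures are stored as nibble-reversed BCD and message text as packed
# GSM 03.38 7-bit septets, so an ASCII keyword search for "4105551234" or
# "meet" finds neither; the examiner must search for the encoded forms.

def nibble_reverse_bcd(number: str) -> bytes:
    """Swapped-nibble BCD: '41 05' -> 0x14 0x50; odd length padded with 0xF."""
    digits = number.lstrip("+")
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))

def find_bcd_number(dump: bytes, number: str) -> list:
    """Offsets at which the nibble-reversed form of number occurs in dump."""
    needle, hits, start = nibble_reverse_bcd(number), [], 0
    while (pos := dump.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

# GSM 03.38 default alphabet; string index == 7-bit code (0x1B is the escape).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def pack_gsm7(text: str) -> bytes:
    """Pack septets LSB-first, as a PDU does (8 characters fit in 7 bytes)."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM7.index(ch) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")

def unpack_gsm7(packed: bytes, nchars: int) -> str:
    """Inverse of pack_gsm7; nchars comes from the PDU's user-data length."""
    bits = int.from_bytes(packed, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(nchars))

# Constructed dump: filler, a BCD-encoded number, filler, a packed SMS body.
SAMPLE_DUMP = (b"\x00" * 16 + nibble_reverse_bcd("4105551234")
               + b"\xff" * 8 + pack_gsm7("meet at 9") + b"\x00" * 4)

def search_dump(dump: bytes = SAMPLE_DUMP) -> dict:
    """Contrast an ASCII search with searches for the encoded forms."""
    # First 3 packed bytes hold 3 full septets and do not depend on what follows.
    sms_off = dump.find(pack_gsm7("meet")[:3])
    return {"ascii_hits": dump.find(b"4105551234"),  # -1: not present as text
            "bcd_hits": find_bcd_number(dump, "4105551234"),
            "sms_text": unpack_gsm7(dump[sms_off:sms_off + 8], 9)}
```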

Slide 33: File Carving

• Foremost
  – JFIF = 0xFFD8FFE0
  – Exif = 0xFFD8FFE1
• Beware of Samsung JPG header
  – 0xFFD8FFE3
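A minimal header/footer carver covering the three JPEG signatures the slide lists, as an added example (neither the presentation's code nor Foremost itself); the dump is constructed. It shows that a signature set limited to the JFIF and Exif headers recovers nothing from a Samsung image that starts 0xFFD8FFE3.

```python
# Added example, not from the presentation. Header/footer carving for the
# JPEG variants named on the slide. A carver configured only with the JFIF
# (APP0) and Exif (APP1) headers silently skips Samsung images that begin
# with an APP3 marker, which is the trap the slide warns about.

JPEG_HEADERS = {
    "jfif": b"\xff\xd8\xff\xe0",
    "exif": b"\xff\xd8\xff\xe1",
    "samsung": b"\xff\xd8\xff\xe3",   # vendor APP3 marker seen on Samsung phones
}
JPEG_FOOTER = b"\xff\xd9"             # EOI marker
MAX_SIZE = 20 * 1024 * 1024           # give up if no EOI within this span

def carve_jpegs(dump: bytes, headers=JPEG_HEADERS) -> list:
    """Return (kind, offset, data) for each header/footer pair found in dump."""
    found = []
    for kind, sig in headers.items():
        start = 0
        while (pos := dump.find(sig, start)) != -1:
            end = dump.find(JPEG_FOOTER, pos + len(sig), pos + MAX_SIZE)
            if end != -1:
                found.append((kind, pos, dump[pos:end + len(JPEG_FOOTER)]))
            start = pos + 1
    return sorted(found, key=lambda f: f[1])

def fake_jpeg(app_marker: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: SOI, one APP segment, payload, EOI."""
    segment = b"\x00" + bytes([len(payload) + 2]) + payload   # 2-byte length
    return b"\xff\xd8" + app_marker + segment + b"\xff\xd9"

# Constructed dump: filler, a JFIF image, filler, a Samsung image, filler.
SAMPLE_DUMP = (b"\x00" * 37 + fake_jpeg(b"\xff\xe0", b"JFIF\x00") + b"\xff" * 11
               + fake_jpeg(b"\xff\xe3", b"SAMSUNG") + b"\x00" * 5)

def carve_counts(dump: bytes = SAMPLE_DUMP) -> dict:
    """How many images the stock signature set and the extended set recover."""
    stock = {k: v for k, v in JPEG_HEADERS.items() if k != "samsung"}
    return {"stock": len(carve_jpegs(dump, stock)),
            "with_samsung": len(carve_jpegs(dump))}
```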

Slide 34: Future of Physical Acquisition

• JTAG interface
  – Test circuit
  – Read flash memory
  – Disabled by some manufacturers
• Direct chip access

Slide 35: What to Do?

• Validate results with multiple tools
• Publish tool evaluation and comparison
• Teach forensic examiners
  – How the underlying technology works
  – How to work around barriers and failures
• Improve physical acquisition and analysis
  – Transition from Flasher boxes
  – Facilitate access to JTAG

Slide 36: Upcoming Training

SANS Mobile Device Forensics
• July 27-31: Baltimore
  – Debut discount: $1,750 (50%)
• Sept 16-20: San Diego

See www.cmdLabs.com for details