Transcript of Public Agency Training Council tech Chief Technical ...
Glenn K. Bard
Public Agency Training Council tech
Chief Technical Officer
PA State Trooper – Retired
NCMEC – Project ALERT
CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE
PATCtech
Glenn Bard, CTO
Scott Lucas, Instructor and Examiner
Steve Dempsey, Instructor
Kathy Enriquez, Instructor
Brian Sprinkle, Case Manager – examiner
James Alsup, Director PATC
Stefani Lucas, Marketing Director
SQL / DB forensics
PATCtech – CTO Glenn K. Bard
CISSP, EnCE, ACE, AME, CHFI, A+, Network+, Security+
SQL / DB forensics
• Why is it so important to learn SQL / DB forensics?
• Both iOS and Android rely heavily on database files to store content
• Average smartphone will have hundreds of these files
• Each App will have its own set of DB, they are not shared
• And since each App has them, if your forensic tool does not support that App, then you will need to find another way to get the data
• Contain a large amount of data, including deleted information
• Can contain other files, such as jpg, plist, and so on
SQL / DB forensics
• Before we begin, some definitions we need to know:
• Tables – These are the different types of data the DB will store. IE: messages, Handle, MSG Pieces, etc.
• ROWID (ID) – This is a sequential number for an entry in the DB
• SQLite Sequence – The last assigned ROWID for each table
• BLOB – Binary Large Object
• Unix time – Number of seconds since January 1, 1970 00:00:00
• Mac time – Number of seconds since January 1, 2001 00:00:00
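An added example (not from the PATCtech slides) that puts these definitions to work on a constructed table shaped loosely like a messaging app's: it shows ROWID, the entry in sqlite_sequence, a BLOB holding an embedded jpg, and conversion of Unix and Mac time to UTC. The table layout, column names and data are all constructed for illustration and are not any real app's schema.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Epoch definitions from the slide: Unix time counts from 1970, Mac time from 2001.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH_OFFSET = int((MAC_EPOCH - UNIX_EPOCH).total_seconds())  # 978307200 seconds


def unix_to_utc(seconds):
    """Unix time: seconds since January 1, 1970 00:00:00 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def mac_to_utc(seconds):
    """Mac time: seconds since January 1, 2001 00:00:00 UTC."""
    return MAC_EPOCH + timedelta(seconds=seconds)


JPEG_MAGIC = b"\xff\xd8\xff\xe0"  # first bytes of a JFIF jpg, used for the sample BLOB


def build_sample_db():
    """Constructed in-memory DB: a 'message' table with an AUTOINCREMENT ROWID,
    a Mac-time date column and a BLOB column. One row is deleted afterwards."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message ("
        " ROWID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " text TEXT, date INTEGER, attachment BLOB)"
    )
    rows = [
        ("hello", 0, None),                              # date = Mac epoch itself
        ("photo", 86400, JPEG_MAGIC + b"\x00" * 16),     # BLOB carrying a jpg header
        ("bye", 172800, None),
    ]
    conn.executemany(
        "INSERT INTO message(text, date, attachment) VALUES (?, ?, ?)", rows)
    conn.execute("DELETE FROM message WHERE text = 'bye'")  # simulate a deleted entry
    conn.commit()
    return conn


def last_assigned_rowid(conn, table):
    """sqlite_sequence holds the last ROWID handed out for each AUTOINCREMENT table."""
    row = conn.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    return row[0] if row else None


def rowid_gap(conn, table):
    """Last assigned ROWID minus the highest ROWID still present.
    A positive gap means entries were allocated and later deleted."""
    seq = last_assigned_rowid(conn, table)
    live_max = conn.execute(f"SELECT MAX(ROWID) FROM {table}").fetchone()[0] or 0
    return seq - live_max


def blob_looks_like_jpeg(blob):
    """Cheap content check on a BLOB: jpg files start with FF D8 FF."""
    return blob is not None and blob[:3] == b"\xff\xd8\xff"


def dump_messages(conn):
    """Return (ROWID, text, date as ISO UTC, attachment-is-jpg) for live rows."""
    out = []
    for rowid, text, date, attachment in conn.execute(
            "SELECT ROWID, text, date, attachment FROM message ORDER BY ROWID"):
        out.append((rowid, text, mac_to_utc(date).isoformat(),
                    blob_looks_like_jpeg(attachment)))
    return out


if __name__ == "__main__":
    conn = build_sample_db()
    for row in dump_messages(conn):
        print(row)
    print("last ROWID:", last_assigned_rowid(conn, "message"),
          "gap:", rowid_gap(conn, "message"))
```

The gap between sqlite_sequence and the highest live ROWID is only a hint that something was deleted; recovering the deleted content itself means carving unallocated pages, which the viewers listed later on these slides do for you.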
SQL / DB forensics
• Where will you find these files?
• Each App will have its own, or in many cases, several of them.
• Some good hints:
• Android: Data / Data / App name / Databases
• iOS: Private / VAR / Mobile
• Applications for third party Apps
• Library for iOS installed Apps
• Let’s take a look:
Android
iOS
Some hints and tips about these databases
• Can have different extensions: DB, SQL, SQLite, SQLiteDB
• Some have odd extensions like the callhistory.storedata
• Some can actually have no extension, and many times the software misses them. One was the threads_db2, which contained the contents of Facebook Messenger.
• In some databases, one column in a table will point to a column in a different table. (For example the Handle ID in SMS messages on an iPhone. Also the ZKIKUSER in the KIK app.)
• In other instances one column can point to a column in a completely different database. (For example the Addressbookimages.sqlitedb and Addressbook.sqlitedb on an iPhone.)
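An added example (not from the PATCtech slides) covering two points from this list: locating databases by the SQLite file header rather than by extension, so a file with an odd extension or no extension at all is not missed, and following a column in one table that points at the ROWID of another. The directory layout, file names and tables are constructed in a temporary folder for the demo; "threads_db2" and "callhistory.storedata" are reused only as example names from the slide, and the message/handle schema is a made-up stand-in, not a real app's.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # the first 16 bytes of every SQLite 3 file


def is_sqlite_file(path):
    """Identify a database by its header, not its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk a tree and return relative paths of every file with the SQLite header."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def list_tables(path):
    conn = sqlite3.connect(path)
    try:
        return [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    finally:
        conn.close()


def messages_with_handles(path):
    """Resolve message.handle_id -> handle.ROWID (a cross-table pointer).
    LEFT JOIN keeps messages whose handle row is missing instead of hiding them."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(
            "SELECT m.ROWID, h.id, m.text FROM message m "
            "LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.ROWID").fetchall()
    finally:
        conn.close()


def build_sample_tree(root):
    """Constructed Android-style layout with three files: a DB without an extension,
    a DB with an unusual extension, and a decoy that only has a DB-looking name."""
    apps = os.path.join(root, "data", "data", "com.example.chat", "databases")
    os.makedirs(apps)
    conn = sqlite3.connect(os.path.join(apps, "threads_db2"))  # no extension
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, text TEXT);
        INSERT INTO handle VALUES (1, '+15555550100'), (2, 'alice@example.com');
        INSERT INTO message VALUES (1, 2, 'hi'), (2, 1, 'ok'), (3, 9, 'orphan');
    """)
    conn.commit()
    conn.close()
    conn = sqlite3.connect(os.path.join(apps, "callhistory.storedata"))  # odd extension
    conn.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY, number TEXT)")
    conn.commit()
    conn.close()
    with open(os.path.join(apps, "cache.db"), "wb") as fh:  # decoy, not SQLite
        fh.write(b"not a database\n")
    return apps


def demo():
    """Build the tree, scan it, and inspect the extension-less database."""
    with tempfile.TemporaryDirectory() as root:
        apps = build_sample_tree(root)
        found = find_sqlite_files(root)
        threads = os.path.join(apps, "threads_db2")
        return {
            "found": [os.path.basename(p) for p in found],
            "tables": list_tables(threads),
            "messages": messages_with_handles(threads),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The header check is the same one a hex viewer shows you at offset 0 of any of these files; running it over an extracted file system is a quick way to list every database a tool may have skipped, including the WAL-backed ones whose main file is small.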
Some hints and tips about these databases
• If you see some that look like this:
Some hints and tips about these databases
• Those are WebKit databases and are usually very important. In many cases they can contain emails, as well as cached information from websites.
• We will see this in a bit.
SQL / DB forensics
• Now that we know where to locate the files, how do we do it?
• First, the tools:
• Mozilla Firefox with SQLite Manager
• SQLite Database Browser Portable
• Dcode from Digital Detective
• Oxygen with SQLite Viewer
Like us on Facebook
• https://www.facebook.com/PATCTech-116471378378526/
Please check out our two new websites:
Patctech.com Patctechns.com
Come back for our future webinars:
• Getting past the iOS passcode:
• http://www.patc.com/online/1099.shtml
• DART / MapLink cell mapping:
• http://www.patc.com/online/1100.shtml
• Getting past the Android passcode:
• http://www.patc.com/online/1101.shtml
Follow PATCtech!
• Updates & PATCtech Research
• Public Safety News
• Training Opportunities
PATCtech – @PATCtech
Forensic Digital Evidence Investigators (LinkedIn Group)