Tisa mobile forensic


Page 1: Tisa mobile forensic

Mobile/Smart Phone Forensic

Watcharaphon Wongaphai Senior Information Security Instructor

GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA Prathan Phongthiproek Section Manager, Senior Information Security Consultant

GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F

ACIS Professional Center

Page 2: Tisa mobile forensic

Outline

1)  Introduction to Mobile Forensic
2)  Forensic Analysis of iPhone
    -  Jailbroken
    -  iTunes backup files

Page 3: Tisa mobile forensic

Forensic Soundness

•  What did it mean for disk forensics?
•  Does it mean the same thing?
•  Mobile devices are volatile, by nature
   –  Real-time clock changing in memory all the time
   –  Acquiring SMS messages may change their status to "Read"
   –  Some tools run code on the device itself
•  Our goal is to change as little as possible
   –  Perhaps disable automatic sync when using BlackBerry Desktop Manager, and disable conversion to local time in ABC Amber Converter

Page 4: Tisa mobile forensic

Evidence Take-In and Chain of Custody

•  Document the scene
   –  Handle with care, and gloves
   –  For the Chain of Custody form, find the serial number
   –  Don't forget MicroSD cards
   –  Photograph the device where it is found
   –  Document what is showing on the screen, if anything
   –  Power concerns
   –  Take cables and documentation

Page 5: Tisa mobile forensic

Blocking Network Connectivity

•  Disable the radio
   –  How can you be sure it's disabled?
•  Faraday isolation
   –  Not all products are created equal
   –  Usually causes the battery to be depleted more quickly
•  Use a "safe" SIM card
•  Remember, you want to turn off the phone's connectivity to the service provider, as well as Wi-Fi and Bluetooth connectivity
•  Exercise: Disable network connectivity on your own phone.

Page 6: Tisa mobile forensic

•  What
   –  Phone call database
   –  E-mail and memos
   –  SMS/MMS
   –  Internet and LAN access
   –  Visited URLs and saved pages
•  Where
   –  Location information

Page 7: Tisa mobile forensic

•  Who
   –  Owner details and user accounts
   –  Contacts and cohorts
   –  Personalizations (wallpaper, ringtones)
•  When
   –  Calendar items
   –  File system metadata
   –  Timestamps may not be immediately visible

Page 8: Tisa mobile forensic

Messaging

•  Short message service (SMS)
•  Multimedia message service (MMS)
•  Instant messaging
•  BlackBerry
   –  PIN messages
   –  BlackBerry IM

Page 9: Tisa mobile forensic

Internet Activities

•  Downloaded images and web pages
•  Email
•  Visited URLs
•  History log
•  Browser cache

Page 10: Tisa mobile forensic

Location Tracking

•  Location-based applications
   –  Loopt
   –  Google Latitude
   –  Yahoo! Fire Eagle
   –  Citysense
   –  LifeBlog
   –  Facebook (Friends on Fire)
   –  Foursquare
   –  Twitter

Page 11: Tisa mobile forensic

GPS Embedded in Photos

•  GPS coordinates embedded in Exif
•  Same Exif we talked about for disk forensics
•  This is often automatically added if the phone is GPS aware.
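The GPS coordinates sit in their own GPS IFD inside the Exif/TIFF structure of the JPEG, referenced from IFD0 by the GPSInfo pointer tag (0x8825); latitude and longitude are stored as degrees/minutes/seconds rationals with separate N/S and E/W reference tags (0x0001 to 0x0004). The following Python is an added example, not code from the deck or its authors: it walks that structure directly rather than through an image library, so the reader sees exactly which bytes carry the position. The sample TIFF blob is constructed inline and encodes 13°45'N 100°30'E; the tag numbers and type codes are the standard Exif ones.

```python
import struct

# Byte size of each TIFF field type (1 BYTE, 2 ASCII, 3 SHORT, 4 LONG, 5 RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER = 0x8825          # IFD0 tag holding the offset of the GPS IFD
GPS_TAGS = {0x0001: "LatitudeRef", 0x0002: "Latitude",
            0x0003: "LongitudeRef", 0x0004: "Longitude"}


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, raw_bytes)} for one IFD; values > 4 bytes are
    stored out of line, so follow the offset for those."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack(order + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:
            raw = tiff[pos + 8:pos + 8 + size]
        else:
            (off,) = struct.unpack(order + "I", tiff[pos + 8:pos + 12])
            raw = tiff[off:off + size]
        entries[tag] = (typ, count, raw)
        pos += 12
    return entries


def _value(typ, count, raw, order):
    """Decode the field types this example needs (ASCII, LONG, RATIONAL)."""
    if typ == 2:
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == 4:
        return struct.unpack(order + "I", raw[:4])[0]
    if typ == 5:
        vals = struct.unpack(order + "II" * count, raw[:8 * count])
        return [vals[i] / vals[i + 1] if vals[i + 1] else 0.0
                for i in range(0, 2 * count, 2)]
    return raw


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    deg, minutes, seconds = (list(dms) + [0, 0, 0])[:3]
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(tiff):
    """(lat, lon) from a TIFF blob (the bytes after 'Exif\\0\\0'), or None."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return None
    (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, order)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, _value(*ifd0[GPS_IFD_POINTER], order), order)
    fields = {GPS_TAGS[t]: _value(*gps[t], order) for t in GPS_TAGS if t in gps}
    if not {"Latitude", "Longitude", "LatitudeRef", "LongitudeRef"} <= fields.keys():
        return None
    return (dms_to_decimal(fields["Latitude"], fields["LatitudeRef"]),
            dms_to_decimal(fields["Longitude"], fields["LongitudeRef"]))


def exif_gps_from_jpeg(jpeg):
    """Find the Exif APP1 payload inside a JPEG and hand its TIFF part to exif_gps."""
    at = jpeg.find(b"Exif\0\0")
    return None if at < 0 else exif_gps(jpeg[at + 6:])


def build_sample_tiff():
    """Constructed little-endian Exif/TIFF blob whose only content is a GPS IFD
    for 13 deg 45' N, 100 deg 30' E (sample data, not from any real photo)."""
    o = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4        # one IFD0 entry  -> GPS IFD at 26
    lat_off = gps_off + 2 + 4 * 12 + 4     # four GPS entries -> rationals at 80
    lon_off = lat_off + 24
    header = b"II*\0" + struct.pack(o + "I", ifd0_off)
    ifd0 = (struct.pack(o + "H", 1)
            + struct.pack(o + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
            + struct.pack(o + "I", 0))
    gps = struct.pack(o + "H", 4)
    gps += struct.pack(o + "HHI", 0x0001, 2, 2) + b"N\0\0\0"
    gps += struct.pack(o + "HHII", 0x0002, 5, 3, lat_off)
    gps += struct.pack(o + "HHI", 0x0003, 2, 2) + b"E\0\0\0"
    gps += struct.pack(o + "HHII", 0x0004, 5, 3, lon_off)
    gps += struct.pack(o + "I", 0)
    lat = struct.pack(o + "IIIIII", 13, 1, 45, 1, 0, 1)
    lon = struct.pack(o + "IIIIII", 100, 1, 30, 1, 0, 1)
    return header + ifd0 + gps + lat + lon


def build_tiff_without_gps():
    """Constructed TIFF blob with an empty IFD0: a photo with no GPS data."""
    return b"II*\0" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


if __name__ == "__main__":
    print(exif_gps(build_sample_tiff()))   # (13.75, 100.5)
```

For a real JPEG, pass the file bytes to exif_gps_from_jpeg; a None result means either no Exif segment or no GPS IFD, which is itself a finding worth recording (location services off, or the image was re-saved by an application that strips metadata).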

Page 12: Tisa mobile forensic

Think Outside the Device

•  Past usage information
   –  Network service provider records
   –  Look for paper bills
•  Detailed history of usage
   –  Date and duration of calls
   –  Numbers called
   –  SMS messages sent (no content retained)
•  NSP maintains detailed records
   –  Calling IMSI and IMEI
   –  Called IMSI and IMEI
   –  Location: first and last cell
   –  Charging details

Page 13: Tisa mobile forensic

iPhone Forensic with a Jailbroken Device

Page 14: Tisa mobile forensic

Zdziarski Technique

•  Step by step
•  Jailbreak
•  Forensic acquisition
•  SSH
•  Create image by using the dd command
•  Transfer image using netcat
•  Use scalpel to carve data

SSH Connection

DD image via Netcat

Page 15: Tisa mobile forensic

Zdziarski Technique

•  Example command (device at 192.168.0.2, examiner workstation at 192.168.0.1; the nc listener on the workstation must already be running when dd starts, and the user partition is remounted read-only first so the acquisition itself writes nothing to it):

   On the device, over SSH:

      andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2
      root@192.168.0.2's password:
      -sh-3.2# cd /
      -sh-3.2# umount -f /private/var
      -sh-3.2# mount -o ro /private/var
      -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000

   On the workstation, receiving the stream into an image file:

      andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

Page 16: Tisa mobile forensic

Bypass Passcode

Page 17: Tisa mobile forensic

DiskAid

Page 18: Tisa mobile forensic

iPhone Explorer

Page 19: Tisa mobile forensic

iPhone Explorer

Delete this file to bypass the passcode

Page 20: Tisa mobile forensic

iPhone System path

Page 21: Tisa mobile forensic

What can be recovered ?

Page 22: Tisa mobile forensic

Contact

Page 23: Tisa mobile forensic

Calendar Event

Page 24: Tisa mobile forensic

SMS

Page 25: Tisa mobile forensic

Facebook Application

Page 26: Tisa mobile forensic

Geo-location Cache

Page 27: Tisa mobile forensic

Geo-location Cache

Page 28: Tisa mobile forensic

Geo-location Cache

Page 29: Tisa mobile forensic

Geo-location Cache

Page 30: Tisa mobile forensic

iPhone Forensic with iTunes Backup Files

Page 31: Tisa mobile forensic

SYNC and Backup

•  After activation, when the iPhone is connected to the computer a sync will be conducted
•  The user can define what is to be synced, to include:
   •  Music
   •  Photos
   •  Ringtones
   •  Contacts & Calendars
   •  Podcasts
   •  Video
   •  Third party applications
•  Third party applications can initiate the use of the iPhone as a file storage device

Page 32: Tisa mobile forensic

SYNC and Backup

•  Backup data location
   •  Windows XP
      C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
   •  Windows 7
      C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
   •  Mac OS X
      /Users/(username)/Library/Application Support/MobileSync/Backup/

Page 33: Tisa mobile forensic

SYNC and Backup

•  Backup folder files
   •  Many .mdbackup files
   •  The name of each file is the SHA1 hash assigned when it was backed up from the iPhone; the data is serialized off the iPhone and stored as the backup file
   •  Status.plist
      •  Status of last sync
   •  Manifest.plist
      •  List of all files backed up, modification time and hash signature
   •  Info.plist
      •  Information about the iPhone (Name, ICCID, IMEI, Number, Firmware version)

Page 34: Tisa mobile forensic

.mdbackup files

•  Safari History & Bookmarks
•  Photos (phone & synced iPhoto)
•  Sent & Received SMS
•  Calendar Events
•  Notes
•  Address Book Entries
•  Call History
•  Cookies
•  Google Maps History
•  Email Account Settings
•  YouTube Last Search, Last Viewed & Bookmarks data
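Because the backup folder names every file by a SHA1 hash (slide 33), an examiner needs to know which hash corresponds to which artifact on this slide before any of the listed data can be pulled out, and Info.plist is where the device identifiers for the Chain of Custody form come from. The Python below is an added example, not code from the deck or from any of the tools listed later. It assumes the naming convention SHA1("<domain>-<path relative to that domain>"), which is how iTunes names backup files (later versions drop the .mdbackup extension but keep the hash); the on-device paths are the well-known locations of these artifacts, and the Info.plist is constructed inline with placeholder values.

```python
import hashlib
import plistlib
from pathlib import Path


def backup_filename(domain, relative_path):
    """Hashed name of a file in the MobileSync backup folder (assumed convention:
    SHA-1 over "<domain>-<relative path>", e.g. HomeDomain-Library/SMS/sms.db)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


# Well-known on-device locations of the artifacts listed on the slide.
ARTIFACTS = {
    "SMS": ("HomeDomain", "Library/SMS/sms.db"),
    "Address Book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "Call History": ("HomeDomain", "Library/CallHistory/call_history.db"),
    "Calendar": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "Notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
    "Safari Bookmarks": ("HomeDomain", "Library/Safari/Bookmarks.db"),
    "Safari History": ("HomeDomain", "Library/Safari/History.plist"),
}


def artifact_map():
    """Artifact name -> the hashed filename to look for in the backup folder."""
    return {name: backup_filename(dom, path) for name, (dom, path) in ARTIFACTS.items()}


def match_backup_listing(filenames):
    """Given a directory listing, map each artifact to its matching entry (or None).
    Both the bare hash and the older <hash>.mdbackup spelling are accepted."""
    present = set(filenames)
    result = {}
    for name, digest in artifact_map().items():
        result[name] = next((c for c in (digest, f"{digest}.mdbackup") if c in present), None)
    return result


def locate_artifacts(backup_dir):
    """Same as match_backup_listing, but read the listing from a real backup folder."""
    return match_backup_listing(p.name for p in Path(backup_dir).iterdir())


# Constructed Info.plist; every value is a placeholder, not data from a real device.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Device Name</key><string>Example iPhone</string>
  <key>ICCID</key><string>0000000000000000000</string>
  <key>IMEI</key><string>000000000000000</string>
  <key>Phone Number</key><string>+00 000 000 0000</string>
  <key>Product Version</key><string>5.1.1</string>
  <key>Last Backup Date</key><date>2012-06-01T08:30:00Z</date>
</dict>
</plist>
"""

INFO_KEYS = ("Device Name", "ICCID", "IMEI", "Phone Number",
             "Product Version", "Last Backup Date")


def summarize_info_plist(data):
    """Pull the device identifiers out of Info.plist; plistlib accepts the
    XML form shown here as well as the binary form newer iTunes writes."""
    info = plistlib.loads(data)
    return {key: info.get(key) for key in INFO_KEYS}


if __name__ == "__main__":
    for name, digest in artifact_map().items():
        print(f"{digest}  {name}")
    print(summarize_info_plist(SAMPLE_INFO_PLIST))
```

With a real backup, locate_artifacts(r"C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup\<backup id>") tells you at a glance which of the slide's artifacts the backup actually contains before any extractor tool is run on it.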

Page 35: Tisa mobile forensic

Forensic Analysis Tool for Backup files

•  iPhone Backup Extractor
•  iPhone Backup Analyzer
•  MobileSyncBrowser
•  MDBackupExtract
•  WOLF - Sixth Legion
•  Device Seizure - Paraben

Page 36: Tisa mobile forensic

Unprotected Backup files

Page 37: Tisa mobile forensic

Protected Backup files

Page 38: Tisa mobile forensic

Protected Backup files

Page 39: Tisa mobile forensic

Elcomsoft Phone Password Breaker

•  Brute-force backup password with GPU

Page 40: Tisa mobile forensic

Brute-Force Backup password

Page 41: Tisa mobile forensic

Keychain Explorer #1

Page 42: Tisa mobile forensic

Keychain Explorer #2

Page 43: Tisa mobile forensic

Keychain Explorer #2

Page 44: Tisa mobile forensic

iPhone Backup Extractor

Page 45: Tisa mobile forensic

iPhone Backup Analyzer

Page 46: Tisa mobile forensic

iPhone Backup Analyzer

Page 47: Tisa mobile forensic

iPhone Backup Analyzer

Page 48: Tisa mobile forensic

Copyright © 2012 TISA and its respective author (Thailand Information Security Association)

Please contact : [email protected]

http://www.TISA.or.th