Tisa mobile forensic

Mobile/Smart Phone Forensic Watcharaphon Wongaphai Senior Information Security Instructor GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA Prathan Phongthiproek Section Manager, Senior Information Security Consultant GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F ACIS Professional Center
IOS Forensic

Transcript of Tisa mobile forensic

1. Mobile/Smart Phone Forensic
  • Watcharaphon Wongaphai, Senior Information Security Instructor (GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA)
  • Prathan Phongthiproek, Section Manager, Senior Information Security Consultant (GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F)
  • ACIS Professional Center

2. Outline
  • 1) Introduction to Mobile Forensic
  • 2) Forensic Analysis of iPhone
    • JailBroken
    • iTunes Backup files

3. Forensic Soundness
  • What did it mean for disk forensics? Does it mean the same thing?
  • Mobile devices are volatile by nature
  • Real time clock changing in memory all the time
  • Acquiring SMS messages may change their status to Read
  • Some tools run code on the device itself!
  • Our goal is to change as little as possible
  • Perhaps disable automatic sync when using Blackberry Desktop Manager, and disable conversion to local time in ABC Amber Converter

4. Evidence Take-In and Chain of Custody
  • Document the scene
  • Handle with care, and gloves!
  • For the Chain of Custody form, find the serial number
  • Don't forget MicroSD cards!
  • Photograph the device where it is found
  • Document what is showing on the screen, if anything
  • Power concerns
  • Take cables and documentation

5. Blocking Network Connectivity
  • Disable the radio
  • How can you be sure it's disabled?
  • Faraday isolation
    • Not all products are created equal!
    • Usually causes the battery to be depleted more quickly
  • Use a safe SIM card
  • Remember, you want to turn off the phone's connectivity to the service provider, as well as Wi-Fi and Bluetooth connectivity
  • Exercise: Disable network connectivity on your own phone.

6. What / Where
  • What
    • Phone call database
    • E-mail and memos
    • SMS/MMS
    • Internet and LAN access
    • Visited URLs and saved pages
  • Where
    • Location information

7. Who / When
  • Who
    • Owner details and user accounts
    • Contacts and cohorts
    • Personalizations (wallpaper, ringtones)
  • When
    • Calendar items
    • File system metadata
    • Timestamps may not be immediately visible

8. Messaging
  • Short message service (SMS)
  • Multimedia message service (MMS)
  • Instant messaging
  • Blackberry
    • PIN messages
    • Blackberry IM

9. Internet Activities
  • Downloaded images and web pages
  • Email
  • Visited URLs
  • History log
  • Browser cache

10. Location Tracking
  • Location-based applications
    • Loopt
    • Google Latitude
    • Yahoo! Fire Eagle
    • Citysense
    • LifeBlog
    • Facebook (Friends on Fire)
    • Foursquare
    • Twitter

11. GPS Embedded in Photos
  • GPS coordinates embedded in Exif
  • Same Exif we talked about for disk forensics
  • This is often automatically added if the phone is GPS aware.

12. Think Outside the Device
  • Past usage information
  • Network service provider records
    • Look for paper bills
  • Detailed history of usage
    • Date and duration of calls
    • Numbers called
    • SMS message sent (no content retained)
  • NSP maintains detailed records
    • Calling IMSI and IMEI
    • Called IMSI and IMEI
    • Location: first and last cell
    • Charging details

13. iPhone Forensic with Jailbroken

14. Zdziarski Technique Step by Step
  • Jailbreak
  • Forensic Acquisition
    • SSH connection to the device
    • Create image by using the dd command
    • Transfer the dd image using netcat
    • Use scalpel to carve data from the image

15. Zdziarski Technique Example Command

    andrew-hoogs-mac:~ ahoog$ ssh -l root [email protected]
    password:
    -sh-3.2# cd /
    -sh-3.2# umount -f /private/var
    -sh-3.2# mount -o ro /private/var
    -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000

    andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

16. Bypass Passcode

17. DiskAid

18. iPhone Explorer

19. iPhone Explorer
  • Delete this file for bypass passcode

20. iPhone System path

21. What can be recovered?

22. Contact

23. Calendar Event

24. SMS

25. Facebook Application

26. Geo-location Cache

27. Geo-location Cache

28. Geo-location Cache

29. Geo-location Cache

30. iPhone Forensic with iTunes Backup files

31. SYNC and Backup
  • After activation, when the iPhone is connected to the computer a sync will be conducted
  • The user can define what is to be synced, to include:
    • Music
    • Photos
    • Ringtones
    • Contacts & Calendars
    • Podcasts
    • Video
    • Third party applications
  • Third party applications can initiate the use of the iPhone as a file storage device

32. SYNC and Backup
  • Backup data location
    • Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
    • Windows 7: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
    • Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/

33. SYNC and Backup
  • Backup folder files
    • Many .mdbackup files
    • The name of the file is the SHA1 hash when backed up from the iPhone, and the data is serialized off the iPhone and stored as the backup file
    • Status.plist: status of last sync
    • Manifest.plist: list of all files backed up, modification time and hash signature
    • Info.plist: information about the iPhone (Name, ICCID, IMEI, Number, Firmware version)

34. .mdbackup files
  • Safari History & Bookmarks
  • Photos (phone & synced iPhoto)
  • Sent & Received SMS
  • Calendar Events
  • Notes
  • Address Book Entries
  • Call History
  • Cookies
  • Google Map History
  • Email Account Settings
  • YouTube Last Search, Last Viewed & Bookmarks data

35. Forensic Analysis Tool for Backup files
  • iPhone Backup Extractor
  • iPhone Backup Analyzer
  • MobileSyncBrowser
  • MDBackupExtract
  • WOLF - Sixth Legion
  • Device Seizure - Paraben

36. Unprotected Backup files

37. Protected Backup files

38. Protected Backup files

39. Elcomsoft Phone Password Breaker
  • Brute-Force backup password with GPU

40. Brute-Force Backup password

41. Keychain Explorer #1

42. Keychain Explorer #2

43. Keychain Explorer #2

44. iPhone Backup Extractor

45. iPhone Backup Analyzer

46. iPhone Backup Analyzer

47. iPhone Backup Analyzer

48. http://www.TISA.or.th
  • Copyright 2012 TISA and its respective author (Thailand Information Security Association)
  • Please contact: [email protected]
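Slides 33 and 34 say that each file in the backup folder is named by a SHA1 hash and list the artifacts (SMS, address book, call history) an examiner looks for. The following Python helper is an added example, not code from the deck or from any of the tools it names: it assumes the widely documented convention that the name is sha1("<backup domain>-<path relative to that domain>"), and the artifact paths it lists are assumed to be those of older iOS versions.

```python
import hashlib
import os
from typing import Dict, Optional

# Well-known artifact locations inside an iTunes backup (assumed paths for
# older iOS versions): label -> (backup domain, path relative to the domain).
ARTIFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "address_book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "calendar": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
    "safari_history": ("HomeDomain", "Library/Safari/History.plist"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """Return the hex SHA1 that names this file in the backup folder.

    Assumed convention: the hash is computed over the string
    "<domain>-<relative path>", e.g. "HomeDomain-Library/SMS/sms.db".
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def locate_in_backup(backup_dir: str, domain: str, relative_path: str) -> Optional[str]:
    """Find the on-disk path of a backed-up file, or None if it is absent.

    Older backups keep every file flat in the backup folder; newer ones place
    it in a sub-folder named after the first two hex digits of the id.
    """
    file_id = backup_file_id(domain, relative_path)
    candidates = (
        os.path.join(backup_dir, file_id),
        os.path.join(backup_dir, file_id[:2], file_id),
    )
    for candidate in candidates:
        if os.path.isfile(candidate):
            return candidate
    return None


def inventory(backup_dir: str) -> Dict[str, Optional[str]]:
    """Map each known artifact label to where it sits in the backup (or None)."""
    return {
        label: locate_in_backup(backup_dir, domain, path)
        for label, (domain, path) in ARTIFACTS.items()
    }


if __name__ == "__main__":
    for label, (domain, path) in ARTIFACTS.items():
        print(f"{label:15s} {backup_file_id(domain, path)}  <- {domain}-{path}")
```

Run against a real backup folder, `inventory()` tells you which of the listed artifacts were actually captured before you reach for any of the analysis tools in slide 35.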