Yury Chemerkin Cyber Crime Forum 2012
Transcript of Yury Chemerkin Cyber Crime Forum 2012
-
8/13/2019 Yury Chemerkin Cyber Crime Forum 2012
1/13
STATE OF ART OF MOBILE FOR
YU
SOUTH EAST EUROPEAN REGIONAL FORUM ON CYBERSECURITY AND CY
METHODS
PHYSICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF AN ENTIRE PHYSICAL STORE
LOGICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF LOGICAL STORAGE
MANUAL ACQUISITION TECHNIQUE IS UI UTILIZING TO GET PICTURES OF DATA FROM THE SCREEN.
DATA TYPES
ALL AVAILABLE TYPES
ADDRESS BOOK/MESSAGES, GEO/FILES/PASSWORD ETC
METHODS
COMMERCIALLY FORENSIC SOFT
MANAGE WITH FULL COPY OF T
BACKUP IS FULL COPY OF DEVIC
NATIVE/VENDOR TOOLS OR APIs
SCREENSHOT EXTRACTION IS EA
AND SOFTLY FOR THE RUN-DOWPHOTO/VIDEO CAMERA
DATA TYPES
UNKNOWN IS MISSED THROUGH
SAVED MESSAG
SOLID
DB
FILES
REDUCE
RAW
AC
FORENSICS ACQUISITION METHO
METHODOLOGY REALITY
TRADITION
GOAL:
PREVENTING DEVICE FROM ANY CHANGES INCL. MALWARE TRIGGERS
SOLUTION:
AIRPLANE MODE, FARADAY CAGE OR SIMILAR
SOME LIVE CASES PREVENT SYNC
LAST CENTURY
COMPLEXITY FACTOR:
HANDY BLACKBERRY GUI (A COUPLE CLICKS)
OVERLADEN ANDROID GUI (VIA MENU SETTINGS)
ANDROID HOTKEYS DEPEND ON VENDOR
NETWORK AND OTA ISOLATION
BLACKBERRY SMARTPHONE PROPR. PUSH +
EXCHANGE
BLACKBERRY TABLET IMAP4, POP3 + EXCHANGE
ACTIVESYNC
ANDROID GOOGLE SYNC, IDLE, IMAP4, POP3 +EXCHANGE ACTIVESYNC
BLACKBERRY SMARTPHONE TR
ONLINE, QUICKLY RETRIEVE DAT
BLACKBERRY TABLET INTERRU
AND NETWORK, PASSWORD ASK
NON-INBOX/SENT FOLDER DATA
ANDROID INTERRUPTS BY STA
NETWORK, PASSWORD ASKING,
INBOX/SENT FOLDER DATA IF WA
PUSH TECHNOLOGY
DIFFERENCE BY IMPLEMENTATION (PROTOCOL): DIFFERENCE BY REALIZATION (USER
BLACKBERRY
ASCII PRINTABLE CHARACTERS NOT ACCESSIBLE
CUSTOM CASES WALLETS, DEVICE PASSWORD
(ELCOMSOFT)
ANDROID
PATTERN LOCK NEED ROOT ACCESS
PIN NEED ROOT ACCESS
ASCII PRINTABLE CHARACTERS NEED ROOT ACCESS
PASSWORD PROTECTION
AN ACCESS BY DESIGN DESPITE THE SECURITY IMPROVEMENTS
ELCOMSOFT SOLUTION FOR BLACKBERRY
BACKUP DATA, WALLET
DEVICE PASSWORD
PATTERN & PASSWORD LOCK VIA ROOT FILE ACCESS (ANDROID)
GESTURE.KEY, PC.KEY
TOUCH THE SCREEN TO PREVENT PASSWORD LOCKING
PREVENTION THE SCREEN LOCK
APIs (ANDROID)
SCALED BUTTON PREVIEW VIA S
(ALMOST ALL/SETTINGS)
ASTERISKS HIDING DELAY (ALMO
DESKTOP SYNCHRONIZATION (B
FAKE WINDOW TO MISLEAD (AL
PASSWORD EXTRACTION AND BYPAS
DEAD FORENSICS SOLUTION LIVE FORENSICS SOLUTIONS
GOAL GATHERING LOGS, DUMPS, BACKUP, OTHER DATA
SOLUTION SDK TOOLS OR SIMILAR
DATA:
LOGS INCL. Wi-Fi, DUMPS, EXE MODULES, SCREENSHOTS, DEVICE INFO (BLACKBERRY)
SPECIAL LOGGING MECHANISM INCL. EVENTS, CREDENTIALS, FAILURES (ANDROID)
BACKUP:
GRANULATED DATA + WALLET (BB SMARTPHONE)
APP DATA, MEDIA, SETTING (BB TABLET)
THIRD-PARTY SOLUTIONS DESPITE OF NATIVE BACKUP APIs (ANDROID)
DEVICE INFORMATION
PHYSICAL ADDRESS: E8:XX:XX:XX
DEVICE OS: BLACKBERRY PLAYBO
DEVICE PIN: 500XXXXX | OS VER
IP ADDRESS: 192.168.1.31 | SUB
255.255.255.0
DEFAULT GATEWAY: 192.168.1.1 PRIMARY DNS: 192.168.1.1 | PR
WI-FI INFORMATION
STATUS:CONNECTED | SECURIT
PROFILE NAME: XXXX | SSID: XX
SIGNAL LEVEL: -41 DBM | TYPE:
CONNECTION DATA RATE: 65 MB
CLASSIC FORENSICS
DEALING WITH EXPIRATION DEVICE NETWORK LOG EXAMPLE
PRIVATE DATA - THROUGH THE API ONLY
BLACKBERRY CONTACT - EMAILS, CALL & RECENT HISTORY, LINKING WITH SOCIAL NETWORKS, ETC.
ANDROID CONTACT - SQL DB PER VCARD, FB, TWITTER
MEDIA DATA - THROUGH API, SD-CARD
VOICE NOTES, SCREENSHOTS, CAMERAS, SQL DB
EXIF, FILENAME OFTEN INCLUDES EXIF & GEO
MESSAGES AND IM CHATS - API, SD-CARD
IMs ARE NOT ENCRYPTED (BLACKBERRY/ALL)
| SENDER ID | RECIPIENT ID | DATE | DATA
STORED IN SHARED FOLDERS IN
(BLACKBERRY)
MESSAGE DATA STORED IN SQL
MEDIA ON /DATA/DATA PATH
/COM.ANDROID.PROVIDERS.TEL
/COM.FACEBOOK/FB.DB
CLIPBOARD
PASSWORD HAPPENS
WALLET DOES NOT PROTECT CO
GETCLIPBOARD(), GETDATA(), G
LIVE FORENSICS
DEVICE LIFE CYCLE IS MORE THAN ITS SOFTWARE COVERS DEAD CASES IN REAL-TIME
LACK OF SIMULATION ENVIRONMENTS
THE MODERN SECURITY TREND IS APP WORLD INSTALLATION WAY
INFORMATION IS OUT-DATED RAPIDLY WHILE THE AMOUNT LEAVES US MISSING MORE
PASSWORD AND ENCRYPTION ARE A LONG-TERM PROBLEM
LIVE SOLUTIONS PREVENT AND SOLVE ISOLATION ISSUES
FILES ARE STORED IN DEFAULT LOCATION ON SHORT TIME AFTER EVENT
LIMITED CASES FOR DEAD OR LIVE FORENSICS SOLUTIONS
SOME DEAD CASES ARE HANDY BY LIVE AND VICE VERSA NOT TO MISS OPPORTUNITY FOR
CONCLUSION
DEAD AND LIVE FORENSICS BECOME WELL-ESTABLISHED BUT...
THAN
YU
HAKIN9 MAGAZINE R