Yury chemerkin _cyber_crime_forum_2012
State-of-art of mobile forensics
Yury Chemerkin
South East European Regional Forum on Cybersecurity and Cybercrime 2012
Forensics acquisition methods

Methodology:
- Physical acquisition technique: a bit-by-bit copy of an entire physical store.
- Logical acquisition technique: a bit-by-bit copy of logical storage.
- Manual acquisition technique: using the UI to take pictures of data from the screen.
- Data types: all available types (address book, messages, geo, files, passwords, etc.).

Reality:
- Commercial forensic software tools work with a full copy of the device data.
- Backup is a full copy of the device made by native/vendor tools or APIs.
- Screenshot extraction is easily implemented and gentler on a run-down battery than a photo/video camera.
- Data types: the unknown is missed through ignorance; saved messages/IMs; solid DB files reduce the need for raw acquisition.
Network and OTA isolation

Tradition:
- Goal: prevent any changes to the device, incl. malware triggers.
- Solution: airplane mode, Faraday cage or similar; some live cases prevent sync.

Last-century complexity factor:
- Handy BlackBerry GUI (a couple of clicks).
- Overladen Android GUI (via menu, settings...).
- Android hotkeys depend on the vendor.
"Push" technology

Difference by implementation (protocol):
- BlackBerry smartphone: proprietary push + Exchange.
- BlackBerry tablet: IMAP4, POP3 + Exchange ActiveSync.
- Android: Google Sync, IDLE, IMAP4, POP3 + Exchange ActiveSync.

Difference by realization (user experience):
- BlackBerry smartphone: true push if online; quickly retrieves data if it was offline.
- BlackBerry tablet: interrupted by standby and network, asks for the password, loses the non-inbox/sent folder data if it was offline.
- Android: interrupted by standby and network, asks for the password, loses the non-inbox/sent folder data if it was offline.
Password protection: access by design despite the security improvements

BlackBerry:
- ASCII printable characters: not accessible.
- Custom cases: wallets, device password (Elcomsoft).

Android:
- Pattern lock: needs root access.
- PIN: needs root access.
- ASCII printable characters: needs root access.
Password extraction and bypassing

Dead forensics solution:
- Elcomsoft solution for BlackBerry: backup data, wallet; device password.
- Pattern & password lock via root file access (Android): gesture.key, pc.key.

Live forensics solutions:
- Touch the screen to prevent password locking.
- Preventing screen locking through the APIs (Android).
- Scaled button preview via screenshot (almost all/settings).
- Asterisks hiding delay (almost all/settings).
- Desktop synchronization (BlackBerry).
- Fake window to mislead (all).
Classic forensics: dealing with expiration; device & network log examples

- Goal: gathering logs, dumps, backups, other data.
- Solution: SDK tools or similar.
- Data: logs incl. Wi-Fi, dumps, executable modules, screenshots, device info (BlackBerry); special logging mechanism incl. events, credentials, failures (Android).
- Backup: granulated data + wallet (BB smartphone); app data, media, settings (BB tablet); third-party solutions despite the native backup APIs (Android).

Device information example:
  Physical address: E8:XX:XX:XX:XX:XX
  Device OS: BlackBerry PlayBook OS | OS version: 2.0.1.668
  Device PIN: 500XXXXX
  IP address: 192.168.1.31 | Subnet mask: 255.255.255.0
  Default gateway: 192.168.1.1 | Primary DNS: 192.168.1.1 | Proxy IP/port:
Wi-Fi information:
  Status: connected | Security type: WPA2 PERS
  Profile name: XXXX | SSID: XXXX
  Signal level: -41 dBm | Type: 802.11g/n
  Connection data rate: 65 Mbps
Classic forensics: any delay leaves us far behind

EXIF data:
- Camera make: RIM/BlackBerry/Android/HTC.
- Camera model: device model.
- Other EXIF data: exposure, diaphragm opening, flash, EXIF version, geo data.

Media file names:
- IMG20120103-XXXX
- Geo tag as a city, like "MOSKVA".
- Voice notes: VN-20120319-XXXX.AMR / M4A, where "20120319" is the date (YYYYMMDD).
- Video: VID-YYYYMMDD-XXXXXX.3GP / MP4
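The date-bearing file name patterns listed on the slide can be turned into a first-pass media timeline even before EXIF is parsed. This is an added example, not code from the talk: the three regexes encode the IMG/VN/VID shapes shown above (the city-tag variant is not handled), the sample names are constructed, and a name with an impossible date is rejected rather than guessed.

```python
import re
from datetime import date
from typing import NamedTuple, Optional

# Constructed sample names; the sequence parts stand in for the XXXX on the slide.
SAMPLE_NAMES = [
    "IMG20120103-0017.jpg",
    "VN-20120319-0003.amr",
    "VID-20120105-000342.3gp",
    "IMG20121301-0001.jpg",   # month 13: malformed, must not become a timestamp
    "notes.txt",              # not a media name, ignored
]


class MediaEvent(NamedTuple):
    name: str
    kind: str
    when: date


# (kind, pattern): IMG + YYYYMMDD, VN-YYYYMMDD, VID-YYYYMMDD, each followed by a sequence.
PATTERNS = [
    ("photo", re.compile(r"^IMG(\d{8})-\d+\.(jpe?g)$", re.I)),
    ("voice", re.compile(r"^VN-(\d{8})-\d+\.(amr|m4a)$", re.I)),
    ("video", re.compile(r"^VID-(\d{8})-\d+\.(3gp|mp4)$", re.I)),
]


def parse_media_name(name: str) -> Optional[MediaEvent]:
    """Recover kind and capture date from a device-generated file name, or None."""
    for kind, rx in PATTERNS:
        m = rx.match(name)
        if not m:
            continue
        ymd = m.group(1)
        try:
            when = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
        except ValueError:
            return None  # calendar-invalid date: flag by omission, never invent
        return MediaEvent(name, kind, when)
    return None


def build_timeline(names):
    """Sort recognised media files by capture date, then by name for stable output."""
    events = [e for e in map(parse_media_name, names) if e is not None]
    return sorted(events, key=lambda e: (e.when, e.name))


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_NAMES):
        print(e.when.isoformat(), e.kind, e.name)
```

A file name is only a hint: sync and copy tools can rename files, so corroborate these dates against EXIF and file system timestamps before relying on them.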
Live forensics: the device life cycle is more than its software covers; dead cases in real time

Private data (through the API only):
- BlackBerry contact: emails, call & recent history, linking with social networks, etc.
- Android contact: SQL DB per vCard, Facebook, Twitter...

Media data (through the API, SD card):
- Voice notes, screenshots, cameras, SQL DB...
- EXIF; the file name often includes EXIF & geo data.

Messages and IM chats (API, SD card):
- IMs are not encrypted (BlackBerry/all): | sender ID | recipient ID | date | data
- Stored in shared folders instead of the sandbox (BlackBerry).
- Message data stored in an SQL DB, incl. MMS media, under the "/data/data" path: /com.android.providers.telephony, /com.facebook/fb.db

Clipboard:
- Passwords happen.
- Wallet does not protect a copied password.
- getClipboard(), getData(), getText()
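The telephony provider database named above is what "solid DB files reduce raw acquisition" refers to: one SQLite file holds the message history. The following is an added example, not code from the talk, that renders such a table as a time-ordered record. Assumptions: the column names address, date (epoch milliseconds), type and body and the type codes 1 = inbox, 2 = sent follow the AOSP Telephony.Sms contract, and the rows are a constructed fixture loaded into an in-memory database in place of a copied mmssms.db.

```python
import sqlite3
from datetime import datetime, timezone

# Message type codes as in AOSP's Telephony.Sms contract (assumption, not from the talk).
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox"}

# Constructed fixture: (_id, thread_id, address, date in epoch ms, type, body).
SAMPLE_ROWS = [
    (1, 1, "+10000000001", 1326160800000, 1, "meet at 9"),
    (2, 1, "+10000000001", 1326161100000, 2, "ok"),
    (3, 2, "+10000000002", 1326247200000, 1, "call me"),
]


def load_sample_db():
    """In-memory stand-in for mmssms.db with only the columns this example reads."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER,"
        " address TEXT, date INTEGER, type INTEGER, body TEXT)"
    )
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def open_evidence_db(path):
    """Open a copied database read-only so the evidence file is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def extract_sms(con):
    """Messages in time order; epoch milliseconds rendered as UTC ISO-8601."""
    rows = con.execute(
        "SELECT _id, thread_id, address, date, type, body FROM sms ORDER BY date, _id"
    ).fetchall()
    timeline = []
    for _id, thread, addr, ms, typ, body in rows:
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
        timeline.append({
            "id": _id, "thread": thread, "peer": addr, "time": when,
            "direction": SMS_TYPES.get(typ, f"unknown({typ})"), "body": body,
        })
    return timeline


def messages_per_peer(timeline):
    """Count messages per peer number: a quick who-talked-to-whom view."""
    counts = {}
    for m in timeline:
        counts[m["peer"]] = counts.get(m["peer"], 0) + 1
    return counts


if __name__ == "__main__":
    for m in extract_sms(load_sample_db()):
        print(m["time"], m["direction"], m["peer"], m["body"])
```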
Conclusion: dead and live forensics have become well established, but...

Live forensics:
- Lack of simulation environments.
- The modern security trend is the app-world installation way.
- Information becomes outdated rapidly, while the growing amount leaves us missing more.
- Passwords and encryption are a long-term problem.
- Live solutions prevent and solve isolation issues.
- Files are stored in the default location only for a short time after the event.
- Limited cases for dead or live forensics solutions.
- Some dead cases are handy for live and vice versa; do not miss the opportunity for each other.
Thank you

Yury Chemerkin
Hakin9 Magazine representative