Mobile Forensics on a Shoestring Budget
Signaler
Brent MuirSuivre
30 May 2018•0 j'aime•1,238 vues
1 j'aime
Soyez le premier à aimer ceci
afficher plus
vues
Nombre de vues
0
Sur Slideshare
0
À partir des intégrations
0
Nombre d'intégrations
0
Check these out next
Mobile Forensics on a Shoestring Budget
30 May 2018•0 j'aime•1,238 vues
1 j'aime
Soyez le premier à aimer ceci
afficher plus
vues
Nombre de vues
0
Sur Slideshare
0
À partir des intégrations
0
Nombre d'intégrations
0
Télécharger pour lire hors ligne
Signaler
Technologie
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Brent MuirSuivre
Recommandé
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
SanDisk SecureAccess Encryption 1.5Brent Muir
WinFE: The (Almost) Perfect Triage ToolBrent Muir
Android forensics an Custom Recovery ImageMohamed Khaled
Android Mobile forensics with custom recoveriesIbrahim Mosaad
Windows 7 forensics event logs-dtl-r3CTIN
Mobile Forensics on a Shoestring Budget
- MOBILE FORENSICS ON A SHOESTRING BUDGET Brent Muir - 2018
- WHY? Commercial mobile forensic suites are quite expensive Many “automated” mobile forensic suites miss vital data In-depth mobile forensic analysis will produce the best results And teach you to be a better forensic analyst
- WHAT YOU WILL LEARN Device Acquisition (iOS & Android) Lock Bypasses Methods Working with databases Recovering deleted records 3rd Party IM Decryption WeChat WhatsApp Mobile Malware Decompiling Mobile Applications Protections from Mobile Malware
- DEVICE ACQUISITION When we talk about mobile forensic acquisition there are a couple of methodologies Physical With Boot Loader / root / jail break Logical Logical with applet File System JTAG Chip-Off
- DEVICE ACQUISITION - EXTRACTION METHODS LEVEL OF INVASIVENESS
- MAGNET ACQUIRE Allows acquisition of Android & iOS mobile devices As well as HDs & USB mass storage devices Physical & Logical acquisition methods available Android: Rooting is available for Android devices For Logical acquisition runs an applet (as well as ADB backup) iOS: iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data Full extraction for jailbroken devices
- iTUNES BACKUPS iOS device backups through Apple iTunes (Windows & OSX) Windows Usersuser_nameAppDataRoamingApple ComputerMobileSyncBackup OSX ~/Library/Application Support/MobileSync/Backup/ iTunes backups are ZIP archives Can be extracted with commodity tools such as 7zip Santoku also features an iPhone Backup Analyzer
- Android Debug Bridge (ADB) Can be used (with Developer Mode enabled) to create file system backup 1.adb start-server 2.adb devices 3.adb backup –apk –obb –shared –all If device not jail broken/rooted does not grab all application databases/secure files ADB available for OSX, Windows & Linux
- LOCK BYPASSES Santoku Linux features Android Brute Force Script for dealing with PIN locks Android gesture lock bypass via ADB Gesture pattern stored in /data/system/gesture.key adb shell rm /data/system/gesture.key iPhone PIN bypass Vulnerabilities in iOS that allow Siri to be used to get into device https://www.computerworld.com/article/3041302/security/4-new-ways-to- bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html Depending on device/version of iOS brute-force scripts available for breaking PIN/passcode
- APPLICATION DATABASES Both Android and iOS operating systems rely on SQLite databases to store pertinent system data Each installed application will also have a corresponding SQLite database, including web- browser applets SQLite is an open source database format and there are many viewers available to examine the underlying table data SQLiteQ Firefox SQLite DB Viewer extension SQLite Studio SQLite Database files Primary data file (.db) Journal Files (.db-journal) Write Ahead Logs (.db-wal) Shared memory file (.db-shm) indicates WAL mode
- EXTRACTING THE MOST FROM DATABASES Automated tools: Only support some databases Only examine some table data (not all tables) Do not always examine WAL or Journal files Example Android device, automated forensics suite extracted data from Chrome History SQLite database, extracting data from “urls” table but had completely missed the “visits” table. Not only did this provide more records, it provided more metadata to report on (e.g. visit duration is only recorded in “visits” table). Simple SQL Inner Join syntax will allow sensible data extraction from database Chrome History SELECT * FROM urls INNER JOIN visits ON urls.id = visits.id Safari History SELECT * FROM history_items INNER JOIN history_visits ON history_items.id = history_visits.history_item
- RECOVERING DELETED RECORDS FROM DBS Python scripts to recover deleted entries from main SQLite database files Including GUI version, built with portable python Perl script to recover deleted entries from .db-journal component of SQLite databases
- 3RD PARTY IM DECRYPTION - WECHAT WeChat uses the SQLcipher encryption scheme to protect chat messages EnMicroMsg.db stores messages/chat history SQLcipher key is actually derived from IMEI of device and unique identifier (UIN) as registered with WeChat UIN is the unique identifier that you can get from the system_config_prefs.xml file in the WeChat application folder Calculate the MD5 hash of IMEI number followed by UIN, then use the first 7 characters as the SQLcipher key E.g. if IMEI = 358711000000001 and UIN = 1234567890 Then calculate MD5 of 3587110000000011234567890 ee130f28c26387b09ce7c2ec2df21efc First 7 digits are ee130f2 this is the SQLcipher key Once decryption key generated the SQLite database can be decrypted with many tools, including SQLite Studio, where you can manually add the SQLcipher decryption key
- 3RD PARTY IM DECRYPTION - WHATSAPP On Android devices WhatsApp backs up chat databases to SD card (if available) at /WhatsApp/Databases/msgstore.db.crypt SQLite databases are encrypted but can be decrypted using the following methodology: 1. Enable ADB & USB debugging on device, connect device to computer 2. Run WhatsApp Key Extractor on computer This will extract the decryption key from WhatsApp 3. Use WhatsApp Viewer to open encrypted database and provide the decryption key This will generate a decrypted SQLite database that can be opened with any SQLite tool
- MOBILE MALWARE If fortunate enough to have a binary acquisition you can mount the file system to scan for malware AccessData MPE has a similar functionality to FTK Imager that lets you mount these mobile forensic images and interpret the underlying file system Once mounted can be scanned with 3rd party AV tools Santoku also features Android & iOS file system support YAFFEY for mounting/reading yaffs2 Various online mobile malware scanning services are available NVISION ApkScan (API is available) OPSWAT MetaDefender If weary about uploading apps to these services, hash the APK/IPA and scan hashes in online service such as VirusTotal or MetaDefender
- ONLINE MOBILE MALWARE SCANNERS
- DECOMPILING MOBILE APPLICATIONS Android APKs & iOs IPAs are just ZIP archives, can be opened with 7Zip or similar To delve deeper into these apps you need to decompile/analyse them Determine the permissions allowed by the application Determine what remote communications are made by the application Determine what functions are called by the application
- DECOMPILING MOBILE APPLICATIONS – APK AndroidManifest.xml Contains permissions allowable by the application Classes.dex is a Dalvik Executable file Dex2Jar to convert to JAVA applet (JAR) Included in Santoku Linux, but can downloaded for Windows Converted JAR can be opened in 7Zip, analysed etc. APKAnalyser – Sony Mobile (open source)Android APK analysing framework Can also be decompiled/analysed in Radare
- DECOMPILING MOBILE APPLICATIONS – IPA IPAs are encrypted with Apple's FairPlay DRM, so you need to decrypt them before analysis Requires jail broken device Clutch Used to decrypt IPA files creates decrypted IPA file (ZIP archive) Needs to be run on the specific iOS device where the app is installed Otool Can be used to inspect the binary, get a list of functions Radare for dynamic analysis
- PROTECTIONS FROM MOBILE MALWARE Do not jail break or root your device Do not allow unsigned apps to be installed (developer mode) Only download/purchase apps from authorised/legitimate stores (Google Play, Apple App Store) Pay attention to what you download/install, don't fall for lookalike apps Threat actors will modify legitimate apps to inject them with malware MSFVenom APKinjector Xcode – bootleg integrated development environment (IDE) infecting iOS apps
- MALICIOUS APPS IN APPLE APP STORE
- MALICIOUS APPS IN GOOGLE PLAY STORE
- RESOURCES / REFERENCES OPSWAT MetaDefender – https://metadefender.opswat.com/ NVISO ApkScan – https://apkscan.nviso.be/ OWASP iOS Application Security Testing – https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet Static Analysis of IPA Files – http://blog.dornea.nu/2014/10/29/howto-ios-apps-static-analysis/ Android malware analysis with Radare –https://www.nowsecure.com/blog/2016/11/21/android- malware-analysis-radare-triada-trojan/ Injecting Metasploit Payloads into Android Applications – https://pentestlab.blog/2017/03/13/injecting-metasploit-payloads-into-android-applications/ Python Script to recover deleted SQLite entries – http://az4n6.blogspot.com/2013/11/python- parser-to-recover-deleted-sqlite.html iOS Triage – https://github.com/ahoog42/ios-triage/ Android SMS grep Perl Script - https://github.com/cheeky4n6monkey/4n6-scripts http://cheeky4n6monkey.blogspot.com.au/2013/02/creating-perl-script-to-retrieve.html
- TOOLS Santoku Linux – http://santoku-linux.com AccessData MPE – https://accessdata.com/products-services/mobile- solutions Magnet Acquire – https://www.magnetforensics.com/acquire- community/ 7Zip – http://www.7-zip.org/ DCode – http://www.digital-detective.net/digital-forensic-software/free- tools/ HashCalc – http://www.slavasoft.com/hashcalc/ Dex2Jar – https://sourceforge.net/projects/dex2jar/files/ iNalyzer – https://appsec-labs.com/iNalyzer/ SQLiteQ – http://www.mitec.cz/sqliteq.html Radare – http://www.radare.org/r/ Clutch – https://github.com/KJCracks/Clutch Otool – part of Xcode toolset https://developer.apple.com/xcode/ ApkAnalyzer – https://github.com/sonyxperiadev/ApkAnalyser APKinjector – https://github.com/jbreed/apkinjector ADB – https://developer.android.com/studio/command-line/adb.html Python Script to recover deleted SQLite entries – https://github.com/mdegrazia/SQLite-Deleted-Records-Parser Android SMS grep Perl Script - https://github.com/cheeky4n6monkey/4n6-scripts SQLite Studio - https://sqlitestudio.pl/index.rvt WhatsApp Key Extractor - https://github.com/EliteAndroidApps/WhatsApp-Key-DB-Extractor/ WhatsApp Viewer - https://github.com/andreas-mausch/whatsapp- viewer iOS Restriction Bruteforce - https://github.com/thehappydinoa/iOSRestrictionBruteForce
- Questions
- SHOUT OUTS / THANKS @MagnetForensics @AccessData @Cheeky4n6Monkey @NowSecure @Ahoog42 @DigitalDetectiv @VirusTotal @NVISO_BE @radareorg @maridegrazia