Mobile Forensics on a Shoestring Budget

Senior Computer Forensic Analyst at ASIC
30 May 2018


  2. WHY?
  - Commercial mobile forensic suites are quite expensive
  - Many “automated” mobile forensic suites miss vital data
  - In-depth mobile forensic analysis will produce the best results
  - And teach you to be a better forensic analyst
  3. WHAT YOU WILL LEARN
  - Device Acquisition (iOS & Android)
  - Lock Bypass Methods
  - Working with databases
  - Recovering deleted records
  - 3rd Party IM Decryption
    - WeChat
    - WhatsApp
  - Mobile Malware
  - Decompiling Mobile Applications
  - Protections from Mobile Malware
  4. DEVICE ACQUISITION
  When we talk about mobile forensic acquisition there are a couple of methodologies:
  - Physical
    - With boot loader / root / jailbreak
  - Logical
    - Logical with applet
  - File System
  - JTAG
  - Chip-Off
  6. MAGNET ACQUIRE
  - Allows acquisition of Android & iOS mobile devices
    - As well as HDs & USB mass storage devices
  - Physical & Logical acquisition methods available
  - Android:
    - Rooting is available for Android devices
    - For Logical acquisition runs an applet (as well as ADB backup)
  - iOS:
    - iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data
    - Full extraction for jailbroken devices
  7. iTUNES BACKUPS
  - iOS device backups through Apple iTunes (Windows & OSX)
    - Windows: \Users\user_name\AppData\Roaming\Apple Computer\MobileSync\Backup
    - OSX: ~/Library/Application Support/MobileSync/Backup/
  - iTunes backups are ZIP archives
    - Can be extracted with commodity tools such as 7zip
  - Santoku also features an iPhone Backup Analyzer
  8. Android Debug Bridge (ADB)
  - Can be used (with Developer Mode enabled) to create a file system backup:
    1. adb start-server
    2. adb devices
    3. adb backup -apk -obb -shared -all
  - If the device is not jailbroken/rooted this does not grab all application databases/secure files
  - ADB available for OSX, Windows & Linux
  9. LOCK BYPASSES
  - Santoku Linux features an Android Brute Force Script for dealing with PIN locks
  - Android gesture lock bypass via ADB
    - Gesture pattern stored in /data/system/gesture.key
    - adb shell rm /data/system/gesture.key
  - iPhone PIN bypass
    - Vulnerabilities in iOS that allow Siri to be used to get into the device
    - bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html
  - Depending on the device/version of iOS, brute-force scripts are available for breaking the PIN/passcode
  10. APPLICATION DATABASES
  - Both Android and iOS operating systems rely on SQLite databases to store pertinent system data
  - Each installed application will also have a corresponding SQLite database, including web-browser applets
  - SQLite is an open source database format and there are many viewers available to examine the underlying table data
    - SQLiteQ
    - Firefox SQLite DB Viewer extension
    - SQLite Studio
  - SQLite database files
    - Primary data file (.db)
    - Journal files (.db-journal)
    - Write Ahead Logs (.db-wal)
    - Shared memory file (.db-shm): indicates WAL mode
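The -wal/-shm point from slide 10 matters at acquisition time: rows committed while the app has the database open may exist only in the -wal file, so the analyst needs to know which mode a database is in before copying it. The following is an added example (not from the presentation, and not one of the tools it lists) that reads the 100-byte SQLite file header, where bytes 18 and 19 hold the write/read format versions (1 = rollback journal, 2 = WAL), and lists the sidecar files beside the database. The sample database and its one row are constructed inline.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_sqlite_header(path):
    """Parse the fixed 100-byte header at the start of a SQLite main database file.

    Bytes 18 and 19 are the file-format write/read versions: 1 means legacy
    rollback-journal mode, 2 means WAL mode. A 2 tells the examiner that the
    most recent commits may still live only in the -wal sidecar file.
    """
    with open(path, "rb") as fh:
        hdr = fh.read(100)
    if len(hdr) < 100 or hdr[:16] != SQLITE_MAGIC:
        raise ValueError("%s is not a SQLite 3 database" % path)
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    write_version, read_version = hdr[18], hdr[19]
    page_count = struct.unpack(">I", hdr[28:32])[0]  # in-header database size
    return {
        "page_size": page_size,
        "page_count": page_count,
        "write_version": write_version,
        "read_version": read_version,
        "wal_mode": write_version == 2 and read_version == 2,
    }


def sidecar_files(path):
    """Report which journal / WAL / shared-memory companions exist beside the main file."""
    return {suffix: os.path.exists(path + suffix)
            for suffix in ("-journal", "-wal", "-shm")}


def demo(workdir=None):
    """Build a WAL-mode database with one constructed row, inspect it while a
    connection is still open, then again after the last connection closes."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "app.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # header bytes 18/19 become 2
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages(body) VALUES ('constructed sample row')")
    con.commit()
    # While the app still has the database open, the committed row sits in
    # app.db-wal and not yet in app.db: copying app.db alone would miss it.
    live = {"header": parse_sqlite_header(path), "sidecars": sidecar_files(path)}
    con.close()
    # Closing the last connection checkpoints the WAL into the main file and
    # normally removes -wal and -shm; the header still advertises WAL mode.
    after = {"header": parse_sqlite_header(path), "sidecars": sidecar_files(path)}
    return live, after


if __name__ == "__main__":
    for label, state in zip(("open", "closed"), demo()):
        print(label, state["header"], state["sidecars"])
```

The practical rule this shows: when `wal_mode` is true, acquire the -wal and -shm files together with the main .db, because a copy of the main file alone is a stale snapshot.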
  11. EXTRACTING THE MOST FROM DATABASES
  - Automated tools:
    - Only support some databases
    - Only examine some table data (not all tables)
    - Do not always examine WAL or Journal files
  - Example
    - Android device: an automated forensics suite extracted data from the Chrome History SQLite database, pulling records from the “urls” table but completely missing the “visits” table. Not only did the “visits” table provide more records, it provided more metadata to report on (e.g. visit duration is only recorded in the “visits” table).
  - Simple SQL INNER JOIN syntax will allow sensible data extraction from the database
    - Chrome History: SELECT * FROM urls INNER JOIN visits ON urls.id = visits.url
    - Safari History: SELECT * FROM history_items INNER JOIN history_visits ON history_items.id = history_visits.history_item
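The Chrome example from slide 11, carried through in code. This is an added example, not from the presentation: it builds a constructed, cut-down stand-in for a Chrome History database in memory (real Chrome table and column names, invented rows), shows the difference between reading the urls table alone and joining it to visits, and converts the timestamps, which Chrome stores as microseconds since 1601-01-01 UTC, into readable UTC strings. The visit_duration column only exists in visits, so a urls-only extraction can never report it.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(microseconds):
    """Convert a Chrome/WebKit timestamp to a human-readable UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_history():
    """Constructed in-memory stand-in for a Chrome History database, reduced to
    the columns this example reads. Two URLs, four visits (all values invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(
            id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES
            (1, 'https://example.com/',      'Example', 3, 13200000200000000),
            (2, 'https://example.org/login', 'Login',   1, 13200000300000000);
        INSERT INTO visits VALUES
            (1, 1, 13200000000000000, 0, 805306368,  4500000),
            (2, 1, 13200000100000000, 1, 805306368,  1200000),
            (3, 1, 13200000200000000, 2, 805306368,        0),
            (4, 2, 13200000300000000, 3, 805306368, 30000000);
    """)
    return con


def urls_only(con):
    """What a tool that reads only the urls table reports: one row per URL."""
    return con.execute("SELECT url, visit_count FROM urls ORDER BY id").fetchall()


def urls_with_visits(con):
    """The join from the slide: one row per visit, including the duration that
    exists only in the visits table. Returns (url, utc_time, seconds) tuples."""
    rows = con.execute("""
        SELECT urls.url, visits.visit_time, visits.visit_duration
        FROM urls INNER JOIN visits ON urls.id = visits.url
        ORDER BY visits.visit_time
    """).fetchall()
    return [(url, webkit_to_iso(t), round(duration / 1_000_000, 1))
            for url, t, duration in rows]


if __name__ == "__main__":
    con = build_sample_history()
    print("urls only:", len(urls_only(con)), "rows")
    for row in urls_with_visits(con):
        print(row)
```

On the constructed data the urls table yields two rows while the join yields four, each with a time and a duration; that gap is exactly what the slide reports the automated suite missed.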
  12. RECOVERING DELETED RECORDS FROM DBS
  - Python scripts to recover deleted entries from main SQLite database files
    - Including a GUI version, built with portable Python
  - Perl script to recover deleted entries from the .db-journal component of SQLite databases
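Why the scripts on slide 12 find anything at all: when SQLite deletes a row it marks the cell's bytes as free space but, unless the secure_delete pragma is on, does not overwrite them, and the rollback journal holds a pre-image of every page modified by the transaction, so the deleted row also sits in the .db-journal. The following is an added example, not the referenced Python or Perl scripts: it creates a small constructed table, deletes one row, and checks the raw bytes of both the main file and the journal for a marker string. It runs the scenario twice, with secure_delete off (the default) and on, so the contrast is visible.

```python
import os
import sqlite3
import tempfile

# Constructed marker that stands in for the body of a deleted message.
MARKER = b"CONSTRUCTED_DELETED_MESSAGE_7f3a"


def build_and_delete(path, secure_delete):
    """Create a three-row table, delete the middle row, and keep the rollback
    journal on disk (PERSIST mode) so both artefacts can be examined afterwards."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=PERSIST")   # journal header is zeroed, body kept
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    rows = [(1, "+0000000001", "first constructed row"),
            (2, "+0000000002", MARKER.decode()),
            (3, "+0000000003", "third constructed row")]
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")  # the row an examiner wants back
    con.commit()
    con.close()


def marker_in_file(path):
    """Raw carve: does the deleted body still appear anywhere in the file bytes?"""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def live_rows(path):
    """What the database itself still reports through SQL."""
    con = sqlite3.connect(path)
    try:
        return [r[0] for r in con.execute("SELECT id FROM sms ORDER BY id")]
    finally:
        con.close()


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    results = {}
    for label, secure in (("secure_delete_off", False), ("secure_delete_on", True)):
        path = os.path.join(workdir, label + ".db")
        build_and_delete(path, secure)
        journal = path + "-journal"
        results[label] = {
            "live_ids": live_rows(path),
            "in_main_file": marker_in_file(path),
            "in_journal": os.path.exists(journal) and marker_in_file(journal),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With secure_delete off, SQL shows only rows 1 and 3 while the marker is still present in both the main file and the journal; with secure_delete on, the freed cell in the main file is zeroed, which is the behaviour a recovery script has to expect from apps that enable that pragma.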
  13. 3RD PARTY IM DECRYPTION - WECHAT
  - WeChat uses the SQLCipher encryption scheme to protect chat messages
  - EnMicroMsg.db stores messages/chat history
  - The SQLCipher key is derived from the IMEI of the device and the unique identifier (UIN) registered with WeChat
    - UIN is the unique identifier that you can get from the system_config_prefs.xml file in the WeChat application folder
  - Calculate the MD5 hash of the IMEI number followed by the UIN, then use the first 7 characters as the SQLCipher key
    - E.g. if IMEI = 358711000000001 and UIN = 1234567890
    - Then calculate the MD5 of 3587110000000011234567890 = ee130f28c26387b09ce7c2ec2df21efc
    - The first 7 digits are ee130f2: this is the SQLCipher key
  - Once the decryption key is generated the SQLite database can be decrypted with many tools, including SQLite Studio, where you can manually add the SQLCipher decryption key
  14. 3RD PARTY IM DECRYPTION - WHATSAPP
  - On Android devices WhatsApp backs up chat databases to the SD card (if available) at /WhatsApp/Databases/msgstore.db.crypt
  - The SQLite databases are encrypted but can be decrypted using the following methodology:
    1. Enable ADB & USB debugging on the device, connect the device to the computer
    2. Run WhatsApp Key Extractor on the computer
       - This will extract the decryption key from WhatsApp
    3. Use WhatsApp Viewer to open the encrypted database and provide the decryption key
       - This will generate a decrypted SQLite database that can be opened with any SQLite tool
  15. MOBILE MALWARE
  - If fortunate enough to have a binary acquisition you can mount the file system to scan for malware
  - AccessData MPE has similar functionality to FTK Imager that lets you mount these mobile forensic images and interpret the underlying file system
    - Once mounted it can be scanned with 3rd party AV tools
  - Santoku also features Android & iOS file system support
    - YAFFEY for mounting/reading yaffs2
  - Various online mobile malware scanning services are available
    - NVISO ApkScan (API is available)
    - OPSWAT MetaDefender
  - If wary about uploading apps to these services, hash the APK/IPA and scan the hashes in an online service such as VirusTotal or MetaDefender
  17. DECOMPILING MOBILE APPLICATIONS
  - Android APKs & iOS IPAs are just ZIP archives and can be opened with 7Zip or similar
  - To delve deeper into these apps you need to decompile/analyse them
    - Determine the permissions allowed by the application
    - Determine what remote communications are made by the application
    - Determine what functions are called by the application
  18. DECOMPILING MOBILE APPLICATIONS – APK
  - AndroidManifest.xml
    - Contains the permissions allowable by the application
  - classes.dex is a Dalvik Executable file
    - Dex2Jar converts it to a Java applet (JAR)
    - Included in Santoku Linux, but can be downloaded for Windows
    - The converted JAR can be opened in 7Zip, analysed etc.
  - APKAnalyser: Sony Mobile (open source) Android APK analysing framework
  - Can also be decompiled/analysed in Radare
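Slides 15, 17 and 18 together describe a first offline triage step: hash the package so it can be looked up by hash rather than uploaded, confirm it is a ZIP, and find the manifest, DEX files and signing material inside it. The following added example (not from the presentation or any tool it lists) does that for an APK. The APK it inspects is a constructed, minimal ZIP with placeholder contents, so the manifest and DEX bodies are not real compiled data; only the file names and the `dex\n0xx\0` magic at the start of a DEX file follow the real format. Parsing the binary AndroidManifest.xml for the permission list is left to the decompilers the slides name.

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"  # real DEX files start with "dex\n" + 3-digit version + NUL


def build_sample_apk():
    """Constructed, APK-shaped ZIP used as offline sample input; the member
    bodies are placeholders, not real compiled content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 108)
        zf.writestr("classes2.dex", DEX_MAGIC + b"037\x00" + b"\x00" * 108)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 30)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()


def triage_apk(data):
    """Hash the package for reputation lookups and inventory what is inside it."""
    digests = {name: hashlib.new(name, data).hexdigest()
               for name in ("md5", "sha1", "sha256")}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "hashes": digests}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        dex_versions = {}
        for name in names:
            if name.endswith(".dex"):
                head = zf.read(name)[:8]
                # record the DEX format version, or None if the magic is wrong
                dex_versions[name] = (head[4:7].decode("ascii")
                                      if head.startswith(DEX_MAGIC) else None)
        return {
            "is_zip": True,
            "hashes": digests,
            "has_manifest": "AndroidManifest.xml" in names,
            "dex_versions": dex_versions,
            "signature_files": sorted(n for n in names
                                      if n.startswith("META-INF/")
                                      and n.endswith((".RSA", ".DSA", ".EC"))),
            "native_libs": sorted(n for n in names
                                  if n.startswith("lib/") and n.endswith(".so")),
        }


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print("sha256:", report["hashes"]["sha256"])
    print("dex files:", report["dex_versions"])
    print("signing files:", report["signature_files"])
    print("native libs:", report["native_libs"])
```

The sha256 value is what to submit to a hash-lookup service; a missing AndroidManifest.xml, a DEX member without valid magic, or unexpected native libraries are cheap early indicators that the package deserves the deeper decompilation the slides describe.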
  19. DECOMPILING MOBILE APPLICATIONS – IPA
  - IPAs are encrypted with Apple's FairPlay DRM, so you need to decrypt them before analysis
    - Requires a jailbroken device
  - Clutch: used to decrypt IPA files
    - Creates a decrypted IPA file (ZIP archive)
    - Needs to be run on the specific iOS device where the app is installed
  - Otool: can be used to inspect the binary and get a list of functions
  - Radare for dynamic analysis
  20. PROTECTIONS FROM MOBILE MALWARE
  - Do not jailbreak or root your device
  - Do not allow unsigned apps to be installed (developer mode)
  - Only download/purchase apps from authorised/legitimate stores (Google Play, Apple App Store)
  - Pay attention to what you download/install, don't fall for lookalike apps
  - Threat actors will modify legitimate apps to inject them with malware
    - MSFVenom
    - APKinjector
    - Xcode: bootleg integrated development environment (IDE) infecting iOS apps
  23. RESOURCES / REFERENCES
  - OPSWAT MetaDefender –
  - NVISO ApkScan –
  - OWASP iOS Application Security Testing –
  - Static Analysis of IPA Files –
  - Android malware analysis with Radare – malware-analysis-radare-triada-trojan/
  - Injecting Metasploit Payloads into Android Applications –
  - Python Script to recover deleted SQLite entries – parser-to-recover-deleted-sqlite.html
  - iOS Triage –
  - Android SMS grep Perl Script –
  24. TOOLS
  - Santoku Linux –
  - AccessData MPE – solutions
  - Magnet Acquire – community/
  - 7Zip –
  - DCode – tools/
  - HashCalc –
  - Dex2Jar –
  - iNalyzer –
  - SQLiteQ –
  - Radare –
  - Clutch –
  - Otool – part of Xcode toolset
  - ApkAnalyzer –
  - APKinjector –
  - ADB –
  - Python Script to recover deleted SQLite entries –
  - Android SMS grep Perl Script –
  - SQLite Studio –
  - WhatsApp Key Extractor –
  - WhatsApp Viewer – viewer
  - iOS Restriction Bruteforce –
  25. Questions
  26. SHOUT OUTS / THANKS @MagnetForensics @AccessData @Cheeky4n6Monkey @NowSecure @Ahoog42 @DigitalDetectiv @VirusTotal @NVISO_BE @radareorg @maridegrazia