2014, Basis Technology 1

Open Source Mobile Device Forensics
Heather Mahalik

Device Acquisition

iOS Devices
- Zdziarski Methods
  - Boot ROM vulnerability exploits
  - Custom ramdisk via SSH
- The iPhone Data Protection Tools
- iTunes

Android Devices
- Logical via ADB
- Backup
- OSAF Toolkit
- Santoku
- DD (not supported for all devices)
- JTAG/Chip-off

Considerations
- How old is the device?
- Is the device locked?
- Is the device damaged?
- Are you Law Enforcement?

Android Memory Capture
- LiME (Linux Memory Extractor): first tool to support full memory captures of Android smartphones!
- Dump over TCP or saved to SD card
- Uses ADB
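A LiME capture written in its native "lime" format is a sequence of physical memory ranges, each preceded by a small header, so the first thing an examiner does with a dump pulled over TCP or copied from the SD card is to parse those headers, check that nothing was truncated in transit, and map a hit back to a physical address. The parser below is an added example, not code from these slides or from the LiME project; it assumes the header layout as I recall it from the lime-forensics sources (little-endian u32 magic 0x4C694D45, u32 version, u64 start, u64 inclusive end, 8 reserved bytes) and runs against a constructed two-range dump rather than a real device capture.

```python
import struct
from dataclasses import dataclass

# Assumed LiME "lime" format header (check against the lime-forensics sources):
# u32 magic, u32 version, u64 start address, u64 end address (inclusive),
# 8 reserved bytes; little-endian; one header precedes every captured range.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


@dataclass
class LimeSegment:
    start: int    # first physical address covered by this range
    end: int      # last physical address covered (inclusive)
    data: bytes   # raw bytes of the range, len == end - start + 1


def parse_lime(blob: bytes) -> list[LimeSegment]:
    """Split a lime-format dump into its physical ranges, refusing truncated input."""
    segments = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(blob, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        size = e_addr - s_addr + 1
        off += LIME_HEADER.size
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError(f"range at 0x{s_addr:x} truncated: {len(data)} of {size} bytes")
        segments.append(LimeSegment(s_addr, e_addr, data))
        off += size
    return segments


def gaps(segments: list[LimeSegment]) -> list[tuple[int, int]]:
    """Physical address ranges that lie between captured ranges (not present in the dump)."""
    ordered = sorted(segments, key=lambda s: s.start)
    return [(a.end + 1, b.start - 1) for a, b in zip(ordered, ordered[1:]) if b.start > a.end + 1]


def locate(segments: list[LimeSegment], needle: bytes) -> list[int]:
    """Physical addresses at which needle occurs, across all captured ranges."""
    hits = []
    for seg in segments:
        i = seg.data.find(needle)
        while i != -1:
            hits.append(seg.start + i)
            i = seg.data.find(needle, i + 1)
    return hits


def build_sample_dump() -> bytes:
    """Constructed two-range dump for demonstration; not a capture from any device."""
    range_a = (b"\x00" * 16 + b"constructed-token-A").ljust(64, b"\x00")
    range_b = b"constructed-token-B".ljust(32, b"\x00")
    out = b""
    for start, data in ((0x80000000, range_a), (0x90000000, range_b)):
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1, b"\x00" * 8) + data
    return out


if __name__ == "__main__":
    segs = parse_lime(build_sample_dump())
    for s in segs:
        print(f"range 0x{s.start:x}-0x{s.end:x} ({len(s.data)} bytes)")
    print("uncaptured:", [(hex(a), hex(b)) for a, b in gaps(segs)])
    print("token A at:", [hex(p) for p in locate(segs, b"constructed-token-A")])
```

The gap list is the check worth keeping: LiME's "padded" output zero-fills the holes between RAM ranges while the "lime" format records each range with its own header, so an analysis tool that expects a flat image needs the offsets this parser produces. A header failure partway through the file usually means the TCP transfer was cut short or the SD card filled up, which is why the parser refuses a short final range rather than silently returning what it has.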
Analytical Tools to Name a Few

iOS Devices
- iPhone Backup Analyzer
- iExplorer
- iBackupBot
- Scalpel
- SQLite Browser
- Plist Editor
- WhatsApp Extract (Contacts.sqlite and ChatStorage.sqlite)
- Manual examination
- Customized scripts

Android Devices
- Autopsy Android Module
- WhatsApp Extract (wa.db and msgstore.db)
- Scalpel
- SQLite Browser
- Hex Editor
- Anything capable of mounting EXT
- FTK Imager
- Customized scripts
- Manual examination

Reality Check!
- Commercial tools are expensive
- They still miss data
- They don't parse third party applications completely
- They omit relevant databases when extracting data
- They don't support all devices
- Open Source tools: see above!

Example iOS Examination
/private/var/mobile/library/Spotlight/com.apple.mobilesms/smssearchindex.sqlite
- Provides SMS message data
- Active and deleted messages
- Should be compared to sms.db
- May show traces of attachments (metadata)
*Not commonly parsed by any tool!

Autopsy
- GUI built on The Sleuth Kit
- Next version (v3.1.1) will include the Android module
- Customizable
- Complete analytical platform
- Android dumps can be loaded as normal disk images or file folders

Android Examination

Examining Contacts
- Parsed from the Contacts2.db file
- Raw_contacts and ABPerson

Examining the Raw Contacts (1)

Examining the Raw Contacts (2)

Parsing Messages and Chats
- Parses messages and chats from SMS, MMS and some third party applications

Encoding Built into Autopsy
- Encryption vs. Encoding
- Base64 decoder built into Autopsy Android module
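The "Encryption vs. Encoding" point matters because a base64 field in an app database looks opaque in a viewer but is fully recoverable, while a genuinely encrypted field is not; a decoder that blindly runs base64 over every string also produces junk from short tokens that happen to be valid base64 syntax. The classifier below is an added example written for this page (it is not Autopsy's decoder and not code from the slides): it accepts a value as base64 only if it is well-formed and decodes to readable text, and otherwise uses a length-aware entropy ceiling to separate high-entropy (encrypted or compressed) data from ordinary binary. The sample values are constructed, not taken from any real application.

```python
import base64
import binascii
import math
import string

# Added example: classify a database field as base64 text, plaintext,
# high-entropy (likely encrypted/compressed) or other binary.
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, and log2(len(data)) for inputs shorter than 256 bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_printable(data: bytes, threshold: float = 0.95) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def try_base64(value: bytes):
    """Decoded bytes if value is well-formed base64 that decodes to readable text, else None."""
    s = value.strip()
    body = s.rstrip(b"=")
    if len(s) % 4 or len(s) - len(body) > 2 or not body:
        return None
    if any(b not in B64_ALPHABET for b in body):
        return None
    try:
        decoded = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A syntactically valid token that decodes to non-text is treated as not encoded.
    return decoded if looks_printable(decoded) else None


def classify(value: bytes) -> str:
    """Return 'base64', 'plaintext', 'high-entropy' or 'binary'."""
    if try_base64(value) is not None:
        return "base64"
    if looks_printable(value):
        return "plaintext"
    if len(value) < 2:
        return "binary"
    ceiling = min(8.0, math.log2(len(value)))   # max achievable entropy for this length
    return "high-entropy" if shannon_entropy(value) >= 0.9 * ceiling else "binary"


# Constructed field values for demonstration, not real app data.
SAMPLES = {
    "sms_text": b"Meet at the usual place at 9",
    "b64_field": base64.b64encode(b"+1 555 0100: meet at 9"),
    "short_token": b"Help",                         # valid base64 syntax, decodes to junk
    "cipher_stand_in": bytes(range(0, 256, 4)),    # 64 distinct bytes: maximal entropy for its length
}


def classify_samples() -> dict:
    return {name: classify(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:16s} -> {label}")
    print("decoded:", try_base64(SAMPLES["b64_field"]))
```

The entropy ceiling is the part that is easy to get wrong: a fixed "above 7 bits per byte" rule never fires on a 16- or 32-byte field, because a value that short cannot exceed log2(len) bits even if it is perfectly random, so short encrypted fields would be misreported as plain binary.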
Geolocation Support
- Google Maps, Browser, Cache and EXIF location parsing

Geolocation Reporting

Examining Multimedia Files
- EXIF Parser
- Graphics and Videos

Recovering Deleted SQLite Data
- Active files shown in viewer
- Deleted must be examined/recovered in Hex
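This slide and the earlier smssearchindex.sqlite slide ("active and deleted messages", "should be compared to sms.db") make the same point: a SQL query or a viewer only returns allocated rows, and a deleted record survives in the page's freeblocks or unallocated space until SQLite reuses that space (or until secure_delete scrubs it). The script below is an added example written for this page; it is not Mari DeGrazia's parser, not Autopsy, and not code from the slides. It builds a constructed three-row messaging table, deletes one row, and then does the hex-level work by hand: reads the page size from the file header, walks the table's root leaf page (page type 0x0D, big-endian header fields), and carves printable runs from the freeblock chain and the unallocated region. The table name and row contents are invented; the page layout it parses is SQLite's documented file format.

```python
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def build_sample_db(path: str) -> None:
    """Constructed stand-in for a messaging database: three rows, then row 2 is deleted."""
    if os.path.exists(path):
        os.remove(path)
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # explicit: leave deleted cells on the page
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", [
        (1, "+15550100", "active message alpha"),
        (2, "+15550101", "deleted message bravo"),
        (3, "+15550102", "active message charlie"),
    ])
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    con.close()


def make_sample_db() -> str:
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    build_sample_db(path)
    return path


def active_bodies(path: str) -> set:
    """What a viewer or SQL query shows: allocated rows only."""
    con = sqlite3.connect(path)
    try:
        return {row[0] for row in con.execute("SELECT body FROM message")}
    finally:
        con.close()


def root_page(path: str, table: str) -> int:
    con = sqlite3.connect(path)
    try:
        row = con.execute("SELECT rootpage FROM sqlite_master WHERE type='table' AND name=?",
                          (table,)).fetchone()
    finally:
        con.close()
    if row is None:
        raise ValueError(f"no table named {table}")
    return row[0]


def carve_free_space(path: str, table: str) -> list:
    """Printable runs from the freeblocks and unallocated space of the table's root leaf page."""
    with open(path, "rb") as f:
        blob = f.read()
    if blob[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", blob, 16)[0]
    if page_size == 1:                         # the format encodes 65536 as 1
        page_size = 65536
    pgno = root_page(path, table)
    page = blob[(pgno - 1) * page_size: pgno * page_size]
    hdr = 100 if pgno == 1 else 0              # page 1 carries the 100-byte file header
    if page[hdr] != 0x0D:
        raise NotImplementedError(f"only leaf table pages handled (type 0x{page[hdr]:02x})")
    # Leaf page header: type, first freeblock, cell count, content area start, fragmented bytes.
    first_free, ncells, content_start = struct.unpack_from(">xHHH", page, hdr)
    if content_start == 0:
        content_start = 65536
    regions = [page[hdr + 8 + 2 * ncells: content_start]]   # unallocated space
    seen, off = set(), first_free
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)                          # guard against a corrupted, looping chain
        nxt, size = struct.unpack_from(">HH", page, off)
        regions.append(page[off + 4: off + size])           # freeblock body after its 4-byte header
        off = nxt
    found = []
    for region in regions:
        found.extend(m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(region))
    return found


if __name__ == "__main__":
    db = make_sample_db()
    print("active rows:", sorted(active_bodies(db)))
    print("carved from free space:", carve_free_space(db, "message"))
```

When the freed cell was the lowest one in the content area, SQLite extends the content area instead of writing a freeblock, which is why the unallocated region is scanned as well; and the first four bytes of a freed cell are overwritten by the freeblock header, so the carved run starts inside the record (the remaining serial-type bytes and the address column run straight into the body text). On a multi-page table the same walk has to be repeated for every leaf page reached from the interior pages, and any pages on the database freelist.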
Custom Scripts
- Mari DeGrazia's SQLite Parser

References, Sources and Suggested Reading
- http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
- www.az4n6.blogspot.com
- https://viaforensics.com/blog/
- http://www.sleuthkit.org/
- Practical Mobile Forensics (Bommisetty, Mahalik, Tamma)
- www.smarterforensics.com
- https://code.google.com/p/lime-forensics/

Questions
Heather Mahalik, Basis Technology
www.basistech.com
hmahalik@basistech.com
Twitter: @heathermahalik