2014, Basis Technology 1

Open Source Mobile Device Forensics

Heather Mahalik

2014, Basis Technology 2

iOS Devices Zdziarski Methods Boot Rom

Vulnerability Exploits Custom Ramdisk via

SSH The iPhone Data

Protection Tools iTunes

Android Devices viaLogical ADB Backup OSAF Toolkit Santoku DD

Not supported for all devices

JTAG/Chip-off

Device Acquisition

2014, Basis Technology 3

How old is the device?

Is the device locked? Is the device

damaged? Are you Law

Enforcement?

Considerations

2014, Basis Technology 4

LiME (Linux Memory Extractor) First tool to support full

memory captures of Android smartphones!

TCP dump or saved to SD card

Uses ADB

Android Memory Capture

2014, Basis Technology 5

iOS Devices iPhone Backup Analyzer iExplorer iBackupBot Scalpel SQLite Browser Plist Editor WhatsApp Extract

Contacts.sqlite and ChatStorage.sqlite

Manual examination Customized scripts

Android Devices Autopsy

Android Module WhatsApp Extract

wa.db and msgstore.db Scalpel SQLite Browser Hex Editor Anything capable of mounting

EXT FTK Imager Customized scripts Manual examination

Analytical Toolsto Name a Few

2014, Basis Technology 6

Commercial tools are expensive They still miss data They dont parse third party applications

completely They omit relevant databases when extracting

data They dont support all devices

Open Source tools See above!

Reality Check!

2014, Basis Technology 7

/private/var/mobile/library/Spotlight/com.apple.mobilesms/ smssearchindex.sqlite

Provides SMS message data Active and deleted messages Should be compared to sms.db May show traces of attachments (metadata)

*Not commonly parsed by any tool!

Example iOS Examination

2014, Basis Technology 8

GUI built on The Sleuth Kit Next version (v3.1.1) will include Android

module Customizable Complete analytical platform Android dumps can be loaded as normal disk

images or file folders

Autopsy

2014, Basis Technology 9

Android Examination

2014, Basis Technology 10

Parsed from Contacts2.db file Raw_contacts and ABPerson

Examining Contacts

2014, Basis Technology 11

Examining the Raw Contacts (1)

2014, Basis Technology 12

Examining the Raw Contacts (2)

2014, Basis Technology 13

Parses messages and chats from SMS, MMS and some third party applications

Parsing Messages and Chats

2014, Basis Technology 14

Encryption vs. Encoding Base64 decoder built into Autopsy Android

module

Encoding Built into Autopsy

2014, Basis Technology 15

Google Maps, Browser, Cache and EXIF location parsing

Geolocation Support

2014, Basis Technology 16

Geolocation Reporting

2014, Basis Technology 17

EXIF Parser

Graphics and Videos

Examining Multimedia Files

2014, Basis Technology 18

Active files shown in viewer

Deleted must be examined/recovered in Hex

Recovering Deleted SQLite Data

2014, Basis Technology 19

Mari DeGrazias SQLite Parser

Custom Scripts

2014, Basis Technology 20

http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf

www.az4n6.blogspot.com https://viaforensics.com/blog/ http://www.sleuthkit.org/ Practical Mobile Forensics Bommisetty,

Mahalik, Tamma www.smarterforensics.com https://code.google.com/p/lime-forensics/

References, Sources and Suggested Reading

2014, Basis Technology 21

Heather Mahalik Basis Technology

www.basistech.com hmahalik@basistech.com Twitter: @heathermahalik

Questions

Slide Number 1Slide Number 2Slide Number 3Slide Number 4Slide Number 5Slide Number 6Slide Number 7Slide Number 8Slide Number 9Slide Number 10Slide Number 11Slide Number 12Slide Number 13Slide Number 14Slide Number 15Slide Number 16Slide Number 17Slide Number 18Slide Number 19Slide Number 20Slide Number 21