Open Source Forensics

Heather Mahalik

© 2014, Basis Technology

Device Acquisition

iOS Devices
• Zdziarski Methods
• Boot Rom Vulnerability Exploits
  – Custom Ramdisk via SSH
  – The iPhone Data Protection Tools
  – Not supported for all devices
• iTunes

Android Devices
• viaLogical
• ADB Backup
• OSAF Toolkit
• Santoku
• JTAG/Chip-off

Considerations

• How old is the device?
• Is the device locked?
• Is the device damaged?
• Are you Law Enforcement?

Android Memory Capture

• LiME (Linux Memory Extractor)
  – First tool to support full memory captures of Android!
  – Dumps over TCP or saves to the SD card
  – Uses ADB

Analytical Tools…to Name a Few

iOS Devices
• iPhone Backup Analyzer
• iExplorer
• iBackupBot
• Scalpel
• SQLite Browser
• Plist Editor
• WhatsApp Extract
  – Contacts.sqlite and ChatStorage.sqlite
• Manual examination
• Customized scripts

Android Devices
• Autopsy
  – Android Module
• WhatsApp Extract
  – wa.db and msgstore.db
• Scalpel
• SQLite Browser
• Hex Editor
• Anything capable of mounting EXT
• FTK Imager
• Customized scripts
• Manual examination

Reality Check!

• Commercial tools are expensive
  – They still miss data
  – They don’t parse third-party applications completely
  – They omit relevant data when extracting
  – They don’t support all devices
• Open Source tools
  – See above!

Example – iOS Examination

/private/var/mobile/library/Spotlight/com.apple.mobilesms/
  – smssearchindex.sqlite

• Provides SMS message data
  – Active and deleted messages
  – Should be compared to .db
  – May show traces of attachments

*Not commonly parsed by any tool!

Autopsy

• GUI built on
• Next version (v3.1.1) will include Android module
• Customizable
• Complete analytical platform
• Android dumps can be loaded as normal disk images or file folders

Android Examination

Examining Contacts

• Parsed from Contacts2.db file
  – Raw_contacts and ABPerson

Examining the Raw Contacts (1)

Examining the Raw Contacts (2)

Parsing Messages and Chats

• Parses messages and chats from SMS, MMS and some third party applications

Encoding Built into Autopsy

• Encryption vs. Encoding
• Base64 decoder built into Autopsy Android module

Geolocation Support

• Google Maps, Browser, Cache and EXIF location parsing

Geolocation Reporting

Examining Multimedia Files

• EXIF Parser

• Graphics and Videos

Recovering Deleted SQLite Data

• Active files shown in viewer

• Deleted data must be examined and recovered in a hex view

Custom Scripts

• Mari DeGrazia’s SQLite Parser
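As an added example (not from the slides, Autopsy or Mari DeGrazia's parser), the following script shows why deleted rows must be examined at the hex level rather than in a database viewer: it builds a constructed sample message store, deletes one row, and then walks the SQLite page structures to carve strings out of freeblocks and unallocated space that `SELECT` no longer returns. Table name, column names and message texts are all constructed; the page-layout offsets follow the SQLite file format.

```python
import os, re, sqlite3, struct, tempfile

def build_sample_db(path):
    # Constructed sample store with one row deleted; secure_delete is forced OFF (the
    # usual default) so the deleted record's bytes stay on the page instead of being zeroed.
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO message (address, body) VALUES (?, ?)", [
        ("+15550100", "Running late, see you at nine ACTIVE_ONE"),
        ("+15550101", "Delete this thread before the handover DELETED_ROW"),
        ("+15550102", "Picked up the package ACTIVE_TWO")])
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    con.close()

def active_bodies(path):  # what a viewer shows: rows still reachable through the b-tree
    return [r[0] for r in sqlite3.connect(path).execute("SELECT body FROM message ORDER BY id")]

def carve_freed_strings(path, min_len=8):
    # Walk each leaf table page and pull printable strings from its freeblocks and the
    # unallocated gap. A freed cell's first 4 bytes become the freeblock header, so this
    # is a string carve of what a hex view shows, not a record parse.
    data = open(path, "rb").read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    hits = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0          # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:                 # 0x0D = leaf table b-tree page
            continue
        first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        regions = [(hdr + 8 + 2 * ncells, content or 65536)]  # gap below the cell pointer array
        off = first_free
        while off:                            # freeblock chain: next(2) size(2) then old bytes
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            regions.append((off + 4, off + size))
            off = nxt
        for lo, hi in regions:
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, page[lo:hi]):
                hits.append((pno + 1, lo + m.start(), m.group().decode()))
    return hits

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        return active_bodies(path), carve_freed_strings(path)
```

Pages on the freelist and records whose space has been reused by later inserts are not covered here; a real case also needs the freelist trunk walked and the carved strings checked against the active rows of every table.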

References, Sources and Suggested Reading

• http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
• www.az4n6.blogspot.com
• https://viaforensics.com/blog/
• http://www.sleuthkit.org/
• Practical Mobile Forensics – Bommisetty, Mahalik, Tamma
• www.smarterforensics.com
• https://code.google.com/p/lime-forensics/

Questions

Heather Mahalik
Basis Technology
www.basistech.com
Twitter: @heathermahalik
