Pining for data

Acquiring and Analysing a PinePhone
Kathryn Hedley @4enzikat0r

Why am I here?

• To learn about PinePhones

• How to acquire data from a device

• What data is stored on a PinePhone

• Where some data of interest is stored

Wait, what’s a PinePhone?

PinePhone 101

• Open source smartphone
• Intended to deliver a functional phone to users & create a market for Linux-based smartphones
• Supports existing Linux phone projects (https://wiki.pine64.org/wiki/PinePhone_Software_Releases):
  • Manjaro
  • Mobian
  • Fedora
  • Many more!
• https://www.pine64.org/pinephone/

Meet my PinePhone – Piney McPinephone

Purchased directly from https://pine64.com/

Cracking passwords for fun

• root user password: root
• manjaro user password: 123456
• (both users have admin rights & can sudo)

…or just Google it!

https://wiki.pine64.org/wiki/PinePhone

What happens when you connect the device via USB?

Hard route – UART - flick a switch & buy a cable

(Photos: default switch state, UART enabled, UART cable)

https://pine64.com/product/pinebook-pinephone-pinetab-serial-console

Easy route – Terminal, dd & SD card

• Open Terminal
  • Default pin code: 123456
  • Can’t change in Settings
  • (Can change in Terminal with passwd)
• Mount SD card
  • sudo mkdir /mnt/sdcard
  • sudo mount /dev/mmcblk0p1 /mnt/sdcard
• Image device
  • sudo dd if=/dev/mmcblk2 of=/mnt/sdcard/mmcblk2.dd
• Unmount SD card
  • sudo umount /mnt/sdcard

Data commonly found on Linux systems

• Operating system information
• Device identifiers
• Device suspend & reboot events
• USB cable connection events (not found)
• Bash history
• Recent activity
• Network connections

OS version information

• \etc\lsb-release

Device ID

• \etc\machine-id

Device suspend events

• \var\log\pp-suspend.log
• NOT updated during testing

Device boot, reboot, login events

• \var\log\wtmp (btmp & lastlog are empty)
• Timestamps are empty & not properly parsed by the last command

Bash history

• \home\manjaro\.bash_history
• NOTE: only updated on device shutdown/reboot

Recent activity

• \home\manjaro\.local\share\recently-used.xbel
• SOME recent events:
  • Image file viewed: IMG20210405202000.jpg (double click) – 5 April 2021 19:22 UTC+2
  • Photo added to contact – 5 April 2021 21:00 UTC+1
  • Text file created using gedit application – 5 April 2021 22:22 UTC+1
• Timestamps appear to be in device local time (very few examples to base this on!)
• Not consistently updated

WiFi connections
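A small parser for the recently-used.xbel file described above, added here as an example (not the speaker's tooling). The sample file is constructed in the GTK layout (XBEL with the freedesktop bookmark and mime namespaces); only the JPEG filename comes from the talk, and the timestamps are read as the file writes them, so the local-time observation above still needs checking against a known action.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Constructed recently-used.xbel in GTK's layout; the JPEG name is the talk's.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/manjaro/Pictures/IMG20210405202000.jpg" added="2021-04-05T17:22:00Z" modified="2021-04-05T17:22:00Z" visited="2021-04-05T17:22:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="image/jpeg"/>
      <bookmark:applications>
        <bookmark:application name="Image Viewer" exec="&apos;eog %u&apos;" modified="2021-04-05T17:22:00Z" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///home/manjaro/Documents/notes%20draft.txt" added="2021-04-05T21:22:10Z" modified="2021-04-05T21:22:10Z" visited="2021-04-05T21:22:10Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="text/plain"/>
    </metadata></info>
  </bookmark>
</xbel>
"""
NS = {"bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
      "mime": "http://www.freedesktop.org/standards/shared-mime-info"}

def _ts(value):
    # The file writes ISO 8601 with a 'Z' suffix, nominally UTC; the talk saw
    # device-local times, so confirm the offset against a known action.
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def parse_recently_used(xml_text):
    """One dict per <bookmark>: path, timestamps, MIME type and opening apps."""
    entries = []
    for bm in ET.fromstring(xml_text).findall("bookmark"):
        mt = bm.find("info/metadata/mime:mime-type", NS)
        apps = bm.findall("info/metadata/bookmark:applications/bookmark:application", NS)
        entries.append({
            "path": unquote(urlparse(bm.get("href")).path),
            "added": _ts(bm.get("added")), "modified": _ts(bm.get("modified")),
            "visited": _ts(bm.get("visited")),
            "mime": mt.get("type") if mt is not None else None,
            "apps": [(a.get("name"), a.get("exec"), int(a.get("count", "0"))) for a in apps],
        })
    return sorted(entries, key=lambda e: e["visited"])  # oldest first: a timeline
```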

• \etc\NetworkManager\system-connections\
• One file per remembered SSID - .nmconnection
• Contains: SSID, UUID, security info, password
• ‘Forgotten’ network nmconnection files deleted (can be carved using ‘[connection]’ header)

Phone-specific data
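The carving idea above, worked through as an added example (not the speaker's tooling): scan a raw image for the ‘[connection]’ header and read each text run that follows as a NetworkManager keyfile. The image bytes are constructed, and the parser records only that a PSK is present rather than copying it out.

```python
import configparser
import re

# Constructed stand-in for a raw dd image: two keyfile profiles separated by
# free space. Real profiles sit in /etc/NetworkManager/system-connections/.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"[connection]\nid=HomeWifi\nuuid=1b2c3d4e-0000-4000-8000-000000000001\n"
      b"type=wifi\n\n[wifi]\nssid=HomeWifi\nmode=infrastructure\n\n"
      b"[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-not-a-real-psk\n"
    + b"\x00" * 32
    + b"[connection]\nid=CoffeeShop\nuuid=1b2c3d4e-0000-4000-8000-000000000002\n"
      b"type=wifi\n\n[wifi]\nssid=Coffee"  # truncated: partly overwritten
    + b"\x00" * 16
)
# A keyfile is text: tab, CR, LF, printable ASCII and UTF-8 bytes; anything
# else (here the NUL fill) ends the carved run.
RUN = re.compile(rb"\[connection\][\t\r\n\x20-\x7e\x80-\xff]*")

def parse_keyfile(data):
    """Pull identifying fields out of one carved profile; never copies the PSK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return {"error": "unparseable fragment", "size": len(data)}
    return {
        "id": cp.get("connection", "id", fallback=None),
        "uuid": cp.get("connection", "uuid", fallback=None),
        "type": cp.get("connection", "type", fallback=None),
        "ssid": cp.get("wifi", "ssid", fallback=None),
        "key_mgmt": cp.get("wifi-security", "key-mgmt", fallback=None),
        "has_psk": cp.has_option("wifi-security", "psk"),
    }

def carve_nmconnections(image):
    """Return [(offset, fields)] for every '[connection]' keyfile run in the image."""
    found = []
    for run in RUN.finditer(image):
        pos = run.start()
        # Adjacent profiles with no gap form one run; split on each header.
        for part in re.split(rb"(?=\[connection\])", run.group()):
            if part:
                found.append((pos, parse_keyfile(part)))
                pos += len(part)
    return found
```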

• Software - Installed applications
• Calls - Call logs
• Chatty - SMS messages (MMS not possible on my PinePhone)
• Telegram Messenger
• Contacts
• Megapixels – Photographs taken with the camera
• Calendar entries
• To Do - Task lists
• Text Editor - Documents
• Firefox - Browser history
• Map data

Installed applications (Software)

• \var\log\pacman.log
• Includes prerequisites, so quite noisy!

Call Log (calls)

• \home\manjaro\.local\share\calls\records.db
• Inbound field: 0 = outgoing call, 1 = incoming call

SMS Messages (chatty) – SQLite database

• \home\manjaro\.purple\chatty\db\chatty-history.db
• Timestamps are Unix numeric values
• Direction: -1 = outgoing (sent), 1 = incoming (received)

SMS Messages (chatty) – HTML files

• \home\manjaro\.purple\logs\mm-sms\sms
• One subfolder per sender/recipient phone number, one HTML file per date
• Includes sent or received SMS message

SMS Messages (chatty) – XML list of SMS contacts

• \home\manjaro\.purple\blist.xml
• Lists all senders/recipients with whom you have communicated via SMS
• ‘name’ matches that shown to the user, i.e. phone number or organization name
• ‘alias’ only present for device contacts
• ‘chatty-unknown-contact’ only present for contacts not in device contacts

Telegram

• \home\manjaro\.local\share\TelegramDesktop

Contacts

• \home\manjaro\.local\share\evolution\addressbook\system\contacts.db
• folder_id table
  • uid = unique ID – links to folder_id_phone_list table (phone number) & folder_id_email_list (email address)
  • Rev = last modified date

Contact photos

• \home\manjaro\.local\share\evolution\addressbook\system\photos\
• PNG files named for contact’s UID - _photo-file0.image%2Fpng

Photographs taken with the camera (Megapixels)

• \home\manjaro\Pictures\

Photograph thumbnails… maybe!

• \home\manjaro\.cache\thumbnails\
• Only one thumbnail created here during testing

Calendar entries

• \home\manjaro\.local\share\evolution\calendar\system\calendar.ics
• vCalendar file, starts ‘BEGIN:VCALENDAR’
• Each event starts BEGIN:VEVENT
• Each event ends END:VEVENT
• UID = unique event ID
• DTSTAMP = CREATED = event creation date/time (so far!)
• DTSTART = event start
• DTEND = event end
• SUMMARY = event name
• LAST-MODIFIED = event last modified date/time

Tasklists (To Do)

• \home\manjaro\.config\evolution\sources\<40-char hex string>.source
• One per ‘List’, includes list name (DisplayName) but not individual tasks

Tasklist tasks (To Do)

• \home\manjaro\.local\share\evolution\tasks\\tasks.ics
• vCalendar file, starts ‘BEGIN:VCALENDAR’

Tasklist tasks (To Do)

Each individual task in this file has the structure:

BEGIN:VTODO
UID:618e6a9d87ba9708889751c729490e705f440d6c
DTSTAMP:20210405T191820Z
SUMMARY:tasky mctaskface 1
CREATED:20210405T191821Z
LAST-MODIFIED:20210405T191821Z
END:VTODO

• Date/time values appear to be in local time to the device (UTC+2 in this case)
• (again, only a small amount of testing done so far)
• Summary is the task name within the tasklist

Documents created using Text Editor
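A parser for the calendar.ics and tasks.ics files covered in the Calendar entries and Tasklist tasks slides, added here as an example (not the speaker's tooling). The VTODO in the sample is the one shown on the slide; the VEVENT is constructed to exercise the listed fields plus a TZID parameter and a folded line, and the 'Z' suffix is treated as UTC as the format defines it, which is the point to reconcile with the local-time observation above.

```python
from datetime import datetime, timezone
# Constructed file: the VTODO is the slide's own sample; the VEVENT is made up.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VTODO
UID:618e6a9d87ba9708889751c729490e705f440d6c
DTSTAMP:20210405T191820Z
SUMMARY:tasky mctaskface 1
CREATED:20210405T191821Z
LAST-MODIFIED:20210405T191821Z
END:VTODO
BEGIN:VEVENT
UID:constructed-event-0001
DTSTART;TZID=Europe/London:20210406T090000
DTEND;TZID=Europe/London:20210406T100000
SUMMARY:Constructed
  meeting
END:VEVENT
END:VCALENDAR
"""
DATE_FIELDS = {"DTSTAMP", "CREATED", "LAST-MODIFIED", "DTSTART", "DTEND"}

def parse_ics_datetime(value):
    # RFC 5545: trailing 'Z' is UTC; no suffix is floating (device-local) time.
    # The talk observed device-local values, so verify against a known event.
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y%m%dT%H%M%S")

def unfold(text):
    # RFC 5545 folds long lines; a continuation starts with a space or tab.
    lines = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_ics(text):
    """One dict per VEVENT/VTODO: type, UID, SUMMARY and parsed date fields."""
    items, current = [], None
    for line in unfold(text):
        if line in ("BEGIN:VEVENT", "BEGIN:VTODO"):
            current = {"type": line.split(":", 1)[1]}
        elif line in ("END:VEVENT", "END:VTODO") and current is not None:
            items.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            key = key.split(";", 1)[0]  # drop parameters such as ;TZID=...
            current[key] = parse_ics_datetime(value) if key in DATE_FIELDS else value
    return items
```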

• \home\manjaro\Documents\

Firefox (desktop version) history

• \home\manjaro\.mozilla\firefox\firefox.default\places.sqlite
• \home\manjaro\.mozilla\firefox\tk0topo4.default-release\places.sqlite

Firefox cookies

• \home\manjaro\.mozilla\firefox\firefox.default\cookies.sqlite
• \home\manjaro\.mozilla\firefox\tk0topo4.default-release\cookies.sqlite

Firefox cache

• \home\manjaro\.mozilla\firefox\firefox.default\cache2\
• No cache2 folder in \home\manjaro\.mozilla\firefox\tk0topo4.default-release\

Firefox search history

• \home\manjaro\.mozilla\firefox\firefox.default\formhistory.sqlite
• \home\manjaro\.mozilla\firefox\tk0topo4.default-release\formhistory.sqlite

Map searches

• \home\manjaro\.local\share\maps-places.json
• “name” – search term
• GPS co-ordinates, altitude, date/time search conducted (UNIX numeric)

Map tiles

• \home\manjaro\.cache\champlain\mapbox.streets-v11\

Future stuff to think about

• Geary (email app) wouldn’t open during testing
  • Suspect data would be stored in \home\manjaro\.local\share\evolution\mail
  • Unconfirmed
• Other Linux variants – look at re-flashing the device & doing the same evaluation process

Cheatsheet

https://www.khyrenz.com/blog/pinephone-forensics/

…so you don’t actually need to remember anything I just said!