Mobile Forensics

Techniques and tools for acquiring and analysing mobile devices

Mattia Epifani – Litiano Piccin

IISFA

The International Information Systems Forensics Association (IISFA) is a non-profit organisation whose mission is to promote the discipline of information forensics through outreach, education and certification.

The association is made up of:

• a Board of Directors, which acts as its steering and governing body;

• a Scientific Committee and a Technical Committee, composed of leading figures and experts in the field who contribute voluntarily to achieving the association's objectives.

© CLUSIT 2012 – Mobile Forensics – Mattia Epifani – Litiano Piccin

IISFA - Objectives

• Provide a professional and stimulating environment for exchanging ideas and information on forensics topics among experts in the field, while also being the point of reference for anyone approaching these subjects.

• Combine real-world experience with the knowledge of information security professionals.

• Build a network of relationships among the association's members, creating opportunities for professional improvement and growth.

• Defend a culture of professionalism, including through the spread of the CIFI certification.

IISFA - Training and certification

• Training of members is one of the key points of the IISFA association's statute.

• The association's training offering includes:
  • Refresher seminars.
  • Conferences.
  • Publications.
  • Website and newsletter.
  • Intensive Course in Computer and Mobile Forensics.
  • Dedicated intensive courses.
  • E-learning platform.
  • Social network platform.
  • CIFI certification.

http://www.iisfa.net

IISFA Newsletter

IISFA – Intensive courses

• Intensive Course in Computer and Mobile Forensics
  • Two editions per year.
  • Milan (February/March) and Rome (October/November).
  • Discounts for CLUSIT members, thanks to an agreement.
  • Includes the voucher to sit the CIFI certification exam.

IISFA – Dedicated courses

• Dedicated courses
  • Windows Forensics (2 days)
  • Macintosh Forensics (2 days)
  • Memory Forensics (2 days)
  • Malware Forensics (3 days)
  • Live Forensics (1 day)
  • Internet Forensics (1 day)
  • Mobile Forensics (2 days)
  • iOS Forensics (1 day)
  • Android Forensics (1 day)

http://www.iisfa-elearning.com/

http://iisfa-network.org/

MOBILE FORENSICS 03/05/2012 Rome

1. What's the GOAL?
2. What's the device?
3. Which actions when I receive it?
4. Which software for acquisition?
5. How can I isolate it during the data acquisition?


“What's the GOAL?”

“…let the consultant state, having first copied the memories, whether the SMS messages have been altered…”.

“…extract all the images contained, with particular attention to those…”.

“…recover all the chats present on the phone, with particular attention to…”.


“What's the device?”


“Which actions when I receive it?”


“Which software for acquisition?”


AT COMMANDS.

AT commands are used to control a modem. AT is the abbreviation of ATtention. Every command line starts with "AT". Many of the commands that are used to control wired dial-up modems, such as ATD (Dial), ATA (Answer), ATH (Hook control) and ATO (Return to online data state), are also supported by GSM/GPRS modems and mobile phones. Besides this common AT command set, GSM/GPRS modems and mobile phones support an AT command set that is specific to the GSM technology, which includes SMS-related commands like AT+CMGS (Send SMS message), AT+CMSS (Send SMS message from storage), AT+CMGL (List SMS messages) and AT+CMGR (Read SMS messages). http://www.developershome.com/sms/atCommandsIntro.asp
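The listing format those SMS commands return is what an acquisition tool has to parse. The following is an added example, not code from the slides or from developershome.com: it parses the text-mode (AT+CMGF=1) response to AT+CMGL into records, using a constructed modem transcript (numbers, texts and timestamps are invented). One caveat worth recording at acquisition time: per the GSM 07.05 specification, listing messages whose status is "REC UNREAD" changes their stored status to "REC READ" on many modems, so the status value captured is itself a state change to document.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of what a GSM modem returns to AT+CMGL="ALL" in text mode.
# Each record is a "+CMGL:" header line followed by the message body on the next line.
SAMPLE_CMGL_RESPONSE = (
    'AT+CMGL="ALL"\r\n'
    '+CMGL: 1,"REC READ","+393331234567",,"12/05/03,10:15:00+08"\r\n'
    'Ci vediamo alle 18\r\n'
    '+CMGL: 2,"REC UNREAD","+393339876543",,"12/05/03,11:02:41+08"\r\n'
    'Chiamami quando puoi\r\n'
    '+CMGL: 5,"STO SENT","+393331234567",,\r\n'
    'Ok, arrivo\r\n'
    '\r\n'
    'OK\r\n'
)


@dataclass
class SmsRecord:
    index: int        # storage slot on the SIM or phone: keep it, it is the evidence locator
    status: str       # REC READ / REC UNREAD / STO SENT / STO UNSENT
    number: str       # originating or destination address
    timestamp: str    # service-centre timestamp; empty for stored (not received) messages
    text: str


# +CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>]  -- alpha and scts are optional
_HEADER = re.compile(
    r'^\+CMGL:\s*(?P<index>\d+),"(?P<stat>[^"]*)","(?P<num>[^"]*)",'
    r'(?:"[^"]*")?,(?:"(?P<ts>[^"]*)")?\s*$'
)


def parse_cmgl(response: str) -> List[SmsRecord]:
    """Turn a raw AT+CMGL response into structured records, preserving the storage index."""
    records: List[SmsRecord] = []
    lines = response.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines):
        m = _HEADER.match(lines[i])
        if m:
            body = lines[i + 1] if i + 1 < len(lines) else ""
            records.append(SmsRecord(
                index=int(m.group("index")),
                status=m.group("stat"),
                number=m.group("num"),
                timestamp=m.group("ts") or "",
                text=body,
            ))
            i += 2
        else:
            i += 1  # command echo, blank line, or final "OK"/"ERROR" result code
    return records


if __name__ == "__main__":
    for rec in parse_cmgl(SAMPLE_CMGL_RESPONSE):
        print(rec)
```

The parser keys on the header line and treats the following line as the body, which is how the text-mode format is laid out; a PDU-mode (AT+CMGF=0) listing would need a separate PDU decoder.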



“How can I isolate it during the data acquisition?”


Inside Mobile Forensics

“What's the GOAL?”


Art. 359 (Italian Code of Criminal Procedure): Technical consultants of the public prosecutor.

Art. 360 (Italian Code of Criminal Procedure): Non-repeatable technical assessments.

“What's the device?”


“How does it work?”


Don't start work without the PUK

The Personal Unblocking Code (PUC) or Personal Unblocking Key (PUK) is a code used on GSM mobile phones and on some smart cards to unblock a device that has previously been blocked.

It is mainly used in telephony. Most mobile phones and their SIM cards are protected by a PIN code to prevent unauthorised use. After the PIN has been entered incorrectly 3 consecutive times, the PUK code must be entered. It is supplied by the network operator, cannot be changed by the user and is generally 8 digits long. After 10 consecutive incorrect entries of the PUK, the SIM card is blocked and must be replaced.

http://it.wikipedia.org/wiki/Codice_PUK


“A memory card can be treated like a hard disk”

File Carving.

File Carving, or sometimes simply Carving, is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media.

http://www.forensicswiki.org/wiki/File_Carving
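As an added example (not code from the slides or from the Forensics Wiki), here is a minimal header/footer carver of the kind the quoted definition describes, run over a constructed memory-card image: it ignores any directory structure and recovers objects purely from content signatures, and it skips a header whose footer never arrives (a fragment), which is the case the definition flags for damaged media. The signature table and the sample image are both constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed signature table: file type -> (header bytes, footer bytes).
# Real carvers (foremost, scalpel, PhotoRec) ship far longer tables and handle fragmentation.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header/footer pair found in a raw image.

    Directory entries are never consulted: only content signatures are used, so files
    whose metadata was deleted or corrupted are still found.
    """
    found: List[Tuple[str, int, bytes]] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # header without a footer inside max_size: a fragment, move past it
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found


def build_sample_image() -> bytes:
    """Constructed 'memory card' contents: unallocated space, a tiny JPEG-like object,
    slack filled with 0xFF, a PNG-like object with no directory entry, and a JPEG
    header fragment with no footer."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xae\x42\x60\x82"
    fragment = b"\xff\xd8\xff\xe1" + b"F" * 20
    return b"\x00" * 512 + jpeg + b"\xff" * 100 + png + b"\x00" * 50 + fragment + b"\x00" * 64


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The offsets returned are what goes into the report: they tie each carved object back to a location in the bit-for-bit image, which is needed when the extraction has to be reproduced by another party.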


“If you can, always use a CABLE!”

“Which actions when I receive it?”


“ISOLATE THE DEVICE”

Keep it secure from any incoming communications from the networks.


“PASSWORD/PATTERN LOCK”


“REMOVE PASSWORD/PATTERN LOCK”

IPHONE / ANDROID / BLACKBERRY


“AIRPLANE MODE”

ANDROID / IPHONE / BLACKBERRY

“Which software for acquisition?”


http://www.cftt.nist.gov/ http://www.cftt.nist.gov/mobile_devices.htm


http://www.nij.gov/pubs-sum/232383.htm


Software vs. Hardware


Logical vs. Physical


• Device settings.
• SMS/MMS.
• Phone book, calendar, tasks and notes.
• Call history (received, dialed and missed).
• Audio and video recordings.
• Pictures.
• Emails.
• Chat and Skype messages.


“How can I isolate it during the data acquisition?”


1. Faraday bag.
2. Jammer (PHONE and WI-FI/BLUETOOTH).
3. Airplane mode.
4. SIM cloning.


“FARADAY BAG?”


Max power transmitted by a base station (GSM): +55 dBm (320 W)
Power received inside a building (GSM): -30 dBm to -90 dBm

Minimum power a mobile device can receive: -103 dBm


GSM 900 MHz with “Faraday Phone Shield”: -19 dB


GSM 2100 MHz with “Faraday Phone Shield”: -30 dB


“Bluetooth?”


“JAMMER?”


Portable (2-3 hours): shielding radius 1-15 m, max power 0.6 W
Base: shielding radius 10-40 m, max power 8 W


“Am I alone?”


“Is it switched on?”

http://www.megalab.it/5062/bloccare-una-rete-wireless-e-un-gioco-da-ragazzi


“AIRPLANE MODE?”

Remember to document the handset changes.


“SIM CLONING”

THE GOAL: “switch the phone on without a GSM/3G jammer or Faraday bag”.

“Can I use my personal (or a new) SIM?”

NO!!!


“Why not?”

• You can lose information.
• You can receive SMS messages or phone calls.
• Processes on the phone can send information through the provider.
• You can forget it inside the phone.

“Solutions?”

“Maybe… clone the SIM!!!”


International mobile subscriber identity (IMSI): SIM cards are identified on their individual operator networks by a unique IMSI. Mobile operators connect mobile phone calls and communicate with their market SIM cards using their IMSIs.

Integrated circuit card identifier (ICC-ID): each SIM is internationally identified by its ICC-ID. ICC-IDs are stored in the SIM cards and are also engraved or printed on the SIM card body during a process called personalization.

http://en.wikipedia.org/wiki/Subscriber_Identity_Module#Authentication_key_.28Ki.29
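Both identifiers have structure that an examiner can check before relying on them: the ICC-ID printed on the card body ends in a Luhn check digit (ISO/IEC 7812), so a transcription error from the card shows up immediately, and the IMSI reported by the card starts with the MCC and MNC that identify the operator. The following is an added example, not code from the slides or from Wikipedia; the ICC-ID and IMSI values are constructed (they identify no real subscriber), and the 2-digit MNC length is an assumption passed as a parameter because it varies by country.

```python
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by ICC-IDs: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that makes payload + digit Luhn-valid (exactly one digit always does)."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: one of ten digits must satisfy the checksum")


def parse_iccid(iccid: str) -> Dict[str, object]:
    """Split an ICC-ID as printed on the card body (spaces tolerated)."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 18 <= len(digits) <= 20:
        raise ValueError("ICC-ID must be 18 to 20 decimal digits")
    return {
        "mii": digits[:2],                    # "89" = telecommunications industry
        "issuer_and_account": digits[2:-1],   # country code + issuer + account; split is issuer-specific
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
    }


def parse_imsi(imsi: str, mnc_length: int = 2) -> Dict[str, str]:
    """MCC is always 3 digits; MNC is 2 or 3 digits depending on the country (assumed 2 here)."""
    if not imsi.isdigit() or len(imsi) > 15:
        raise ValueError("IMSI must be up to 15 decimal digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}


def sim_identity_report(iccid: str, imsi: str, mnc_length: int = 2) -> Dict[str, object]:
    """Combine what is printed on the card (ICC-ID) with what the card reports (IMSI),
    flagging anything that should be re-checked before it goes into the report."""
    ic = parse_iccid(iccid)
    im = parse_imsi(imsi, mnc_length)
    issues: List[str] = []
    if ic["mii"] != "89":
        issues.append("ICC-ID does not start with 89: not a telecommunications card?")
    if not ic["luhn_ok"]:
        issues.append("ICC-ID check digit invalid: transcription error likely")
    return {"iccid": ic, "imsi": im, "issues": issues}


if __name__ == "__main__":
    # Constructed values, not a real card
    print(sim_identity_report("8939 0100 0000 0000 009", "222011234567890"))
```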


Authentication key (Ki) The Ki is a 128-bit value used in authenticating the SIMs on the mobile network. Each SIM holds a unique Ki assigned to it by the operator during the personalization process. The Ki is also stored on a database (known as Authentication Center or AuC) on the carrier's network.

The SIM card is designed not to allow the Ki to be obtained using the smart-card interface. Instead, the SIM card provides a function, Run GSM Algorithm, that allows the phone to pass data to the SIM card to be signed with the Ki. This, by design, makes usage of the SIM card mandatory unless the Ki can be extracted from the SIM card, or the carrier is willing to reveal the Ki. In practice, the GSM cryptographic algorithm for computing SRES_2 (see step 4, below) from the Ki has certain vulnerabilities which can allow the extraction of the Ki from a SIM card and the making of a duplicate SIM card.

http://en.wikipedia.org/wiki/Subscriber_Identity_Module#Authentication_key_.28Ki.29
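The design described above is also what makes a forensic “clone” safe to use for isolation: a card that carries the original IMSI and ICC-ID but not the Ki satisfies the handset (it sees the expected subscriber identity and boots normally) while the network's challenge/response fails, so the phone cannot attach and nothing arrives or leaves. The following is an added example, not code from the slides or from Wikipedia, showing both sides of that exchange. The A3/A8 algorithm is replaced by an HMAC-SHA256 stand-in (an assumption of this example; real operators use COMP128 variants or Milenage), and the key and identifiers are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def _a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption for this example): HMAC-SHA256
    keyed with Ki, truncated to SRES (32 bits) and the session key Kc (64 bits)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SimCard:
    """The genuine card: Ki is held privately, the only exposed operation is Run GSM Algorithm."""

    def __init__(self, imsi: str, iccid: str, ki: bytes):
        self.imsi = imsi
        self.iccid = iccid
        self.__ki = ki  # never returned by any method

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return _a3a8(self.__ki, rand)


class ForensicCloneSim:
    """A test card programmed with the original identifiers only. The handset recognises
    the subscriber, but without Ki no valid SRES can be produced."""

    def __init__(self, original: SimCard):
        self.imsi = original.imsi
        self.iccid = original.iccid

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return _a3a8(b"\x00" * 16, rand)  # no real key is available to the clone


class AuthenticationCenter:
    """Operator side (AuC): holds a copy of each subscriber's Ki and issues challenges."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = _a3a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


def attach_attempt(auc: AuthenticationCenter, sim) -> bool:
    """Network sends RAND, the card answers SRES, the network compares it with its own."""
    rand, expected_sres, _kc = auc.triplet(sim.imsi)
    sres, _kc_on_card = sim.run_gsm_algorithm(rand)
    return hmac.compare_digest(sres, expected_sres)


if __name__ == "__main__":
    ki = bytes(range(16))                       # constructed key
    auc = AuthenticationCenter()
    auc.provision("222011234567890", ki)
    genuine = SimCard("222011234567890", "8939010000000000009", ki)
    clone = ForensicCloneSim(genuine)
    print("genuine card attaches:", attach_attempt(auc, genuine))
    print("forensic clone attaches:", attach_attempt(auc, clone))
```

The clone answers every challenge, so the handset behaves as if a SIM is present; it is the network that rejects it. That is the isolation property the next slides rely on, and it is why a personal or new SIM (which does hold a valid Ki for its own subscription) gives the opposite result.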


“MicroSIM?”


“No SIM?”


INTRODUCTION - IPHONE.

“The iPhone is a line of smartphones designed and marketed by Apple Inc. The first iPhone was unveiled by Steve Jobs, then CEO of Apple, on January 9, 2007, and released on June 29, 2007. The 5th generation iPhone, the iPhone 4S, was announced on October 4, 2011, and released 10 days later. An iPhone can function as a video camera (video recording was not a standard feature until the iPhone 3GS was released), a camera phone, a portable media player, and an Internet client with email and web browsing capabilities, can send texts and receive visual voicemail, and has both Wi-Fi and 3G connectivity. The user interface is built around the device's multi-touch screen, including a virtual keyboard rather than a physical one. Third-party as well as Apple application software is available from the App Store, which launched in mid-2008 and now has over 500,000 "apps" approved by Apple”.

http://en.wikipedia.org/wiki/IPhone


“On October 17, 2007, Steve Jobs, in an open letter posted to Apple's "Hot News" weblog, announced that a software development kit (SDK) would be made available to third-party developers in February 2008. The iPhone SDK was officially announced and released on March 6, 2008, at the Apple Town Hall facility.

It is a free download, with an Apple registration, that allows developers to develop native applications for the iPhone and iPod Touch, then test them in an "iPhone simulator". However, loading an application onto a real device is only possible after paying an Apple Developer Connection membership fee. Developers are free to set any price for their applications to be distributed through the App Store, of which they will receive a 70% share”.

http://en.wikipedia.org/wiki/IPhone


INTRODUCTION - IPAD.

“The iPad is a line of tablet computers designed and marketed by Apple Inc., primarily as a platform for audio-visual media including books, periodicals, movies, music, games, apps and web content. Its size and weight fall between those of contemporary smartphones and laptop computers. The iPad runs on iOS, the same operating system used on Apple's iPod Touch and iPhone, and can run its own applications as well as iPhone applications. Without modification, the iPad will only run programs approved by Apple and distributed via the Apple App Store (with the exception of programs that run inside the iPad's web browser)”.

http://en.wikipedia.org/wiki/IPad


“Like the iPhone, with which it shares a development environment (iPhone SDK, or software development kit, version 3.2 onwards), the iPad only runs its own software, software downloaded from Apple's App Store, and software written by developers who have paid for a developer's license on registered devices. The iPad runs almost all third-party iPhone applications, displaying them at iPhone size or enlarging them to fill the iPad's screen. Developers may also create or modify apps to take advantage of the iPad's features. Application developers use iPhone SDK for developing applications for iPad”.

http://en.wikipedia.org/wiki/IPad


INTRODUCTION - MODELS.

IPHONE:

• iPhone (2007, A1203): 4, 8, 16 GB
• iPhone 3G (2008, A1241): 8, 16 GB
• iPhone 3GS (2009, A1303): 8, 16, 32 GB
• iPhone 4 (2010, A1332): 8, 16, 32 GB
• iPhone 4S (2011, A1387): 16, 32, 64 GB

IPAD:

• iPad Wi-Fi (2010): 16, 32, 64 GB
• iPad Wi-Fi/3G (2010): 16, 32, 64 GB
• iPad 2 Wi-Fi (2011): 16, 32, 64 GB
• iPad 2 Wi-Fi/3G (2011): 16, 32, 64 GB
• iPad 3 Wi-Fi (2012): 16, 32, 64 GB
• iPad 3 Wi-Fi/4G (2012): 16, 32, 64 GB

http://support.apple.com/kb/HT3939


http://en.wikipedia.org/wiki/List_of_iOS_devices


INTRODUCTION - JAILBREAKING.

“iOS jailbreaking, or simply jailbreaking, is the process of removing the limitations imposed by Apple on devices running the iOS operating system through the use of custom kernels. Such devices include the iPhone, iPod touch, iPad, and 2nd Gen Apple TV. Jailbreaking allows users to gain root access to the operating system, allowing iOS users to download additional applications, extensions, and themes that are unavailable through the official Apple App Store. Jailbreaking is a form of privilege escalation, and the term has been applied to privilege escalation on other computer systems as well. The name refers to breaking the device out of its "jail", a technical term used in Unix-style systems, for example FreeBSD jail. A jailbroken iPhone, iPod touch, or iPad running iOS can still use the App Store, iTunes, and other normal functions, such as making telephone calls. Unlike rooting an Android device, jailbreaking is necessary if the user intends to run software not authorized by Apple. A tethered jailbreak requires that the device be connected to a computer each time it needs to be booted; an untethered jailbreak allows the device to be powered without computer assistance”.

http://en.wikipedia.org/wiki/IOS_jailbreaking


Tethered means "attached" to your computer: to use the exploit you must boot the device by running code on it from the computer. Devices are tethered because there are one or more points along the boot chain where the device fails one or more signature checks as part of the jailbreak; the device is still able to boot because there is a way to execute code via USB that lets you bootstrap it.


IPHONE/IPAD – NORMAL BOOT.

iPhone security model & vulnerabilities - Cedric Halbronn Jean Sigwald (2010)

Apple root certificates are embedded in the “BootROM”. RSA signatures checked before moving to the next stage.

”BootROM” (called "SecureROM”) is the first significant code that runs on an iDevice. It is read-only.

”Low Level Bootloader” runs several setup routines and checks the signature of ”iBoot” before jumping to it.

“iBoot” runs what is known as ”Recovery Mode” and has an interactive interface which can be used over USB or serial.


IPHONE/IPAD – RECOVERY MODE.



IPHONE/IPAD – DFU.


“DFU” (Device Firmware Upgrade) mode allows a device to be restored from any state.

The ”iBSS” bootstraps the ”iBEC”, which prepares and executes the Restore Ramdisk. In addition, it sends messages to iTunes during the restore to supervise the restore process.


IPHONE/IPAD – JAILBREAK EXPLOIT.


Pwnage BootROM exploit: a way to flash your iDevice with hacked firmware.

Blackra1n (geohot - October 2009): exploits signature checks in “iBoot” and “Kernel”.


IPHONE/IPAD – DFU EXPLOIT.


Limera1n/greenpois0n (geohot/comex - October 2010): load original bootloaders and signature checks.


IPHONE/IPAD – iOS.

iOS is the operating system that runs on iPhone, iPod touch, and iPad devices. This operating system manages the device hardware and provides the technologies required to implement native applications.


The ”Cocoa Touch” layer contains the frameworks for building iOS applications (multitasking, touch-based input, push notifications). The “Media Services” layer contains the graphics, audio, and video technologies. The “Core Services” layer contains the fundamental system services that all applications use. The “Core OS” layer contains the low-level hardware features.


IPHONE/IPAD – FILE SYSTEM.

It is important to note that the root partition here is mounted read/write. This is the result of the jailbreaking technique.

There are two partition types: “System” and “User” (Private). The System partition is always read-only (if not jailbroken).

HFS Plus or HFS+ is a file system developed by Apple Inc. to replace their Hierarchical File System (HFS) as the primary file system used in Mac OS. http://en.wikipedia.org/wiki/HFS_Plus


• SMS
• Calendar
• Photos
• Camera
• YouTube
• Stocks
• Maps
• Weather
• Clock
• Calculator
• Notes
• Settings
• iTunes
• Phone
• Mail
• Safari
• iPod


IPHONE/IPAD – DATA STRUCTURE.

The iDevice stores information in two different types of data structure:

• XML files called “plists” (property lists).
• SQLite databases.


IPHONE/IPAD – PLIST.

“In the Mac OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files. Property list files are often used to store a user's settings”.

http://en.wikipedia.org/wiki/Property_list


IPHONE/IPAD – SQLITE.

“SQLite is an ACID-compliant embedded relational database management system contained in a small (~275 kB) C programming library. SQLite implements most of the SQL standard, using a dynamically and weakly typed SQL syntax that does not guarantee the domain integrity. In contrast to other database management systems, SQLite is not a separate process that is accessed from the client application, but an integral part of it. SQLite read operations can be multitasked, though writes can only be performed sequentially”.

http://en.wikipedia.org/wiki/SQLite
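Both data structures from the previous slides (plists and SQLite databases) can be read with the Python standard library alone, which is useful for verifying what a commercial tool reports. The following is an added example, not code from the slides or from Wikipedia: it parses a constructed plist and queries a constructed SQLite message store. The database schema is invented for this example and is not the layout of any real iOS database; the timestamp conversion reflects the fact that iOS commonly stores dates as seconds since 2001-01-01 UTC (Mac absolute time).

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed XML plist resembling a settings file (not a real iOS file)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DeviceName</key><string>Example iPhone</string>
  <key>PasscodeEnabled</key><true/>
  <key>KnownNetworks</key>
  <array><string>HomeWiFi</string><string>OfficeWiFi</string></array>
</dict>
</plist>
"""

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def read_plist(data: bytes) -> dict:
    """plistlib detects XML and binary ('bplist00') property lists automatically."""
    return plistlib.loads(data)


def mac_absolute_to_utc(seconds: float) -> datetime:
    """Convert a Mac absolute time value (seconds since 2001-01-01 UTC) to a datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def build_sample_messages_db() -> sqlite3.Connection:
    """Constructed in-memory database with an invented schema; not the real sms.db layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY,
            address TEXT NOT NULL,
            date INTEGER NOT NULL,   -- Mac absolute time, constructed values
            text TEXT
        );
        INSERT INTO message VALUES (1, '+393331234567', 357000000, 'See you at 6');
        INSERT INTO message VALUES (2, '+393339876543', 357003600, 'Call me when you can');
        INSERT INTO message VALUES (3, '+393331234567', 357007200, 'Ok, on my way');
    """)
    return conn


def messages_for(conn: sqlite3.Connection, address: str) -> List[Tuple[int, str, str]]:
    """All messages exchanged with one address, oldest first, with the date made readable.
    The address is bound as a parameter rather than pasted into the SQL string."""
    rows = conn.execute(
        "SELECT ROWID, date, text FROM message WHERE address = ? ORDER BY date",
        (address,),
    ).fetchall()
    return [(rowid, mac_absolute_to_utc(date).isoformat(), text) for rowid, date, text in rows]


if __name__ == "__main__":
    settings = read_plist(SAMPLE_PLIST)
    print("device:", settings["DeviceName"], "passcode:", settings["PasscodeEnabled"])
    for row in messages_for(build_sample_messages_db(), "+393331234567"):
        print(row)
```

The parameterised query matters even in read-only forensic tooling: phone numbers and handles come from the evidence, so treating them as SQL text would let the contents of the device alter the query that examines it.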


IPHONE/IPAD – DEVICE PROTECTION.

Passcode policies. A device passcode prevents unauthorized users from accessing data stored on iDevice or otherwise gaining access to the device. iDevice allows you to select from an extensive set of passcode requirements to meet your security needs, including timeout periods, passcode strength, and how often the passcode must be changed.


Tips for using passcodes

•Simple passcodes are four digits long. You can disable simple passcode to require a longer passcode with alphanumeric characters.

•You can configure your device to automatically erase all contents (WIPE) after ten or more failed passcode attempts.

•MobileMe users can remotely enable or change their passcode using “Find My iPhone”.

•If you enter an incorrect passcode too many times, the device will be disabled temporarily.

http://support.apple.com/kb/HT4113


Local wipe: iDevice can also be configured to automatically initiate a local wipe after several failed passcode attempts. This is a key deterrent against brute-force attempts to gain access to the device. By default it will automatically wipe the device after 10 failed passcode attempts.

Remote wipe: iDevice supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device.


File System Encryption: since the iPhone 3GS, Apple offers hardware-based 256-bit AES encryption to protect all data on the device. Disk encryption was designed to accomplish one important thing: instantaneous remote wipe. Disk wiping works by simply erasing the 256-bit AES key used to encrypt the data.

Data Protection: Apple developed a new encryption scheme whose primary advantage is that it uses the user's passcode to create a key that encrypts data on the device. When the phone is locked or turned off, that key is immediately erased, keeping the data on the device secure.


IPHONE/IPAD – FILE SYSTEM ENCRYPTION.

File System encryption protects the raw File System. If you were to remove and dump the contents of the NAND chip inside an iOS device, you'd find that the entire File System is encrypted using a single key, with the exception of the actual files on the File System, which are encrypted with other keys. The key used to encrypt the File System is named “EMF!” and is stored in “BLOCK 1” of the NAND.

Whenever a device is wiped or restored, this key is dropped (along with others) and a new key is created. Without the original “EMF!” key the structure of the File System cannot be recovered.

Copying the live File System from a process running on the device makes the File System's base encryption entirely transparent, but files encrypted by “Data Protection” still remain encrypted.


IPHONE/IPAD – DATA PROTECTION.

“This provides an additional layer of protection for your email messages and attachments. Third- party applications can use the data protection APIs in iOS 4 and later to further protect application data”. http://support.apple.com/kb/HT4175

Data Protection enables an encryption mechanism called “Protection Classes”. They are used to enforce the access policies of files and/or credentials. For example, some files/credentials are so important that the operating system should be able to decrypt them only when the device's user interface is unlocked.


http://dsd.gov.au/publications/iOS5_Hardening_Guide.pdf

When a Protection Class is used, each individual file is encrypted with a unique key. When any file on the File System is deleted, the unique key for that file is discarded, which makes the file unrecoverable.


IPHONE/IPAD – Data Protection & File System Encryption.

http://dsd.gov.au/publications/iOS5_Hardening_Guide.pdf

The File System Key (EMF!) is used to encrypt all data within the device.

The File Key is stored within the file’s metadata, which is itself encrypted by the file’s corresponding Class Key. Every file has a unique file key.

The Device Key (Dkey) is stored within, and never divulged from, the Hardware Security Module (HSM), which encrypts and decrypts files at will using the Device Key.

Dkey and EMF! are written in block 1 of the NAND, called PLOG.
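An added illustration of the key hierarchy on these slides (EMF! and Dkey in PLOG, a Protection Class key, a unique key per file stored wrapped in the file’s metadata), not code from the presentation or from Apple: the AES key wrapping of real devices is replaced by a hashlib-based toy cipher so the model runs on the standard library, and it assumes the class key is wrapped under a key derived from the passcode and Dkey.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. A stand-in for the AES used on
    real devices, chosen only so that the model runs without extra libraries."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag lets decrypt() notice a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


Blob = Tuple[bytes, bytes]  # (encrypted metadata, encrypted content) of one file


class Device:
    """Model of one iDevice. Dkey and EMF! live in PLOG (NAND block 1); every
    file has its own key, wrapped by the class key inside the file's metadata;
    the whole file system is additionally encrypted under EMF!."""

    def __init__(self, passcode: str) -> None:
        self.plog = {"Dkey": os.urandom(32), "EMF!": os.urandom(32)}
        self.class_key = os.urandom(32)
        # Model assumption: the class key is wrapped with a key derived from the
        # passcode and Dkey, so it is usable only after a successful unlock.
        self.wrapped_class_key = encrypt(self._passcode_key(passcode), self.class_key)
        self.files: Dict[str, Blob] = {}
        self.unallocated: list = []  # content of deleted files, their key gone
        self.unlocked_class_key: Optional[bytes] = None

    def _passcode_key(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.plog["Dkey"], 1000)

    def unlock(self, passcode: str) -> bool:
        self.unlocked_class_key = decrypt(self._passcode_key(passcode), self.wrapped_class_key)
        return self.unlocked_class_key is not None

    def write_file(self, name: str, content: bytes) -> None:
        file_key = os.urandom(32)  # unique per file
        metadata = encrypt(self.plog["EMF!"], encrypt(self.class_key, file_key))
        data = encrypt(self.plog["EMF!"], encrypt(file_key, content))
        self.files[name] = (metadata, data)

    def read_file(self, name: str) -> Optional[bytes]:
        """A Data Protection file needs the class key, i.e. an unlocked device."""
        if self.unlocked_class_key is None:
            return None
        metadata, data = self.files[name]
        file_key = decrypt(self.unlocked_class_key, decrypt(self.plog["EMF!"], metadata))
        return decrypt(file_key, decrypt(self.plog["EMF!"], data))

    def delete_file(self, name: str) -> None:
        """Deleting discards the metadata, and with it the only copy of the file
        key; the content bytes may linger in unallocated NAND but are useless."""
        _metadata, data = self.files.pop(name)
        self.unallocated.append(data)

    def wipe(self) -> None:
        """Wipe/restore: the PLOG keys are dropped and regenerated."""
        self.plog = {"Dkey": os.urandom(32), "EMF!": os.urandom(32)}
        self.files.clear()
        self.unallocated.clear()
        self.unlocked_class_key = None


def decrypt_filesystem(dump: Dict[str, Blob], emf_key: bytes) -> Optional[Dict[str, Blob]]:
    """Strip the EMF! layer from a raw NAND dump. With the right key the file
    system structure appears but contents stay under Data Protection; with a
    wrong key (for example after a wipe) nothing is recoverable."""
    result: Dict[str, Blob] = {}
    for name, (metadata, data) in dump.items():
        meta_plain, data_plain = decrypt(emf_key, metadata), decrypt(emf_key, data)
        if meta_plain is None or data_plain is None:
            return None
        result[name] = (meta_plain, data_plain)
    return result
```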


IPHONE/IPAD – RAMDISK.

A RAM disk is a File System that resides in memory and is not physically written to disk. iPhone and iPad support this.

The technique used by iDevice forensic software gains access to the operating system by booting an unsigned RAM disk from the iDevice’s memory, using a BootRom exploit. This RAM disk is copied into memory and booted by setting the appropriate kernel flags using Apple’s Mobile Device framework.

Once booted with a custom RAM disk, networking capabilities (like Wi-Fi) are not enabled by default. USBMUX is the protocol used by iTunes to talk to the booted iDevice and coordinate access to its services by other applications. USB multiplexing provides TCP connectivity over a USB port using SSL. Over this channel iTunes uses the AFC service to transfer files; here the same channel is used to establish an SSH connection and get a shell on the device.


IPHONE/IPAD – KEYCHAIN.

A keychain is an encrypted container that holds passwords for multiple applications and secure services. Keychains are secure storage containers, which means that when the keychain is locked, no one can access its protected contents. In Mac OS X, users can unlock a keychain (thus providing trusted applications access to the contents) by entering a single master password. In iOS, each application always has access to its own keychain items; the user is never asked to unlock the keychain. Whereas in Mac OS X any application can access any keychain item provided the user gives permission, in iOS an application can access only its own keychain items.

http://developer.apple.com/library/mac/#documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-TP9

The keychain uses a SQLite database encrypted with the passcode.


IPHONE/IPAD – KEYCHAIN.

In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup.

https://developer.apple.com/library/mac/#documentation/security/conceptual/keychainServConcepts/


IPHONE/IPAD – DATA ACQUISITION.

Logical Acquisition

• ITUNES BACKUP.
• FORENSICS SOFTWARE (no passcode).

Physical Acquisition

• JailBreaking.
• FORENSICS SOFTWARE (DFU mode + Ramdisk).


IPHONE/IPAD – LOGICAL ACQUISITION.

The logical acquisition approach is based on acquiring a copy of the directories and the various types of files found within the iDevice file system.

Logical backups are considered a rich source of data files that can help build evidence. They can also provide proof of the pairing relationship with a computer that was previously synced with the iDevice, if that computer was seized as part of the investigation.


IPHONE/IPAD – LOGICAL ACQUISITION - ITUNES BACKUP.

The iTunes backup feature uses Apple’s synchronization protocol to copy the iDevice’s live data to a forensic workstation. iTunes is the software application used by Apple to synchronize the content of an iDevice with a computer. When the iDevice is synced with the computer, the device’s configuration, address book, calendar, images, SMS database, email accounts, web history, and other sorts of personal data are saved on the computer as backup files in a single directory.

By default, the iTunes application creates a backup of the iDevice data during the sync process. It is important to invoke the backup independently, without initiating a synchronization with the forensic workstation.


IPHONE/IPAD – LOGICAL ACQUISITION - ITUNES BACKUP.

OS – Backup Folder

Windows XP: C:\Documents and Settings\[username]\Application Data\Apple Computer\MobileSync\Backup
Windows 7\Vista: C:\Users\[username]\AppData\Roaming\Apple Computer\MobileSync\Backup
Mac OS X: /Users/[username]/Library/Application Support/MobileSync/Backup

UDID (Unique Device Identifier)


IPHONE/IPAD – LOGICAL ACQUISITION - ITUNES BACKUP.

This is what iTunes backs up from the iDevice:

Library_AddressBook_AddressBook.sqlitedb
Library_Preferences_com.apple.calculator.plist
Library_AddressBook_AddressBookImages.sqlitedb
Library_Preferences_com.apple.celestial.plist
Library_Calendar_Calendar.sqlitedb
Library_Preferences_com.apple.commcenter.plist
Library_CallHistory_call_history.db
Library_Preferences_com.apple.mobilecal.alarmengine.plist
Library_Cookies_Cookies.plist
Library_Preferences_com.apple.mobilecal.plist
Library_Keyboard_dynamic-text.dat
Library_Preferences_com.apple.mobileipod.plist
Library_LockBackground.jpg
Library_Preferences_com.apple.mobilemail.plist
Library_Mail_Accounts.plist
Library_Preferences_com.apple.mobilenotes.plist
Library_Mail_AutoFetchEnabled
Library_Preferences_com.apple.mobilephone.plist
Library_Maps_Bookmarks.plist
Library_Preferences_com.apple.mobilephone.speeddial.plist
Library_Maps_History.plist
Library_Preferences_com.apple.mobilesafari.plist
Library_Notes_notes.db
Library_Preferences_com.apple.mobileslideshow.plist
Library_Preferences_.GlobalPreferences.plist
Library_Preferences_com.apple.mobiletimer.plist
Library_Preferences_SBShutdownCookie
Library_Preferences_com.apple.mobilevpn.plist
Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
Library_Preferences_com.apple.preferences.network.plist
Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
Library_Preferences_com.apple.preferences.sounds.plist
Library_Preferences_SystemConfiguration_com.apple.wifi.plist
Library_Preferences_com.apple.springboard.plist
Library_Preferences_SystemConfiguration_preferences.plist
Library_Preferences_com.apple.stocks.plist
Library_Preferences_com.apple.AppSupport.plist
Library_Preferences_com.apple.weather.plist
Library_Preferences_com.apple.BTServer.plist
Library_Preferences_com.apple.youtube.plist
Library_Preferences_com.apple.Maps.plist
Library_Preferences_csidata
Library_Preferences_com.apple.MobileSMS.plist
Library_SMS_sms.db
Library_Preferences_com.apple.PeoplePicker.plist
Library_Safari_Bookmarks.plist
Library_Preferences_com.apple.Preferences.plist
Library_Safari_History.plist
Library_Preferences_com.apple.WebFoundation.plist
Library_Voicemail_.token


IPHONE/IPAD – LOGICAL ACQUISITION - ITUNES BACKUP.

You do not always need to force a backup of an iDevice: a recent existing backup may be enough. If the backup is encrypted, you should use a brute force or dictionary attack against its password. If the iDevice is protected by a passcode, you can bypass it using the “Lockdown Certificate”.

/private/var/root/Library/Lockdown/pair_records/

This directory contains property lists with the private keys used for pairing the device to a desktop machine. These records can be used to determine which desktop machines were paired and synced with the device. The certificates in these files will match certificates located on the desktop.


IPHONE/IPAD – LOGICAL ACQUISITION - ITUNES BACKUP.

OS – PATH

Windows 7: C:\ProgramData\Apple\Lockdown
Windows Vista: C:\Users\[username]\AppData\roaming\Apple Computer\Lockdown
Windows XP: C:\Documents and Settings\[username]\Application Data\Apple Computer\Lockdown
Mac OS X: /Users/[username]/Library/lockdown
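An added example (not part of the presentation) of the pair-record matching described on the two slides above: it reads pair records from the device’s pair_records directory and from the desktop Lockdown folder with plistlib and reports which desktop was paired with the device by comparing HostCertificate fingerprints. The record keys (HostID, SystemBUID, HostCertificate, DeviceCertificate, RootCertificate) follow the layout of real records; the file names and certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib
from typing import Dict, List, Tuple


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 over the certificate bytes exactly as stored in the plist."""
    return hashlib.sha256(cert).hexdigest()


def load_pair_record(plist_bytes: bytes) -> dict:
    """Pair records are plists (XML or binary); plistlib reads both."""
    return plistlib.loads(plist_bytes)


def match_pair_records(device_records: Dict[str, bytes],
                       desktop_records: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (device file, desktop file, HostID) for each record found on the
    device whose HostCertificate also appears in a record from the desktop's
    Lockdown folder: the pairing evidence the slide refers to."""
    desktop_by_fp: Dict[str, Tuple[str, str]] = {}
    for fname, raw in desktop_records.items():
        rec = load_pair_record(raw)
        if isinstance(rec.get("HostCertificate"), bytes):
            fp = cert_fingerprint(rec["HostCertificate"])
            desktop_by_fp[fp] = (fname, str(rec.get("HostID", "")))
    matches: List[Tuple[str, str, str]] = []
    for fname, raw in device_records.items():
        rec = load_pair_record(raw)
        cert = rec.get("HostCertificate")
        if isinstance(cert, bytes) and cert_fingerprint(cert) in desktop_by_fp:
            desk_fname, host_id = desktop_by_fp[cert_fingerprint(cert)]
            matches.append((fname, desk_fname, host_id))
    return matches


def _record(host_id: str, host_cert: bytes) -> bytes:
    """Build a constructed pair record; real ones also carry private keys."""
    return plistlib.dumps({
        "HostID": host_id,
        "SystemBUID": "CONSTRUCTED-SYSTEM-BUID",
        "HostCertificate": host_cert,
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nDEVICE-PLACEHOLDER\n-----END CERTIFICATE-----\n",
        "RootCertificate": b"-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    })


HOST_CERT_A = b"-----BEGIN CERTIFICATE-----\nHOST-A-PLACEHOLDER\n-----END CERTIFICATE-----\n"
HOST_CERT_B = b"-----BEGIN CERTIFICATE-----\nHOST-B-PLACEHOLDER\n-----END CERTIFICATE-----\n"

# Constructed content of the device's pair_records directory (file named by HostID, an assumption).
DEVICE_RECORDS = {"HOST-A-UUID.plist": _record("HOST-A-UUID", HOST_CERT_A)}
# Constructed content of a seized desktop's Lockdown folder: one record per paired device.
DESKTOP_RECORDS = {
    "DEVICE-UDID-1.plist": _record("HOST-A-UUID", HOST_CERT_A),
    "DEVICE-UDID-2.plist": _record("HOST-A-UUID", HOST_CERT_B),
}

if __name__ == "__main__":
    for dev_file, desk_file, host_id in match_pair_records(DEVICE_RECORDS, DESKTOP_RECORDS):
        print(f"{dev_file} on the device matches {desk_file} on desktop {host_id}")
```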


IPHONE/IPAD – LOGICAL ACQUISITION – FORENSICS SOFTWARE.


IPHONE/IPAD – PHYSICAL EXTRACTION.

Physical acquisition of an iDevice in a forensically sound way presents a challenge for forensic examiners due to the embedded nature of the physical components inside the device. The device uses solid-state flash memory (NAND) for persistent data storage and does not accommodate external memory cards.

Fortunately, some software applications provide physical memory dump capabilities. A special physical acquisition technique was introduced to allow forensic examiners to obtain a raw disk copy of the flash memory using the DFU boot mode. In this way you can retrieve the “EMF!” and “Dkey” keys and try a brute force attack against the four-digit device PIN (or a simple passcode).


IPHONE/IPAD – PHYSICAL EXTRACTION - DFU.

DFU (Device Firmware Upgrade) mode allows all devices to be restored from any state.

Entering DFU Mode:

1. Plug your device into your computer.
2. Turn off the device.
3. Hold the Power button for 3 seconds.
4. Hold the Home button, without releasing the Power button, for 10 seconds.
5. Release the Power button but keep holding the Home button.
6. Keep holding the Home button until iTunes alerts you that it has detected a device in Recovery Mode.
7. Make sure the device screen is blank and no logos are present.

Exiting DFU Mode: hold the Home and Power buttons until the Apple logo appears.

http://theiphonewiki.com/wiki/index.php?title=DFU_Mode


IPHONE/IPAD – PHYSICAL EXTRACTION – FORENSICS SOFTWARE.

• Zdziarski Method and Tools, only for Law Enforcement (http://www.iosresearch.org)
• Lantern Lite: freeware for Mac.
• Elcomsoft iOS Acquisition Toolkit: commercial for Windows and Mac.
• AccessData Mobile Phone Examiner Plus: commercial for Windows.
• Cellebrite UFED: commercial for Windows.
• iXAM: commercial for Windows.


IPHONE/IPAD – PHYSICAL EXTRACTION – FORENSICS SOFTWARE.

For these devices, at the moment the only way to perform a physical acquisition is a Jailbreak:

• iPhone 4S
• iPad 2
• iPad 3


IPHONE/IPAD – PHYSICAL EXTRACTION - JAILBREAKING.

This process allows the examiner to access and modify the system partition to install the forensic toolkit that is used to image and validate the integrity of the user partition during the device acquisition.

Once installed, the examiner gains direct shell access to the file system and can perform the traditional acquisition functions, starting by calculating the hash value of the entire media partition before transmitting the data, to verify that the partition data hasn’t been altered while in transit. The raw disk image is then acquired and transmitted over a preconfigured wireless connection between the iDevice and the forensic workstation.


INTRODUCTION.

Android is an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance.

First Model Release: October 2008

http://en.wikipedia.org/wiki/Open_Handset_Alliance


HISTORY.

On November 5, 2007, Andy Rubin announced a more ambitious plan on the official Google blog:

Android is the first truly open and comprehensive platform for mobile devices. It includes an operating system, user-interface and applications, all of the software to run a mobile phone, but without the proprietary obstacles that have hindered mobile innovation. We have developed Android in cooperation with the Open Handset Alliance, which consists of more than 30 technology and mobile leaders including Motorola, Qualcomm, HTC and T-Mobile. Through deep partnerships with carriers, device manufacturers, developers, and others, we hope to enable an open ecosystem for the mobile world by creating a standard, open mobile software platform. We think the result will ultimately be a better and faster pace for innovation that will give mobile customers unforeseen applications and capabilities.

http://googleblog.blogspot.it/2007/11/wheres-my-gphone.html


HISTORY.

On November 12, 2007, Google released an early look at the Android software development kit (SDK) to developers.

In August 2008, Google announced the availability of the Android Market, where developers could upload their apps for mobile device owners to browse and install. The initial release did not support paid apps; that feature was added in early 2009. Finally, October 2008 marked both the official release of the Android Open Source Project (AOSP) and the first publicly available Android smartphone, the T-Mobile G1.


VERSION.

• April 15, 2009: ver. 1.5 (Cupcake).
• September 16, 2009: ver. 1.6 (Donut).
• October 5, 2009: ver. 2.0/2.1 (Éclair).
• May 20, 2010: ver. 2.2 (Froyo).
• December 6, 2010: ver. 2.3 (Gingerbread).
• February 2011: ver. 3.0 (Honeycomb).
• 19 October 2011: ver. 4.0 (Ice Cream Sandwich).


FEATURES.

Android was designed from the beginning to be online, using cellular networks or wireless networks (Wi-Fi).

• It has the ability to download and install applications from the “Android Market” (now called “Play Store”). This allows the functionality of the device to be extended.

• It has the ability for users to store their data on the device. Most Android devices come with on-device storage using flash (NAND) memory as well as an external SD card that is portable and intended to store larger amounts of data.


COMPONENTS.

Central Processing Unit (ARM).

Baseband Modem/Radio: The baseband modem and radio are hardware and software systems that provide Android devices a connection to the cellular network instead of occupying the main CPU with these activities.

Memory (Random-Access Memory and NAND Flash): The RAM is used by the system to load and execute the OS, applications and data. RAM is volatile. NAND flash memory is non-volatile, and thus, the data are preserved after the device has been powered off. The NAND flash is used to store the boot loader, OS, and user data.


COMPONENTS.

Global Positioning System: this functionality not only identifies the location of the device using the GPS satellite network but also opens many more interesting uses for applications in the future.

Wireless (Wi-Fi and Bluetooth).

Secure Digital Card: like the on-device NAND flash, SD cards are non-volatile and use flash technology. The SD card is one obvious design difference between most Android devices and the popular Apple iPhone. The iPhone is designed with 4GB to 64GB of NAND flash on-board and does not provide for SD cards.


COMPONENTS.

Screen: It is the primary interface for user interaction, not only through the visual display but also by responding to the user’s touch. Early iterations included a liquid crystal display and a second layer that detects user input on the screen.

Camera: one interesting development is the use of cameras to read bar codes. Specialized applications leverage the camera to take a picture of a bar code and then analyze the data; they might look up product reviews or determine the best price.

Accelerometer/Gyroscope: Typically, this is used to change the display between landscape and portrait.


COMPONENTS.

Universal Serial Bus: Android devices support several Universal Serial Bus (USB) interfaces that can be accessed from computers. The cables may vary between devices, but in general, the USB interface allows most modern OSs connectivity to the device.

Charge only: the device can be recharged over the USB cable.

Disk interface: portions of the device, including the SD card and other disk interfaces, are presented and accessible as a Mass Storage Device.

Vendor-specific interfaces: these include custom synchronization protocols, emulated CD-read-only memory (ROM) drives for software installs, and specialized connections for sharing the phone’s Internet connection.

Android Debug Bridge (ADB): an interface that provides the user access to a shell prompt on the device.


BOOT PROCESS.

1. Power on: the boot ROM code (specific to the CPU) executes. It scans until it finds the boot media, then copies the boot loader into RAM.

2. The boot loader: the IPL (Initial Program Loader) is executed in RAM and prepares the RAM for the SPL. The SPL (Second Program Loader) initializes the hardware components, locates the Linux kernel and copies it into RAM. The SPL supports different boot modes.

3. The Linux kernel: reads the root file system from the NAND.

4. The init process: as in Linux, the init script starts system and user processes.

5. Zygote and Dalvik: each user application runs in a “sandbox”. Zygote initializes the environment. Dalvik is the virtual machine where the app lives (the sandbox).

6. The system server: runs core features like telephony or network.

7. Boot complete: “ACTION_BOOT_COMPLETED” is broadcast to all applications.


Android OS Architecture.

Android is based on the Linux 2.6 kernel that provides the fundamental software needed to boot and manage both the hardware and Android applications.

Above the kernel, a set of libraries is available, which provides core functionality needed by developers and device owners alike. The SQLite library provides one method for structured data storage on Android.

The core libraries are then bundled with a custom Java virtual machine (VM) to provide the Android runtime environment, which is where applications run.

The framework is the primary layer that third-party developers interact with and it provides them abstract access to key resources needed for their application.


Android OS Architecture.

http://en.wikipedia.org/wiki/Android_(operating_system)


Android OS Architecture.

The Dalvik Virtual Machine (sandbox) was developed to create an efficient and secure mobile application environment. To achieve the desired security, each application runs in its own Dalvik VM. As such, the Dalvik VM was written so that many VMs could run at once on an Android device. The Dalvik VM provides low-level functions such as access to core libraries and hardware, thread and security management, memory management, and more.

The Dalvik VM uses a special executable format called a Dalvik Executable (.dex) file.

In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization. http://en.wikipedia.org/wiki/Sandbox_(computer_security)


Android OS Security.

When an application is first installed, Android checks the .apk file to ensure it has a valid digital signature that identifies the developer. However, the certificate does not need to be signed by a trusted Certification Authority. After the .apk file is validated, Android checks the file created by the developer that specifies what access the application needs to the system. Once the application has been verified and the user has granted the requested permissions, the application can be installed on the system. Each application is assigned a unique Linux user and group ID and runs in its own process and Dalvik VM (the SANDBOX). The system creates a specific directory (/data or /data/data) on the device to store the application’s data and only allows that application to access it. In addition, the application’s Dalvik VM runs in its own process as the specific user ID. An application can only access the memory and data within its own Dalvik VM.

Android users have the option to allow apps to be installed from non-Market locations and to skip the digital signature check.


Android OS Rooting.

Rooting is a process allowing users of mobile phones, tablet PCs, and other devices running the Android operating system to obtain privileged control (known as "root access") within Android's subsystem. Rooting is often performed with the goal of overcoming limitations that carriers and hardware manufacturers put on some devices, resulting in the ability to alter or replace system applications and settings, run specialized apps that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user. Rooting is analogous to jailbreaking devices running the Apple iOS operating system or the Sony PlayStation 3.

http://en.wikipedia.org/wiki/Rooting_(Android_OS)


Android OS Rooting: example of BUG.

http://vulnfactory.org/blog/2011/08/25/rooting-the-droid-3/


Android OS Debug Bridge.

When you connect the Android device over USB, you are presented with a menu of four options:

1. Charge phone over USB.
2. Sync data.
3. Mount the device as a disk drive.
4. Mobile Broadband.

The default selection is “Charge phone”.


Android OS Debug Bridge.

The USB interface exposes the Android Debug Bridge (ADB), which allows you to communicate with and control an Android device over USB. Once enabled, the device runs the adb daemon (adbd) in the background and waits for a USB connection. The daemon runs under the non-privileged shell user account to limit the access it has to data.

Android devices that have root access enabled and run ADB as root give complete access to the system.


Android OS Debug Bridge.

The functionality of ADB includes:

1. Running shell commands on the device.
2. Installing applications from the command line.
3. Forwarding ports between the computer and the device.
4. Copying files and folders to and from the device (no root privilege).
5. Viewing device log files.


Android OS Debug Bridge.

4. Copying files and folders to and from the device (no root privilege).

If ADB doesn’t run as root, you can’t use these commands:

• C:\adb push: copy a file/folder to the device.
• C:\adb pull: copy a file/folder from the device.
• C:\adb remount: remount the “/system” partition on the device read-write.

Note: root access and adb running as root are different things. The boot image needs to be modified to run adb as root. Anyway, there is a workaround to import/export data if the device is “rooted”.


Android OS Debug Bridge: workaround.

4. Copying files and folders to and from the device (no root privilege).

To export data into a NEW sdcard follow these steps (rooted device):

C:\adb shell
$ su
# cp FileX /sdcard/FileY


Android OS Debug Bridge as root.

To run ADB as root, you must flash the NAND with a custom boot image.

In your custom boot image, follow these steps:

1. Find the default.prop plaintext file.
2. Find the line that contains the value ro.secure.
3. Change it to ro.secure=0 (default value: ro.secure=1).

“How to modify a Boot Image?”

http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images


Android OS Recovery Mode.

Recovery mode is a startup mode for Android that was designed to apply updates, format the device, and perform maintenance on the device. The recovery mode on most devices is very basic and only provides a limited number of functions.

Custom images enable custom recovery partitions that always allow root privileges through the shell. These recovery partitions are typically installed by the user when the device is rooted and provide various functions.


Android OS File System.

There are several file systems in use on Android, many of which are used to boot and run the system: EXT, FAT32 (vFAT) and YAFFS2.

• EXT (1992), with three additional releases: EXT2, EXT3 and EXT4 (/system, /data, /cache).
• FAT32 (vFAT): usually used for the SD card (/mnt/sdcard, /mnt/secure/asec, /mnt/emmc).
• YAFFS2 (Yet Another Flash File System): fast open-source log-structured file system with error correction.

• tmpfs: file system located in the temporary RAM disk.
• rootfs: where the kernel mounts the root file system at startup.
• devpts: file system used to provide simulated terminal sessions.
• sysfs: file system that contains configuration and control files for the device.


Android OS File System.

Mount Point


Android OS File System.

Common Mount Point

Mount Point – File System – Note

/ – rootfs – Read-only.
/proc – proc – System state and statistics.
/system – YAFFS2 – System image (read-only).
/data or /data/data – YAFFS2/EXT3/EXT4 – Apps data storage directory. Setuid not allowed for security reasons.
/app-cache – tmpfs – Temporary cache used by Apps.
/cache – YAFFS2/EXT3/EXT4 – Persistent directory used by Apps and System.
/mnt/sdcard, /mnt/secure/asec, /mnt/emmc – vfat – sdcard and emmc can be shared by USB MASS STORAGE (UMS). Only root can mount asec.


Android OS File System.

/system


Android OS File System.

/data


Android OS File System.

/cache


Android OS File System.

Carving of “/cache”

File carving is a process in which specified file types are searched for and extracted across binary data. This technique requires the data to be sequential in the image, so it cannot produce the full file if the file is fragmented.

The “/cache” partition contains different types of files, including Gmail attachment previews, browser artifacts and some downloads from Google Play.
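An added example (not the presentation’s code) of the signature-based carving described above: a small carver for JPEG and PNG files, run over a constructed image that stands in for a /cache dump and includes a truncated JPEG that cannot be carved.

```python
from typing import List, NamedTuple, Optional, Tuple


class Carved(NamedTuple):
    offset: int
    kind: str
    data: bytes


# (kind, header, footer): the carver looks for a header and then for the first
# footer that follows it. Signature table constructed for this example.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Carved]:
    """Carve contiguous files out of a raw partition image by signature.
    A header with no footer within max_size (truncated or fragmented file) is
    skipped. A fragmented file whose footer does appear later would be carved
    with foreign bytes in the middle: the limitation the slide mentions."""
    results: List[Carved] = []
    pos = 0
    while pos < len(image):
        # earliest header of any known type at or after pos
        best: Optional[Tuple[int, str, bytes, bytes]] = None
        for kind, header, footer in SIGNATURES:
            idx = image.find(header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, kind, header, footer)
        if best is None:
            break
        start, kind, header, footer = best
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1  # no footer: no complete file to carve here
            continue
        end += len(footer)
        results.append(Carved(start, kind, image[start:end]))
        pos = end
    return results


def build_sample_image() -> bytes:
    """Constructed /cache-like image: a complete JPEG, a complete PNG and a
    truncated JPEG, separated by zeroed (unallocated) space."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-SAMPLE" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-SAMPLE" + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"NO-FOOTER"
    return (b"\x00" * 64 + jpeg + b"\x00" * 32 + png
            + b"\x00" * 16 + truncated + b"\x00" * 16)


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        print(f"offset {item.offset}: {item.kind}, {len(item.data)} bytes")
```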


Android OS File System.

INTERESTING FILE/FOLDER

PATH – CONTENT

/data/data/com.*.email/databases/ – Email DB.
/data/data/com.google.android.gm/databases/ – Gmail DB.
/data/data/com.android.providers.calendar/databases/calendar.db – Calendar DB.
/data/data/com.android.providers.telephony/databases/mmssms.db – MMS and SMS DB.
/data/data/com.android.providers.telephony/databases/telephony.db – Call Log DB.
/data/data/com.android.providers.settings/databases/settings.db – General Settings.
/data/data/com.google.android.apps/databases/da_destination_history – Path History DB.
/data/data/com.google.android.apps/files/ – Google Maps activity.
/system/etc/backup_target_cvs – Backup preferences.
/data/data/com.google.android.location/files/ – LOCATION SERVICE (if enabled).


Android OS Data Structures.

The Android team provides five methods for storing data on a device. Persistent data are stored either on the NAND flash, on the SD card, or on the network.

The five methods are:

1. Shared preferences: XML format.
2. Internal storage: data saved in a “/data” subdirectory.
3. External storage: data saved on the SD card.
4. SQLite: a single cross-platform file.
5. Network: data saved on the web.

http://developer.android.com/guide/topics/data/data-storage.html


Handling the Device.

If you decide to examine the device while it is running, every interaction changes the device. However, if the device is powered off and you do not have the encryption keys (encrypted NAND), you may permanently lose the ability to recover that data. So, follow these steps:

1. Disable screen locking or pattern locking.
2. Enable “airplane” mode.
3. Enable USB debugging (ADB).
4. Enable “stay awake” mode.


Handling the Device.

Custom images usually enable custom recovery partitions that always allow root privileges through the shell. If a device is already powered off, the best option is to boot it into recovery mode to test for USB debugging and root access. If you are lucky, you can gain access to the data without booting into normal operational mode.


Handling the Device: bypass Screen Lock.

You can bypass the pass code if you know the Gmail user name and password registered with the device. After a number of failed attempts, you will be presented with a screen that asks if you forgot your pass code. From there, you can enter the Gmail user name and password and you will then be prompted to reset the pass code. This technique requires the device to be online.


Handling the Device: prepare the Forensics Workstation.

The first thing you should try, if the phone is still powered on, is to connect with the Android Debug Bridge (ADB) over USB. If enabled, it provides sufficient access for data extraction. For this reason you should install the Android Software Development Kit on the Forensic Workstation.

http://developer.android.com/sdk/index.html


Handling the Device: test if ADB is running.

With the phone running in normal mode, plug it into the Forensic Workstation and, from the command prompt, type “adb devices”.

If USB debugging is enabled, the ADB daemon will return the device serial number.


Handling the Device: test if ADB is running as root.

If ADB is running as root you have access to all mounted partitions. To test it, from the command prompt type: adb shell "ps | grep adbd"

If the ADB daemon runs as root, the output shows the “root” user. In the case shown here, it runs with “shell” privileges.
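The checks on these slides (device visible to adb, adbd user, what can be pulled), scripted as an added example; this is not code from the deck or from the Android SDK. It assumes the SDK's adb binary is reachable as ADB_BIN, that the handset's ps lists the owning user in the first column and the executable path in the last one, and it reuses the database paths from the path table earlier in the deck.

```shell
#!/bin/sh
# Added example (not from the CLUSIT deck): the ADB checks from the slides
# wrapped in functions. ADB_BIN is the adb binary from the Android SDK
# (assumption: on PATH, or set ADB_BIN to its full path).
ADB_BIN="${ADB_BIN:-adb}"

# "adb devices" prints a header line, then one "<serial><TAB><state>" line
# per device. Only state "device" is usable; "unauthorized" or "offline"
# means USB debugging was not (yet) accepted on the handset.
connected_serials() {
    "$ADB_BIN" devices | awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Column 1 of the Android ps listing is the owning user. The last field is
# the executable path, so matching "/adbd" at the end skips the grep itself.
adbd_user() {
    "$ADB_BIN" shell "ps | grep adbd" | awk '$NF ~ "/adbd$" { print $1; exit }'
}

# Returns 0 when adbd runs as root (every mounted partition readable).
adbd_is_root() {
    [ "$(adbd_user)" = "root" ]
}

# Application databases taken from the path table earlier in the deck.
KNOWN_DBS="/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.android.providers.telephony/databases/telephony.db
/data/data/com.android.providers.calendar/databases/calendar.db
/data/data/com.android.providers.settings/databases/settings.db"

# Pull each known database into directory $1 and print how many arrived.
# Without root these live under /data and nothing comes back ("0 files
# pulled" in the slides' wording), so the count shows the privilege level
# you really have before you rely on the extraction.
pull_known_dbs() {
    pulled=0
    for p in $KNOWN_DBS; do
        dest="$1/$(basename "$p")"
        if "$ADB_BIN" pull "$p" "$dest" >/dev/null 2>&1 && [ -s "$dest" ]; then
            pulled=$((pulled + 1))
        fi
    done
    echo "$pulled"
}

# Orchestrate: stop when no device is in "device" state, then report scope.
run_checks() {
    serial=$(connected_serials | head -n 1)
    [ -n "$serial" ] || { echo "no device in 'device' state" >&2; return 1; }
    echo "device: $serial"
    echo "adbd user: $(adbd_user)"
    if adbd_is_root; then
        echo "scope: all mounted partitions"
    else
        echo "scope: /sdcard and parts of /system only"
    fi
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh adbcheck.sh --run` with the handset attached; the functions can also be sourced individually from a larger acquisition script.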


Handling the Device: export data through ADB.

You can export all mounted partitions if ADB is running as root. If not, you get “0 files pulled”.

Anyway, without root access, you can still export “/sdcard” and some directories from “/system”:


Handling the Device: export data by commercial software.

Many of the commercial mobile forensic software vendors now support Android (with ADB enabled).

• Oxygen Forensics.
• Cellebrite UFED.
• Compelson MOBILedit!.
• EnCase Neutrino.
• Micro Systemation XRY.
• Paraben Device Seizure.

At the moment all vendors support logical acquisition (by querying Content Providers) and, for some models, physical acquisition. Anyway, the only way to do a physical acquisition is to have “root access” to the device.


Content Providers.

Content providers manage access to a structured set of data. They encapsulate the data, and provide mechanisms for defining data security. Content providers are the standard interface that connects data in one process with code running in another process. http://developer.android.com/guide/topics/providers/content-providers.html

The Android framework provides a way for apps to share data (Content Providers). A developer can include support for Content Providers within their application, which allows them to share data with other apps. The developer controls what data is exposed to other apps.


Content Providers.

Some examples of Content Providers are:

• SMS/MMS
• Contacts
• Calendar
• Facebook
• Gmail

There are more than 40 Content Providers.


How to gain root access: “Recovery Mode”.

Often users install a custom ROM, which usually enables root access to the device through a modified recovery mode; this simplifies the process used to install the custom ROM. When the phone is booted in recovery mode, the pass code is circumvented and the user data partitions can be mounted read-only, thus preventing changes to that area.


How to gain root access: “Recovery Mode”.

Follow the steps in this sequence:

1. Connect the phone to the Forensic Workstation.
2. Switch on the phone in “Recovery Mode”.
3. Select “[ADB Daemon] Start”.
4. Wait 30 sec before typing “adb devices”.
5. Type “adb shell”.


Physical extraction in “Recovery Mode”.

To extract data from an Android device in a forensically sound way, you should boot it in “recovery mode” and gain root access. Check whether the sdcard is mounted (don’t forget to put a new sdcard in the phone). If no sdcard is mounted, mount it with:

# mount -t vfat /dev/block/mmcblk0p1 /mnt/sdcard2

Then acquire the partitions in the forensic way:

# dd if=/dev/block/userdata of=/mnt/sdcard2/data.dd
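The acquisition step above, as an added example that is not part of the deck: a dd image of the partition followed by hash verification once the image is back on the workstation. The device paths /dev/block/userdata and /mnt/sdcard2 are the ones from the slide; the demo function replaces them with a constructed temporary file so the script can be exercised without a handset, and sha256sum is assumed to be available on the workstation.

```shell
#!/bin/sh
# Added example (not from the CLUSIT deck): image a partition with dd and
# prove the copy by comparing hashes. On a real acquisition the source is
# /dev/block/userdata and the image lands on the sdcard (/mnt/sdcard2),
# as on the slide; the hash check runs after the image is pulled to the
# workstation.

# $1 = source block device, $2 = destination image path.
# conv=noerror,sync keeps reading past a bad block and pads it, so offsets
# in the image still match the source; bs=4096 matches the flash page size.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file, hex digest only.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when source and image hash identically, 1 otherwise.
# Record both digests in the acquisition notes; they are what makes the
# image defensible later.
verify_image() {
    src=$(hash_of "$1")
    img=$(hash_of "$2")
    echo "source: $src"
    echo "image:  $img"
    [ "$src" = "$img" ]
}

# Demo on a constructed 16 KiB "partition" instead of a real block device.
demo_acquire() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/userdata" bs=4096 count=4 2>/dev/null
    acquire_image "$tmp/userdata" "$tmp/data.dd"
    if verify_image "$tmp/userdata" "$tmp/data.dd"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    demo_acquire && echo "image verified"
fi
```

On the device itself the same two commands are typed in the recovery shell; the verification function is meant for the workstation side, after `adb pull` of the image.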


http://twitter.com/lpcforensic http://www.studiopiccin.it [email protected]

Tanzania 2008 (Ismani - Iringa)
