Open-Source Mobile Forensics

Open Source Mobile Device Forensics
Heather Mahalik
© 2014, Basis Technology

Device Acquisition

iOS Devices
• Zdziarski Methods
  – Boot Rom Vulnerability Exploits
  – Custom Ramdisk via SSH
  – The iPhone Data Protection Tools
  – Not supported for all devices
• iTunes

Android Devices
• viaLogical
• ADB Backup
• OSAF Toolkit
• Santoku
• DD
• JTAG/Chip-off

Considerations
• How old is the device?
• Is the device locked?
• Is the device damaged?
• Are you Law Enforcement?

Android Memory Capture
• LiME (Linux Memory Extractor)
  – First tool to support full memory captures of Android smartphones!
  – TCP dump or saved to SD card
  – Uses ADB

Analytical Tools…to Name a Few

iOS Devices
• iPhone Backup Analyzer
• iExplorer
• iBackupBot
• Scalpel
• SQLite Browser
• Plist Editor
• WhatsApp Extract
  – Contacts.sqlite and ChatStorage.sqlite
• Manual examination
• Customized scripts

Android Devices
• Autopsy
  – Android Module
• WhatsApp Extract
  – wa.db and msgstore.db
• Scalpel
• SQLite Browser
• Hex Editor
• Anything capable of mounting EXT
• FTK Imager
• Customized scripts
• Manual examination

Reality Check!
• Commercial tools are expensive
  – They still miss data
  – They don't parse third party applications completely
  – They omit relevant databases when extracting data
  – They don't support all devices
• Open Source tools
  – See above!

Example – iOS Examination
/private/var/mobile/library/Spotlight/com.apple.mobilesms/
  – smssearchindex.sqlite
• Provides SMS message data
  – Active and deleted messages
  – Should be compared to sms.db
  – May show traces of attachments (metadata)
*Not commonly parsed by any tool!

Autopsy
• GUI built on The Sleuth Kit
• Next version (v3.1.1) will include Android module
• Customizable
• Complete analytical platform
• Android dumps can be loaded as normal disk images or file folders

Android Examination
[screenshot]

Examining Contacts
• Parsed from Contacts2.db file
  – Raw_contacts and ABPerson

Examining the Raw Contacts (1)
[screenshot]

Examining the Raw Contacts (2)
[screenshot]

Parsing Messages and Chats
• Parses messages and chats from SMS, MMS and some third party applications

Encoding Built into Autopsy
• Encryption vs. Encoding
• Base64 decoder built into Autopsy Android module

Geolocation Support
• Google Maps, Browser, Cache and EXIF location parsing

Geolocation Reporting
[screenshot]

Examining Multimedia Files
• EXIF Parser
• Graphics and Videos

Recovering Deleted SQLite Data
• Active files shown in viewer
• Deleted must be examined/recovered in Hex

Custom Scripts
• Mari DeGrazia's SQLite Parser

References, Sources and Suggested Reading
• http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
• www.az4n6.blogspot.com
• https://viaforensics.com/blog/
• http://www.sleuthkit.org/
• Practical Mobile Forensics – Bommisetty, Mahalik, Tamma
• www.smarterforensics.com
• https://code.google.com/p/lime-forensics/

Questions
Heather Mahalik
Basis Technology
www.basistech.com
[email protected]
Twitter: @heathermahalik
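The "Recovering Deleted SQLite Data" slide says deleted rows must be recovered from the hex, and the iOS slide notes that smssearchindex.sqlite can hold messages that sms.db no longer shows. The script below is an added illustration, not part of the deck or of Autopsy or any tool it names: it walks the SQLite file format (freelist pages, the gap between the cell-pointer array and cell content, and freeblocks left by deleted cells) and carves printable strings from only those regions. The table name, column names and message texts are constructed sample data, and it assumes the database was written without secure_delete, which is the case the slide describes.

```python
import os, re, sqlite3, struct, tempfile

B_TREE_HDR = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # page-type flag -> b-tree header length

def unallocated_regions(db):
    """Yield (page_no, kind, bytes) for freelist pages, cell-area gaps and freeblocks."""
    page_size = 65536 if db[16:18] == b"\x00\x01" else struct.unpack(">H", db[16:18])[0]
    trunk, free = struct.unpack(">I", db[32:36])[0], set()
    while trunk and trunk not in free:  # freelist trunk chain (cycle-guarded)
        off = (trunk - 1) * page_size
        free.add(trunk)
        nxt, count = struct.unpack(">II", db[off:off + 8])
        free.update(struct.unpack(">%dI" % count, db[off + 8:off + 8 + 4 * count]))
        trunk = nxt
    for pno in range(1, len(db) // page_size + 1):
        page = db[(pno - 1) * page_size:pno * page_size]
        h = 100 if pno == 1 else 0  # page 1 carries the 100-byte file header
        if pno in free:
            yield pno, "freelist", page  # whole page unused; may still hold dropped records
        elif page[h] in B_TREE_HDR:  # overflow, pointer-map and lock-byte pages are skipped
            first_fb, n_cells, content = struct.unpack(">HHH", page[h + 1:h + 7])
            ptr_end, content = h + B_TREE_HDR[page[h]] + 2 * n_cells, content or 65536
            if ptr_end < content <= page_size:
                yield pno, "gap", page[ptr_end:content]  # between pointer array and cells
            fb, seen = first_fb, set()
            while fb and fb not in seen and fb + 4 <= page_size:  # freeblock chain
                seen.add(fb)
                nxt, size = struct.unpack(">HH", page[fb:fb + 4])
                yield pno, "freeblock", page[fb:fb + size]  # first 4 bytes now hold next/size
                fb = nxt

def carve_strings(db, min_len=8):
    """Printable runs from unallocated space only: candidates for deleted records."""
    return [(p, k, m.decode("ascii")) for p, k, blob in unallocated_regions(db)
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def demo(texts=("meet at noon", "delete this thread", "see you there")):
    """Constructed sample, not real evidence: insert rows, delete the middle one, carve."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        con = sqlite3.connect(path)
        con.execute("PRAGMA secure_delete=OFF")  # some distro builds default it ON
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, text TEXT)")
        con.executemany("INSERT INTO message(text) VALUES (?)", [(t,) for t in texts])
        con.execute("DELETE FROM message WHERE id = 2")
        con.commit()
        live = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
        con.close()
        with open(path, "rb") as f:
            return live, carve_strings(f.read())
```

The SQL query returns only the two surviving rows, while the carved list contains the deleted text (prefixed by its surviving record-header byte), which is exactly the gap the slide describes between viewer output and a hex examination.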
