Pining for Data

Pining for data: Acquiring and Analysing a PinePhone (Manjaro)
Kathryn Hedley, @4enzikat0r

Why am I here?
• To learn about PinePhones
• How to acquire data from a device
• What data is stored on a PinePhone
• Where some data of interest is stored

Wait, what's a PinePhone? PinePhone 101
• Open source smartphone
• Intended to deliver a functional Linux phone to users and create a market for Linux-based smartphones
• Supports existing Linux phone projects (https://wiki.pine64.org/wiki/PinePhone_Software_Releases):
  • Ubuntu Touch
  • Manjaro
  • Mobian
  • Fedora
  • Many more!
• https://www.pine64.org/pinephone/

Meet my PinePhone – Piney McPinephone
• Purchased directly from https://pine64.com/

Cracking passwords for fun
• root user password: root
• manjaro user password: 123456
• (both users have admin rights and can sudo)
• …or just Google it! https://wiki.pine64.org/wiki/PinePhone

What happens when you connect the device via USB?

Hard route – UART: flick a switch and buy a cable
• Default state: (image)
• UART enabled: (image)
• UART cable: https://pine64.com/product/pinebook-pinephone-pinetab-serial-console

Easy route – Terminal, dd and SD card
• Open Terminal
  • Default pin code: 123456
  • Can't change it in Settings (can change it in Terminal with passwd)
• Mount SD card
  • sudo mkdir /mnt/sdcard
  • sudo mount /dev/mmcblk0p1 /mnt/sdcard
• Image device
  • sudo dd if=/dev/mmcblk2 of=/mnt/sdcard/mmcblk2.dd
• Unmount SD card
  • sudo umount /mnt/sdcard

Data commonly found on Linux systems
• Operating system information
• Device identifiers
• Device suspend and reboot events
• USB cable connection events (not found)
• Bash history
• Recent activity
• Network connections

OS version information
• /etc/lsb-release

Device ID
• /etc/machine-id

Device suspend events
• /var/log/pp-suspend.log
• NOT updated during testing

Device boot, reboot, login events
• /var/log/wtmp (btmp and lastlog are empty)
• Timestamps are empty and not properly parsed by the last command

Bash history
• /home/manjaro/.bash_history
• NOTE: only updated on device shutdown/reboot

Recent activity
• /home/manjaro/.local/share/recently-used.xbel
• SOME recent events:
  • Image file viewed: IMG20210405202000.jpg (double click) – 5 April 2021 19:22 UTC+2
  • Photo added to contact – 5 April 2021 21:00 UTC+1
  • Text file created using gedit application – 5 April 2021 22:22 UTC+1
• Timestamps appear to be in device local time (very few examples to base this on!)
• Not consistently updated

WiFi connections
• /etc/NetworkManager/system-connections/
• One file per remembered SSID: <SSID>.nmconnection
• Contains: SSID, UUID, security info, password
• 'Forgotten' network nmconnection files are deleted (can be carved using the '[connection]' header)

Phone-specific data
• Software – Installed applications
• Calls – Call logs
• Chatty – SMS messages (MMS not possible on my PinePhone)
• Telegram Messenger
• Contacts
• Megapixels – Photographs taken with the camera
• Calendar entries
• To Do – Task lists
• Text Editor – Documents
• Firefox – Browser history
• Map data

Installed applications (Software)
• /var/log/pacman.log
• Includes prerequisites, so quite noisy!

Call Log (Calls)
• /home/manjaro/.local/share/calls/records.db
• Inbound field: 0 = outgoing call, 1 = incoming call

SMS Messages (Chatty) – SQLite database
• /home/manjaro/.purple/chatty/db/chatty-history.db
• Timestamps are Unix numeric values
• Direction: -1 = outgoing (sent), 1 = incoming (received)

SMS Messages (Chatty) – HTML files
• /home/manjaro/.purple/logs/mm-sms/sms
• One subfolder per sender/recipient phone number, one HTML file per date
• Includes sent or received SMS messages

SMS Messages (Chatty) – XML list of SMS contacts
• /home/manjaro/.purple/blist.xml
• Lists all senders/recipients with which you have communicated via SMS
• 'name' matches that shown to the user, i.e. phone number or organization name
• 'alias' only present for device contacts
• 'chatty-unknown-contact' only present for contacts not in device contacts

Telegram
• /home/manjaro/.local/share/TelegramDesktop

Contacts
• /home/manjaro/.local/share/evolution/addressbook/system/contacts.db
• folder_id table
  • uid = unique ID – links to the folder_id_phone_list table (phone number) and folder_id_email_list (email address)
  • Rev = last modified date

Contact photos
• /home/manjaro/.local/share/evolution/addressbook/system/photos/
• PNG files named for the contact's UID: <UID>_photo-file0.image%2Fpng

Photographs taken with the camera (Megapixels)
• /home/manjaro/Pictures/

Photograph thumbnails… maybe!
• /home/manjaro/.cache/thumbnails/
• Only one thumbnail created here during testing

Calendar entries
• /home/manjaro/.local/share/evolution/calendar/system/calendar.ics
• vCalendar file, starts 'BEGIN:VCALENDAR'
• Each event starts BEGIN:VEVENT
• Each event ends END:VEVENT
• UID = unique event ID
• DTSTAMP = CREATED = event creation date/time (so far!)
• DTSTART = event start
• DTEND = event end
• SUMMARY = event name
• LAST-MODIFIED = event last modified date/time

Tasklists (To Do)
• /home/manjaro/.config/evolution/sources/<40-char hex string>.source
• One per 'List', includes the list name (DisplayName) but not individual tasks

Tasklist tasks (To Do)
• /home/manjaro/.local/share/evolution/tasks/<same 40-char hex string>/tasks.ics
• vCalendar file, starts 'BEGIN:VCALENDAR'
• Each individual task in this file has the structure:

    BEGIN:VTODO
    UID:618e6a9d87ba9708889751c729490e705f440d6c
    DTSTAMP:20210405T191820Z
    SUMMARY:tasky mctaskface 1
    CREATED:20210405T191821Z
    LAST-MODIFIED:20210405T191821Z
    END:VTODO

• Date/time values appear to be in local time to the device (UTC+2 in this case)
• (again, only a small amount of testing done so far)
• Summary is the task name within the tasklist

Documents created using Text Editor
• /home/manjaro/Documents/

Firefox (desktop version) history
• /home/manjaro/.mozilla/firefox/firefox.default/places.sqlite
• /home/manjaro/.mozilla/firefox/tk0topo4.default-release/places.sqlite

Firefox cookies
• /home/manjaro/.mozilla/firefox/firefox.default/cookies.sqlite
• /home/manjaro/.mozilla/firefox/tk0topo4.default-release/cookies.sqlite

Firefox cache
• /home/manjaro/.mozilla/firefox/firefox.default/cache2/
• No cache2 folder in /home/manjaro/.mozilla/firefox/tk0topo4.default-release/

Firefox search history
• /home/manjaro/.mozilla/firefox/firefox.default/formhistory.sqlite
• /home/manjaro/.mozilla/firefox/tk0topo4.default-release/formhistory.sqlite

Map searches
• /home/manjaro/.local/share/maps-places.json
• "name" – search term
• GPS co-ordinates, altitude, date/time the search was conducted (Unix numeric)

Map tiles
• /home/manjaro/.cache/champlain/mapbox.streets-v11/

Future stuff to think about
• Geary (email app) wouldn't open during testing
  • Suspect data would be stored in /home/manjaro/.local/share/evolution/mail
  • Unconfirmed
• Other Linux variants – look at re-flashing the device and doing the same evaluation process

Cheatsheet
• https://www.khyrenz.com/blog/pinephone-forensics/
• …so you don't actually need to remember anything I just said!
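The calendar.ics and tasks.ics layout described in the Calendar entries and Tasklist tasks slides (VEVENT and VTODO components carrying UID, DTSTAMP, CREATED, LAST-MODIFIED, DTSTART, DTEND and SUMMARY) can be pulled apart with a small parser. This is an added example, not code from the deck or from Evolution: its sample input embeds the VTODO shown on the slide plus a constructed VEVENT, it unfolds RFC 5545 continuation lines, and it reads a trailing 'Z' as UTC while keeping any TZID parameter beside a local-time value.

```python
from datetime import datetime, timezone

# Constructed sample: the VTODO from the slide plus a made-up VEVENT with a
# TZID parameter and an RFC 5545 folded (continued) SUMMARY line.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VTODO", "UID:618e6a9d87ba9708889751c729490e705f440d6c",
    "DTSTAMP:20210405T191820Z", "SUMMARY:tasky mctaskface 1",
    "CREATED:20210405T191821Z", "LAST-MODIFIED:20210405T191821Z", "END:VTODO",
    "BEGIN:VEVENT", "UID:constructed-event-1",
    "DTSTART;TZID=Europe/London:20210407T090000",
    "SUMMARY:Meeting about the", "  PinePhone", "END:VEVENT",
])
DATE_PROPS = {"DTSTAMP", "CREATED", "LAST-MODIFIED", "DTSTART", "DTEND", "DUE"}

def unfold(text):
    """Undo RFC 5545 folding: a line break plus one space/tab continues the line."""
    out = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_datetime(value):
    """A trailing 'Z' means UTC; without it the value is local/floating time."""
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y%m%dT%H%M%S")

def parse_components(text, kinds=("VEVENT", "VTODO")):
    """One dict per VEVENT/VTODO; parameters such as TZID go under NAME_PARAMS."""
    items, cur = [], None
    for line in unfold(text):
        head, sep, value = line.partition(":")
        name, _, params = head.partition(";")
        if not sep:
            continue
        if name == "BEGIN" and value in kinds:
            cur = {"TYPE": value}
        elif name == "END" and cur and value == cur["TYPE"]:
            items.append(cur)
            cur = None
        elif cur is not None:
            cur[name] = parse_datetime(value) if name in DATE_PROPS else value
            if params:
                cur[name + "_PARAMS"] = params
    return items
```

Run it over the real files with `parse_components(open(path).read())`; a DTSTART that carries a TZID parameter and no 'Z' is the case where the slide's local-time observation applies.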
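For the deleted-profile case on the WiFi connections slide, this added example (not from the deck or from NetworkManager) carves keyfile blocks out of a raw image by their '[connection]' header and parses them; the image bytes, ids, UUIDs and SSIDs are constructed, and the summary deliberately omits the psk.

```python
# Constructed "image": two nmconnection keyfiles, one intact and one with no
# remaining directory entry, surrounded by unrelated bytes. Values are made up.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"[connection]\nid=HomeWiFi\nuuid=constructed-uuid-1\ntype=wifi\n\n"
    b"[wifi]\nmode=infrastructure\nssid=HomeWiFi\n\n"
    b"[wifi-security]\nkey-mgmt=wpa-psk\npsk=REDACTED\n"
    + b"\xff" * 32
    + b"[connection]\nid=CoffeeShop\nuuid=constructed-uuid-2\ntype=wifi\n\n"
    b"[wifi]\nssid=CoffeeShop\n"
    + b"\x00" * 16
)

def carve_keyfiles(image):
    """Return (offset, text) per '[connection]' block; a block ends at the next
    header or at the first byte that is not printable ASCII / tab / newline."""
    found, start = [], image.find(b"[connection]")
    while start != -1:
        nxt = image.find(b"[connection]", start + 1)
        end, limit = start, (nxt if nxt != -1 else len(image))
        while end < limit and (image[end] in (9, 10, 13) or 32 <= image[end] < 127):
            end += 1
        found.append((start, image[start:end].decode("ascii")))
        start = nxt
    return found

def parse_keyfile(text):
    """Minimal INI parser: {section: {key: value}}; tolerates a truncated block."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return sections

def recovered_networks(image):
    """Summarise carved profiles as (offset, id, uuid, ssid, key-mgmt)."""
    rows = []
    for offset, text in carve_keyfiles(image):
        kf = parse_keyfile(text)
        conn, wifi = kf.get("connection", {}), kf.get("wifi", {})
        sec = kf.get("wifi-security", {})
        rows.append((offset, conn.get("id"), conn.get("uuid"),
                     wifi.get("ssid"), sec.get("key-mgmt")))
    return rows
```

A carved block can run past the end of the original file into unrelated printable bytes, so treat sections after the last expected one with suspicion and check the offset against the filesystem's unallocated space.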
