Informatica forense. Mobile Forensics - Approfondimenti tecnici e particolarità degli smartphone

Transcription

1 Informatica forense Mobile Forensics - Approfondimenti tecnici e particolarità degli smartphone A cura di Matteo Brunati Udine, 11 maggio 2015

2 Me, Myself & I IT Security consultant Design & development of IT Security solutions IT Security consultancy: EH, Computer Forensics, Crypto Currencies, etc. Business Innovation R&D Seminars, courses Certifications: ISACA CISA (almost...) Pubblications: lcfe ( ), OISSG ISSAF (<2006), Bachelor Thesis (ICME'10) Scout and Judo, from time to time... ;) 2

3 Digital Evidence: Examples s Documents Documents meta-data: EXIF, documents author/date/..., PDFs informations,... Internet browser history SIM card Memory: RAM, HDD, SSD,... GPS tracks Media files (video, audio, images) Aircrafts Black Box... 6

4 Forensics Acquisition Identify the device to acquire: photos, hardware infos (IMEI, brand, serial #, etc.) Try to leave the device in the power state it's found If turned off: 1) Remove battery 2) Remove SIM card 3) Remove SD Card If turned on: Isolate it Phone isolation: airplane mode (modify phone state), faraday cage, tinfoil, jammer Use Write Blocker whenever possible: 1) Hardware 2) Software Acquire device date and time 10

5 Hardware Tools: Faraday Bag/Box 11

6 Hardware Tools: Write Blocker 12

7 Hardware Tools: Jammer 13

8 Mobile Device Components Device informations: Hardware SIM card: SIM cloning, SIM Acquisition Flash card: custom hardware/software Logic File system Physical Mass storage: usual DF techniques Cloud: depends... 14

9 Software Tools: Proprietary Cellbrite UFED Micro Systemation XRY Oxygen Forensics MOBILEdit ViaForensics: Android, soon ios Katana Forensics Lantern: ios 15

10 Software Tools: Open Source Logical acquisition (your Linux machine, Santoku) ios: libidevicebackup (for enc. bkps ElcomSoft Password Recovery Bundle) Android: adb, AFLogical OSE External mass storage: dd, dcfldd, Guymager Physical acquisition: Android Forensics, Physical Techniques RIP 16

11 Software Tools: Open Source (cont'd) There is no does everything tool Image analysis: ios: libidevicebackup, ipba2 Extrenal mass storage: Autopsy Carving: foremost, scalpel, ks, Photorec, Bulk Extractor, etc. Apps: skype, whatsapp (WhatsappXstract, Backup Text for Whats), viber ( Backup Text for Viber), AFLogical OSE 17

12 Carving Recovering data from disk the raw way ;) Doesn't care about partition types Doesn't care about deleted/existing files We just need that the file has been saved at least once on the file system Search for the file magic number [1], [2] Recover as much as possible of the file remainings 18

13 SSD nightmare The SSD physical and controller chips properties makes very hard and sometimes unpredictable to retrieve deleted data. Wear levelling TRIM But it is not always the case, it depends on :) Operating System type and version SSD drive File system type... 19

14 Android examples: broken screen How to access and Android devices with a broken screen? Emulating user inputs :) $ adb shell input keyevent 26 # power $ adb shell input text <PIN> && adb shell input keyevent 66 # input PIN and hit enter $ $ $ $ $ adb adb adb adb adb shell shell shell shell shell input input input input input keyevent keyevent keyevent keyevent keyevent # # # # # back settings down down enter ADB Shell Input Events, KeyEvent 20

15 Android examples: unlock device Android <= Original work: kosborn/p2p-adb GUI: x942/p2pgui raider-android-backup-tool by c0rnholio 21

16 Android examples: AFLogical OSE??? TextSecure ;) 22

17 Android examples: Whatsapp 23

18 Android/iOS example: Telegram (1/2) Photos shot from secure chat Android: saved system photo gallery Recovered with carving All chat messages Stored in clear text on the SQLite DB Retrievable from memory dump Deleted messages: Android: only from RAM dump ios: still in SQLite DB ios: Telegram Investigation Android: Telegram App Store Secret-Chat Messages in Plain-Text Database 24

19 Android/iOS example: Telegram (2/2) 25

20 Anti-forensics: Android Network traffic: Orbot + Orweb/Firefox Add-on, VPN SMS/Messages: TextSecure, ChatSecure, Telegram(*) Phone calls: RedPhone, Ostel Steganography: Pixelknot Cleaning: CCleaner... (*) Only the network traffic is cyphered 26

21 27

22 We are hiring 28