Uncovering the Covered Tracks: Finding What's Left Behind
Jad Saliba, Founder & CTO
Background
- Teenage geek
- IT/Software industry
- Police officer for 7 years
- Worked in Tech Crime Unit
- Started JADsoftware (now Magnet Forensics) as a part-time side project; now a team of developers
Overview
- Recovering artifacts from multiple devices:
  - PCs: Skype, Facebook, Google Maps
  - Mobile: Kik Messenger, Facebook, Snapchat
  - Chromebooks: getting to unencrypted data
- Using timelines to find out what happened
- Tools that can help
PC Artifacts
Skype
- Voice over IP service (with video and text chat options)
- Started in 2003
- Over 633 million registered users
- 65 million people sign in to Skype every day
- 700 million minutes spent in Skype-to-Skype calls every day
- Microsoft has retired Windows Live Messenger in favor of its Skype service, although Messenger will continue in mainland China. Microsoft began the transition for all users on April 8, 2013.
Skype
Skype
Skype chatsync
IP Addresses
Skype main.db file
- SQLite database
- Contains the majority of interesting data
- Account info, Calls, Contacts, Messages, SMS messages, Video session info, Voicemail info
Skype
Skype (POSTED_TEXT)
Skype (Sent)
Skype Sender username / display name
Skype Date/time (Unix time, in UTC)
Skype Voicemails
- Require a premium account
- Only get saved to this folder after being played
- Filename can be found in the Voicemails table in the main.db file; the filename contains the date/time
- Audio is in a proprietary Skype format, BUT there is a way!
Facebook
- Leading social networking site
- Started in 2004
- Over 950 million Facebook users worldwide (Source: Facebook)
- 500 million people log onto Facebook daily (Source: The Social Skinny 2012)
- There are 83 million fake profiles (Source: CNN)
- Photo uploads total 300 million per day (Source: Gizmodo)
Facebook Chat
- Not like the good ol' days
- Still left behind, but mainly in live RAM, pagefile, hibernation file
- Multiple formats
- Live chat and messages essentially the same
Facebook Chat
{\"msg\":{\"text\":\"lol i love facebook, it's so awesome. chatting is fun!!\"},\"from\":1000000555,\"to\":1100000066,\"time\":1257370809956,\"type\":\"msg\"}
More chat:
{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/messages\/read\/?tid=mid.1368112514305\u00253ad61a480cfa3a140d91","author_fbid":100004396603890,"author_name":"Wendy Manford","thread_name":"Bourne","snippet":"Hey have you seen the new...","message":"hey have you seen the new Bourne movie?","time":"just now","image":{"html":"\u003cimg src=\"https:\/\/fbcdn-profilea.akamaihd.net\/hprofile-akash1\/t5\/s43x43\/211578_100004396603890_405447609_q.jpg\" alt=\"Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/>
Wall post:
fbid":"646173788763494","legacyid":"646173788763494","body":{"text":"can see y dem would a call afta u...","ranges":[],"aggregatedranges":[],"hastranslatablecontent":true},"author":"100001790397816","ftentidentifier":"646151518765721","likecount":0,"hasviewerliked":false,"canremove":false,"canreport":true,"canedit":false,"source":1,"istranslatable":false,"timestamp":{"time":1396761880,"text":"april 6 at 2:24am"
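Because these chat records survive as loose text in RAM, pagefile.sys or hiberfil.sys rather than in a database, they have to be carved. The following is an added example, not code from the talk or from Magnet Forensics: a regex keyed on the {"msg":...,"type":"msg"} layout shown above scans a byte buffer, undoes the backslash-escaping seen in the first capture (the record was stored inside a JavaScript string), parses each hit as JSON and renders the millisecond "time" value as UTC. The buffer and every value in it are constructed here to stand in for a dump.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample buffer standing in for a few bytes of pagefile.sys or a RAM
# capture: binary noise around two chat records in the layout shown on the slide.
# The first is stored with backslash-escaped quotes (as when the JSON sits inside
# a JavaScript string), the second as plain JSON. All values are made up.
SAMPLE_BUFFER = (
    b"\x00\x00\x10\x7fMZ\x90\x00noise\x01\x02"
    b'{\\"msg\\":{\\"text\\":\\"lol i love facebook, it\'s so awesome. chatting is fun!!\\"},'
    b'\\"from\\":1000000555,\\"to\\":1100000066,\\"time\\":1257370809956,\\"type\\":\\"msg\\"}'
    b"\xff\xfe\x00\x00more noise"
    b'{"msg":{"text":"see you at 9"},"from":1100000066,"to":1000000555,'
    b'"time":1257370899000,"type":"msg"}'
    b"\x00\x00trailing bytes"
)

# A quote may appear bare or escaped, so match either form wherever the record
# layout has one. DOTALL lets the lazy ".*?" cross any byte between the anchors.
_Q = rb'\\?"'
CHAT_RECORD = re.compile(
    rb"\{" + _Q + rb"msg" + _Q + rb":\{.*?" + _Q + rb"type" + _Q + rb":" + _Q + rb"msg" + _Q + rb"\}",
    re.DOTALL,
)


def fb_time(ms):
    """Facebook chat 'time' values are Unix milliseconds; render them as UTC."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def carve_fb_chat(buf):
    """Return every chat record found in buf as a dict, in file-offset order."""
    found = []
    for m in CHAT_RECORD.finditer(buf):
        raw = m.group(0).decode("latin-1")  # byte-preserving; the JSON here is ASCII
        if raw.startswith('{\\"'):
            raw = raw.replace('\\"', '"')  # undo JavaScript string escaping
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # partially overwritten record: skip rather than guess
        found.append({
            "offset": m.start(),
            "from": rec.get("from"),
            "to": rec.get("to"),
            "time_utc": fb_time(rec["time"]) if isinstance(rec.get("time"), int) else None,
            "text": rec.get("msg", {}).get("text"),
        })
    return found


if __name__ == "__main__":
    for r in carve_fb_chat(SAMPLE_BUFFER):
        print(f"@{r['offset']:#06x} {r['time_utc']} {r['from']} -> {r['to']}: {r['text']}")
```

The offset is kept with each hit so a record can be tied back to the position in the dump (and to whatever process memory sat around it); records that fail to parse are dropped rather than repaired, since a half-overwritten message should not be presented as a complete one.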
Facebook: Decoding photo URLs
Recovered photo view URL:
https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater
- Facebook Photo ID is "201526933901245715" (the fbid parameter)
- Facebook Album ID is "10150672801465915" (first field of the set parameter after "at.")
- Photo belongs to user ID "1221785571" (last field of the set parameter)
- Now what? We can use the Facebook Graph API to learn more about this user.
- We'll take the user ID above and put it into the below URL (no need to log in to Facebook): http://graph.facebook.com/1221785571
Facebook Decoding photo URLs
Another photo URL (the profile picture embedded in the chat record above):
{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/messages\/read\/?tid=mid.1368112514305\u00253ad61a480cfa3a140d91","author_fbid":100004396603890,"author_name":"Wendy Manford","thread_name":"Bourne","snippet":"Hey have you seen the new...","message":"hey have you seen the new Bourne movie?","time":"just now","image":{"html":"\u003cimg src=\"https:\/\/fbcdn-profilea.akamaihd.net\/hprofile-akash1\/t5\/s43x43\/211578_100004396603890_405447609_q.jpg\" alt=\"Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/>
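The decoding walked through on the previous slides, as an added example (not code from the talk): the photo view URL is split into photo, album and owner IDs exactly as described, the Graph API lookup URL is built from the owner ID, and a second helper pulls the user ID out of a CDN profile-picture filename. That second step rests on an observation from the chat record above, where the middle field of 211578_100004396603890_405447609_q.jpg equals the record's author_fbid; it is an assumption, not a documented Facebook format. Both sample URLs are the slide's own; the escaped slashes in the carved one are removed before parsing.

```python
import re
from urllib.parse import parse_qs, urlparse

# The photo view URL from the slides.
PHOTO_URL = ("https://www.facebook.com/photo.php?fbid=201526933901245715"
             "&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater")

# The profile-picture URL embedded in the chat record on the slides, still carrying
# the JSON-style escaped slashes it was carved with.
PROFILE_PIC_URL = ("https:\\/\\/fbcdn-profilea.akamaihd.net\\/hprofile-akash1\\/t5\\/s43x43\\/"
                   "211578_100004396603890_405447609_q.jpg")

GRAPH_BASE = "http://graph.facebook.com/"  # lookup URL in the form given on the slide


def unescape_json_url(url):
    """Carved URLs often keep JSON's escaped slashes ("https:\\/\\/"); drop them."""
    return url.replace("\\/", "/")


def decode_photo_url(url):
    """Split a photo.php URL into photo, album and owner IDs as the slides do.

    The 'set' parameter has the form at.<album id>.<...>.<owner id>: the album ID
    is its first dotted field after 'at' and the owner's user ID is the last.
    """
    q = parse_qs(urlparse(unescape_json_url(url)).query)
    photo_id = q.get("fbid", [None])[0]
    album_id = owner_id = None
    set_param = q.get("set", [None])[0]
    if set_param and set_param.startswith("at."):
        fields = set_param.split(".")
        if len(fields) >= 3 and all(f.isdigit() for f in fields[1:]):
            album_id, owner_id = fields[1], fields[-1]
    return {
        "photo_id": photo_id,
        "album_id": album_id,
        "owner_id": owner_id,
        "graph_url": GRAPH_BASE + owner_id if owner_id else None,
    }


def profile_pic_owner(url):
    """Return the user ID carried in a CDN profile-picture filename.

    Assumption taken from the slide's record: in 211578_100004396603890_405447609_q.jpg
    the middle field equals author_fbid. Returns None if the name does not fit.
    """
    m = re.search(r"/(\d+)_(\d+)_(\d+)_[a-z]\.jpg$", unescape_json_url(url))
    return m.group(2) if m else None


if __name__ == "__main__":
    for k, v in decode_photo_url(PHOTO_URL).items():
        print(f"{k:10} {v}")
    print("profile owner", profile_pic_owner(PROFILE_PIC_URL))
```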
Quick Facebook URL Demo
Google Maps
- Started in 2004
- Over 1,162,460 sites use Google Maps
- Overtook MapQuest in terms of traffic in 2009
- Google Maps Navigation, included on Android handsets, has guided users 12 billion miles a year
- 200 million users on Google Maps for Mobile
- Cases involving runaway youths, kidnapping, luring, homicide
- Jo Yates homicide: Avon and Somerset Constabulary, Scott Eggins
Google Maps: where the artifacts are found
- Temporary Internet Files
- RAM captures
- pagefile.sys / hiberfil.sys
Google Maps
- Uses a tile system to display maps
- Each tile is 256x256 pixels
- Filename in Temporary Internet Files contains x, y, and z coordinates
- Coordinates are based on a world map; x, y require the z value (zoom)
- Examples:
    lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=galileo[1].png
    &x=9054&y=11982&z=15.png
Google Maps
Google Maps Tiles can be downloaded: http://mt.google.com/vt/&x=xxx&y=xxx&z=xxx
Google Maps
Tile coordinates can be converted to longitude, latitude:

    function tile2long(x, z) {
      return (x / Math.pow(2, z) * 360 - 180);
    }

    function tile2lat(y, z) {
      var n = Math.PI - 2 * Math.PI * y / Math.pow(2, z);
      return (180 / Math.PI * Math.atan(0.5 * (Math.exp(n) - Math.exp(-n))));
    }
Google Maps http://www.darrinward.com/lat-long/
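The same conversion carried through on the slide's two tile filenames, as an added example that is not code from the talk: x, y and z are pulled out of the Temporary Internet Files name, then the tile's north-west corner, centre and south-east corner are computed with the slide's tile2long/tile2lat formulas (sinh stands in for the explicit exp terms), and any pixel inside the 256x256 tile can be placed as well. The second filename resolves to roughly 43.5 N, 80.5 W, southwestern Ontario, the same area the later Google Maps slides use.

```python
import math
import re

TILE_SIZE = 256  # pixels per tile side, as stated on the slide

# Tile filenames from the slide's Temporary Internet Files examples.
SAMPLE_TILES = [
    "lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=galileo[1].png",
    "&x=9054&y=11982&z=15.png",
]


def parse_tile_filename(name):
    """Pull x, y and z out of an old-style Google Maps tile filename, or None."""
    coords = {}
    for key in ("x", "y", "z"):
        # Anchor on a separator so "lyrs=" or "src=" cannot be mistaken for x/y/z.
        m = re.search(rf"(?:^|[&?]){key}=(\d+)", name)
        if not m:
            return None
        coords[key] = int(m.group(1))
    return coords


def tile2lon(x, z):
    """Longitude of a tile column edge; x may be fractional for a point inside the tile."""
    return x / 2 ** z * 360.0 - 180.0


def tile2lat(y, z):
    """Latitude of a tile row edge (inverse Web Mercator), the slide's tile2lat."""
    n = math.pi - 2.0 * math.pi * y / 2 ** z
    return math.degrees(math.atan(math.sinh(n)))


def tile_bounds(coords):
    """Return the tile's corners and centre as (lat, lon), plus its download URL."""
    x, y, z = coords["x"], coords["y"], coords["z"]
    return {
        "zoom": z,
        "north_west": (tile2lat(y, z), tile2lon(x, z)),
        "centre": (tile2lat(y + 0.5, z), tile2lon(x + 0.5, z)),
        "south_east": (tile2lat(y + 1, z), tile2lon(x + 1, z)),
        # Download URL in the form given on the slide.
        "url": f"http://mt.google.com/vt/&x={x}&y={y}&z={z}",
    }


def pixel_to_latlon(coords, px, py):
    """Geographic position of pixel (px, py) inside the tile, each in 0..TILE_SIZE-1."""
    z = coords["z"]
    return (tile2lat(coords["y"] + py / TILE_SIZE, z), tile2lon(coords["x"] + px / TILE_SIZE, z))


def describe_tiles(names):
    """Bounds for every parseable filename in names; unparseable ones are skipped."""
    return [tile_bounds(c) for c in map(parse_tile_filename, names) if c]


if __name__ == "__main__":
    for name, b in zip(SAMPLE_TILES, describe_tiles(SAMPLE_TILES)):
        print(name)
        print(f"  z={b['zoom']} NW={b['north_west']} centre={b['centre']} SE={b['south_east']}")
```

A tile only bounds an area: the higher the zoom, the smaller that area, so a z=15 tile pins the view to a few city blocks while a z=4 tile says little more than which continent was on screen.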
New Google Maps
- Newer version of Google Maps launched in March 2014
- Tile filenames and URLs are different now (thanks Google!)
- It's not pretty:
    pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
New Google Maps
The new URLs:
    https://www.google.com/maps/@43.7242262,-79.4051719,12z
    https://www.google.com/maps/place/cambridge,+on/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
    https://www.google.com/maps/dir/ayr,+on,+canada/123+gunn+ave,+cambridge,+on+n3c+2z6,+canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036
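The new URLs carry the coordinates in the clear. A parser for the three forms on this slide, as an added example that is not part of the talk: the @lat,lon,Nz path segment is read as the viewport (latitude, longitude, zoom), the path segments before it as the searched place or the route endpoints, and each !1d...!2d... pair inside data= as a longitude/latitude waypoint. Those readings are assumptions inferred from the slide's own samples (the route's second pair decodes to Cambridge, Ontario, matching the address in the path); the URL strings are the slide's, rejoined onto one line each.

```python
import re
from urllib.parse import unquote_plus, urlparse

# The three URLs from the slide, each rejoined onto one line.
URL_VIEW = "https://www.google.com/maps/@43.7242262,-79.4051719,12z"
URL_PLACE = ("https://www.google.com/maps/place/cambridge,+on/@43.4022995,-80.332588,12z/"
             "data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70")
URL_DIR = ("https://www.google.com/maps/dir/ayr,+on,+canada/123+gunn+ave,+cambridge,+on+n3c+2z6,+canada/"
           "@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:"
           "0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:"
           "0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036")

# Viewport segment: @<lat>,<lon>,<zoom>z (assumed from the slide's samples).
VIEWPORT = re.compile(r"@(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?),(\d+(?:\.\d+)?)z")
# Inside data=, a !1d<value>!2d<value> pair is longitude then latitude (assumed:
# the route's destination pair decodes to Cambridge, Ontario, as the path says).
WAYPOINT = re.compile(r"!1d(-?\d+(?:\.\d+)?)!2d(-?\d+(?:\.\d+)?)")


def parse_maps_url(url):
    """Break a post-2014 Google Maps URL into viewport, named places and waypoints."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if not segments or segments[0] != "maps":
        return None
    kind = segments[1] if len(segments) > 1 and segments[1] in ("place", "dir") else "view"
    places = []
    for seg in segments[2 if kind != "view" else 1:]:
        if seg.startswith("@") or seg.startswith("data="):
            break  # names end where the viewport or the data blob begins
        places.append(unquote_plus(seg))  # '+' encodes a space in these paths
    view = VIEWPORT.search(url)
    waypoints = [(float(lat), float(lon)) for lon, lat in WAYPOINT.findall(url)]
    return {
        "kind": kind,                      # "view", "place" or "dir"
        "places": places,                  # searched place, or route start/end in order
        "view": (float(view.group(1)), float(view.group(2)), float(view.group(3))) if view else None,
        "waypoints": waypoints,            # (latitude, longitude) per resolved route point
    }


if __name__ == "__main__":
    for u in (URL_VIEW, URL_PLACE, URL_DIR):
        print(parse_maps_url(u))
```

The viewport gives what was on screen; the waypoints give what the user actually searched for or routed between, which is usually the more telling artifact in a case.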
New Google Maps
The new tiles:
- Sample filename:
    pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
- Another sample, slightly different:
    pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png
Quick Google Maps Demo
Mobile Artifacts
Facebook
- Focusing on chat and geolocation data stored
- On Android, files are located in the following folder on the data partition: com.facebook.katana
- File we're interested in is named threads_db2 (SQLite database)
Main folder
The databases folder
threads_db2 main.messages
Kik Messenger
- Again, focusing on chat, but there is potentially a lot of great data here
- Files are located in the following folder on the data partition: kik.android
- File we're interested in is named kikdatabase.db (SQLite database, surprise!)
Main folder
The databases folder
kikdatabase.db main.messagestable
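Skype's main.db, Facebook's threads_db2 and Kik's kikdatabase.db are all SQLite files, and the first question for each is the same: which tables hold messages and how are their times encoded (Skype stores Unix seconds in UTC; Android apps typically store milliseconds). The following triage routine is an added example, not code from the talk or from Magnet Forensics: it enumerates the tables through sqlite_master, finds columns whose names suggest a timestamp via PRAGMA table_info, and decodes each value as seconds or milliseconds by magnitude. The database is built in memory; its table and column names are modelled on the Skype and Kik layouts but are assumptions, as are all the values.

```python
import re
import sqlite3
from datetime import datetime, timezone

TIME_COLUMN = re.compile(r"time|date", re.IGNORECASE)


def build_sample_db():
    """Constructed in-memory stand-in for the SQLite stores on the slides.

    Table and column names follow the layout commonly seen in Skype's main.db
    (Messages) and Kik's kikdatabase.db (messagesTable) but are assumptions here,
    as are all the values; nothing comes from a real device.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, from_dispname TEXT,
                               timestamp INTEGER, body_xml TEXT);
        INSERT INTO Messages VALUES (1, 'alice.example', 'Alice', 1365379200, 'hi there');
        INSERT INTO Messages VALUES (2, 'bob.example',   'Bob',   1365379260, 'hello');
        CREATE TABLE messagesTable (_id INTEGER PRIMARY KEY, partner_jid TEXT,
                                    timestamp INTEGER, body TEXT, was_me INTEGER);
        INSERT INTO messagesTable VALUES (1, 'carol_x@example.invalid', 1365379320000, 'on my way', 0);
        CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, displayname TEXT);
        INSERT INTO Contacts VALUES (1, 'bob.example', 'Bob');
    """)
    return con


def user_tables(con):
    """Application tables in the database (sqlite_* internals excluded), sorted."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )
    return sorted(r[0] for r in rows)


def time_columns(con, table):
    """Columns whose name suggests a timestamp, found via PRAGMA table_info."""
    return [r[1] for r in con.execute(f'PRAGMA table_info("{table}")') if TIME_COLUMN.search(r[1])]


def decode_epoch(value):
    """Decode a Unix timestamp as UTC; returns (text, unit) or (None, None).

    Skype stores seconds, Android apps usually milliseconds; values above 1e11
    (which as seconds would lie far past the year 5000) are taken as milliseconds.
    """
    if value is None:
        return None, None
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None, None
    if n <= 0:
        return None, None
    unit = "ms" if n > 10**11 else "s"
    secs = n // 1000 if unit == "ms" else n
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"), unit


def triage(con):
    """Walk every table, decode every timestamp-like column, return what was found."""
    out = []
    for table in user_tables(con):
        cols = time_columns(con, table)
        if not cols:
            continue
        select = ", ".join(f'"{c}"' for c in cols)
        for row in con.execute(f'SELECT rowid, {select} FROM "{table}"'):
            for col, raw in zip(cols, row[1:]):
                text, unit = decode_epoch(raw)
                if text:
                    out.append({"table": table, "rowid": row[0], "column": col,
                                "raw": raw, "unit": unit, "utc": text})
    return out


if __name__ == "__main__":
    db = build_sample_db()
    for r in triage(db):
        print(f"{r['table']:14} rowid={r['rowid']} {r['column']}={r['raw']} ({r['unit']}) -> {r['utc']}")
```

Run against a real file, replace the in-memory connection with sqlite3.connect on a read-only copy of the database; the output is the raw material for the timeline work shown later in the talk, with every time already normalised to UTC so entries from different apps can be merged.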
Snapchat
- Photo messaging app
- More than 100 million users, along with more than 350 million snaps sent per day
- Users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients
- Sent photographs and videos are known as "Snaps"
- Users set a time limit for how long recipients can view their Snaps (1-10 seconds)
- After time expires, the Snap is deleted
- Some data can still be recovered!
Snapchat data folder
Google Chrome OS (Chromium OS)
Google Chrome OS
- Launched on June 15th, 2011
- Linux kernel-based operating system designed by Google
- Works primarily with web applications
- Aimed at users who spend most of their computer time on the web
- Almost a pure web thin client OS: cloud based, cloud reliant
- Chromium is the open source project; Chrome OS is the commercial version, only on specific hardware from Google's partners
Google Chrome OS: Encryption / Security
- User data is encrypted on a separate partition
- Web apps are sandboxed
- Verified boot: system files are hashed and protected
- No root/shell access unless in Developer Mode
Google Chrome OS: So what can we do?
- Need user login/password
- Screenshots of web history
- Copy out files (non-traditional, not forensically sound)
- Developer Mode
Google Chrome OS: Getting shell access
- Open the browser, press Ctrl+Alt+T
- Type shell and press ENTER
- We don't have shell access outside of Developer Mode
Google Chrome OS: Getting into Developer Mode
- Need to find the method specific to your Chromebook: http://www.chromium.org/chromium-os/developerinformation-for-chrome-os-devices
- For my HP Chromebook, hold down the Esc and Refresh keys and poke the power button
Now, press Ctrl-D
This will take a few minutes, then we'll start fresh
Google Chrome OS Now we have shell access
Familiar looking files?
Familiar looking files?
Some signs of encryption
USB mount point
Copying out the user home directory
Creating an image
- List the partitions
- Image the partition to the USB drive:
    dd if=/dev/mmcblk0p1 of=/media/removable/usb\ Drive/chromebook.dd bs=4096 conv=notrunc,noerror,sync
Timeline Demo
Questions? Thanks for your time! jad@magnetforensics.com www.magnetforensics.com