Computer Forensics. Mobile Forensics - Technical insights and smartphone particularities


Computer Forensics. Mobile Forensics - Technical insights and smartphone particularities [slide 1]
By Matteo Brunati. Udine, 11 May 2015

Me, Myself & I [slide 2]
- IT Security consultant
- Design & development of IT security solutions
- IT security consultancy: EH, computer forensics, crypto currencies, etc.
- Business innovation, R&D
- Seminars, courses
- Certifications: ISACA CISA (almost...)
- Publications: lcfe (2001-2004), OISSG ISSAF (<2006), Bachelor Thesis (ICME'10)
- Scout and Judo, from time to time... ;)

Digital Evidence: Examples [slide 6]
- E-mails
- Documents
- Document metadata: EXIF, document author/date/..., PDF information, ...
- Internet browser history
- SIM card
- Memory: RAM, HDD, SSD, ...
- GPS tracks
- Media files (video, audio, images)
- Aircraft black boxes
- ...

Forensics Acquisition [slide 10]
- Identify the device to acquire: photos, hardware info (IMEI, brand, serial #, etc.)
- Try to leave the device in the power state it is found in
- If turned off: 1) remove the battery; 2) remove the SIM card; 3) remove the SD card
- If turned on: isolate it
- Phone isolation: airplane mode (modifies the phone state), Faraday cage, tinfoil, jammer
- Use a write blocker whenever possible: 1) hardware; 2) software
- Acquire the device date and time

Hardware Tools: Faraday Bag/Box [slide 11]

Hardware Tools: Write Blocker [slide 12]

Hardware Tools: Jammer [slide 13]

Mobile Device Components [slide 14]
- Device information
- Hardware: SIM card (SIM cloning, SIM acquisition); flash card (custom hardware/software)
- Logical: file system
- Physical: mass storage (usual DF techniques)
- Cloud: depends...

Software Tools: Proprietary [slide 15]
- Cellebrite UFED
- Micro Systemation XRY
- Oxygen Forensics
- MOBILEdit
- viaForensics: Android, soon iOS
- Katana Forensics Lantern: iOS

Software Tools: Open Source [slide 16]
- Logical acquisition (your Linux machine, Santoku)
  - iOS: libidevicebackup (for encrypted backups: ElcomSoft Password Recovery Bundle)
  - Android: adb, AFLogical OSE
  - External mass storage: dd, dcfldd, Guymager
- Physical acquisition: Android Forensics, Physical Techniques (RIP)

Software Tools: Open Source (cont'd) [slide 17]
- There is no tool that does everything
- Image analysis
  - iOS: libidevicebackup, ipba2
  - External mass storage: Autopsy
- Carving: foremost, scalpel, ks, PhotoRec, Bulk Extractor, etc.
- Apps: Skype, WhatsApp (WhatsappXstract, Backup Text for Whats), Viber (Backup Text for Viber), AFLogical OSE

Carving [slide 18]
- Recovering data from disk the raw way ;)
- Doesn't care about partition types
- Doesn't care about deleted/existing files
- We just need the file to have been saved at least once on the file system
- Search for the file magic number [1], [2]
- Recover as much as possible of the file remnants
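The carving idea from this slide in code, as an added example that is not part of the original deck: a minimal JPEG carver that scans a raw image for the SOI magic number and the next EOI marker, with no knowledge of partitions or file-system metadata. The sample "disk image" is constructed inline; the two embedded JPEG stubs stand in for an allocated and a deleted file, which the carver cannot and need not distinguish.

```python
# Added example (not from the slides): magic-number carving of JPEG files from a raw image.

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # End Of Image marker


def carve_jpeg(image: bytes, max_size: int = 20 * 1024 * 1024):
    """Return a list of (offset, data) for every JPEG-like blob found in `image`.

    Partition tables and directory entries are ignored entirely: a file that was
    written once and not yet overwritten is found whether or not it is "deleted".
    When a header has no footer within `max_size` bytes, the remnant is kept
    anyway (truncated to `max_size`), so as much as possible is recovered.
    """
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header without footer: keep the remnant and continue past this header
            results.append((start, image[start:start + max_size]))
            pos = start + len(JPEG_SOI)
        else:
            results.append((start, image[start:end + len(JPEG_EOI)]))
            pos = end + len(JPEG_EOI)
    return results


def build_sample_image() -> bytes:
    """Constructed raw image: non-JPEG filler with two JPEG stubs embedded in it."""
    filler = bytes(range(256)) * 4  # 1 KiB that contains neither FF D8 FF nor FF D9
    jpeg_a = JPEG_SOI + b"\xe0" + b"JFIF-A-payload" + JPEG_EOI  # APP0 (JFIF) stub
    jpeg_b = JPEG_SOI + b"\xe1" + b"Exif-B-payload" + JPEG_EOI  # APP1 (Exif) stub
    return filler + jpeg_a + filler + jpeg_b + filler


if __name__ == "__main__":
    for offset, data in carve_jpeg(build_sample_image()):
        print(f"JPEG at offset {offset}: {len(data)} bytes")
```

Real images need a size bound tuned to the media (photos from a phone are rarely above a few tens of MB) and a footer check that tolerates embedded thumbnails, which carry their own SOI/EOI pair.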

SSD nightmare [slide 19]
- The physical properties of SSDs and their controller chips make it very hard, and sometimes unpredictable, to retrieve deleted data: wear levelling, TRIM
- But that is not always the case; it depends on :) operating system type and version, SSD drive, file system type, ...

Android examples: broken screen [slide 20]
How to access an Android device with a broken screen? Emulating user input :)

    $ adb shell input keyevent 26                                   # power
    $ adb shell input text <PIN> && adb shell input keyevent 66     # input PIN and hit enter
    $ adb shell input keyevent 4                                    # back
    $ adb shell input keyevent 82                                   # settings
    $ adb shell input keyevent 20                                   # down
    $ adb shell input keyevent 20                                   # down
    $ adb shell input keyevent 66                                   # enter

References: ADB Shell Input Events, KeyEvent

Android examples: unlock device [slide 21]
- Android <= 4.2.1
- Original work: kosborn/p2p-adb
- GUI: x942/p2pgui
- raider-android-backup-tool by c0rnholio

Android examples: AFLogical OSE??? TextSecure ;) [slide 22]

Android examples: WhatsApp [slide 23]

Android/iOS example: Telegram (1/2) [slide 24]
- Photos shot from a secret chat: on Android they are saved in the system photo gallery and can be recovered with carving
- All chat messages: stored in clear text in the SQLite DB; retrievable from a memory dump
- Deleted messages: Android: only from a RAM dump; iOS: still in the SQLite DB
- References: iOS: Telegram Investigation; Android: Telegram App Store Secret-Chat Messages in Plain-Text Database
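The slide's point that messages sit in clear text in an SQLite database, and that deleted ones can still be there, as an added example that is neither the deck's code nor Telegram's real schema: a constructed message table shows why a deleted row is still found by a raw search of the database file until the database is vacuumed.

```python
# Added example (not from the slides): a deleted SQLite row survives in the raw file.
import os
import shutil
import sqlite3
import tempfile

MARKER = b"DELETED-MESSAGE-MARKER"  # constructed body of the row we will delete


def deleted_row_persists() -> tuple:
    """Return (found_after_delete, found_after_vacuum) for a constructed messages table.

    With secure_delete off (the default in most SQLite builds) a DELETE only
    unlinks the cell: its bytes stay on the page, so a byte search of the file
    still hits the message. VACUUM rebuilds the file and drops the freed space.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "messages.db")  # constructed path, not an app's real DB
    try:
        con = sqlite3.connect(path)
        con.execute("PRAGMA secure_delete=OFF")  # pin the behaviour the demo relies on
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        con.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
            (1, "alice", "meet at the usual place"),
            (2, "bob", MARKER.decode()),
            (3, "alice", "ok, see you there"),
        ])
        con.commit()
        con.execute("DELETE FROM messages WHERE id = 2")
        con.commit()
        con.close()
        with open(path, "rb") as f:
            found_after_delete = MARKER in f.read()  # the "deleted" text is still on disk

        con = sqlite3.connect(path)
        con.execute("VACUUM")  # rewrites live rows into a fresh file; free cells are gone
        con.close()
        with open(path, "rb") as f:
            found_after_vacuum = MARKER in f.read()
        return found_after_delete, found_after_vacuum
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print("after delete, after vacuum:", deleted_row_persists())
```

The same raw search is what an examiner runs against a recovered database file; an app that vacuums or enables secure_delete removes exactly this trace, which is why the slide lists such behaviour under anti-forensics.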

Android/iOS example: Telegram (2/2) [slide 25]

Anti-forensics: Android [slide 26]
- Network traffic: Orbot + Orweb/Firefox add-on, VPN
- SMS/Messages: TextSecure, ChatSecure, Telegram (*)
- Phone calls: RedPhone, Ostel
- Steganography: Pixelknot
- Cleaning: CCleaner...
(*) Only the network traffic is encrypted


We are hiring: jobs@cybrain.it [slide 28]