android forensics - how the police investigates your device

Android forensics: how the police investigates your device? 2015.06.04 Droidcon Berlin, Marius Mailat

Upload: marius-florian-mailat

Post on 29-Jul-2015


Page 1: Android Forensics - How the police investigates your device

Android forensics: how the police investigates your device? 2015.06.04 Droidcon Berlin, Marius Mailat

Page 2

Who is Marius?

1. CTO at APPsrise, winner of the Best of Mobile award 2014
2. Since 2015 Google Developer Expert, Android
3. Trained over 500 developers on Android topics
4. Founder of the Android developer community ANDROIDER

Page 3

Agenda

Page 4

Agenda

1. Motivation: why this crazy topic?
2. Android internal platform.
3. Android forensics - how to extract data.
4. Android anti-forensics - how to protect your data.

Page 5

Why this crazy topic?

Page 6

I still code Android

Page 7

Android TV

Page 8

Android Auto

Page 9

Android in digital signage

Page 10

Android Wear

Page 11

Still not convinced?

Page 12

Hero of the day: Meizu MX3 device

Origin: amazing China
Claims: 8 million preorders
Description: popular Android phone based on Flyme OS

Page 13

The phone is sniffing the web traffic: sins in Meizu MX apps


Page 14

Page 15

Android internal platform

Page 16

Page 17

Binder: object-oriented OS IPC

• Initially developed for BeOS, later used by Palm (which acquired BeOS)
• Most of the Android infrastructure (services) is supported by Binder
• Binder is lightweight and high-performance
• Bound services are "garbage collected" when no longer in use
• Remote (service) method calls are synchronous (feels like just a function call, even though it's IPC)
• Services are defined/exposed via AIDL

Page 18

Anonymous shared memory (ashmem)

• Reference-counted, virtually mapped, named memory block that is shared between processes and that the kernel is allowed to free
• Similar to POSIX SHM but with different behaviour and a simpler file-based API (POSIX SHM does not allow the kernel to free shared memory)
• Android uses ashmem to share resources to minimize redundancy across processes
• The kernel can discard unused shared blocks of memory when under pressure
• Represented in the Java layer as android.os.MemoryFile

Page 19

Anonymous shared memory (ashmem)

    #include <sys/mman.h>
    #include <cutils/ashmem.h>   /* ashmem_create_region(), from Android's libcutils */

    int size = 4096;
    void *data = NULL;
    int fd = ashmem_create_region("MySharedRegionName", size);
    if (fd >= 0) {   /* a negative fd means the region could not be created */
        data = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (data != MAP_FAILED) {
            /* for security reasons, no other process can ashmem_create_region() with the same name */
            /* instead, to share this memory, we send fd via Binder IPC to another process */
            /* that process then mmap()'s it the same way in order to access the shared memory */
        }
    }

Page 20

Android init startup

Page 21

Android init startup

After the kernel loads, process 1 (/init) is created. It:

• starts ueventd
• initializes the system clock and logger
• sets up the global environment
• sets up the file system (mount points and symbolic links)
• configures kernel timeouts and the scheduler
• configures process groups
• creates a basic directory structure on /data and applies permissions
• applies permissions on /cache
• applies permissions on certain /proc points
• initializes the local network (i.e. localhost)
• configures the parameters for the low memory killer
• applies permissions for system_server and daemons
• defines TCP buffer sizes for various networks
• configures and (optionally) loads various daemons (i.e. services): ueventd, console, adbd, servicemanager, vold, netd, debuggerd, rild, zygote (which in turn starts system_server), mediaserver, bootanimation (one time), various Bluetooth daemons (like dbus-daemon, bluetoothd, etc.), installd, racoon, mtpd, keystore

Page 22

Bored already?

Page 23

Android conference dialer

Q1 (Pavel): write your own dialer with conference in one click.

Response: not really that easy to do, BUT again, maybe there is a way for everything?

Via https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/InCallPresenter.java

CallCommandClient.getInstance().merge();

brings you to https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallCommandClient.java

and this is using the AIDL https://android.googlesource.com/platform/packages/services/Telephony/+/master/common/src/com/android/services/telephony/common/ICallCommandService.aidl

You can now try to control the https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallHandlerService.java

Page 24

What is Android forensics?

The use of science and technology to investigate and establish facts in criminal or civil courts of law. Deciding some disputes requires the use of physical evidence.

Page 25

Motivation?

Page 26

What is wrong with this picture?

Page 27

Abel Yenukidze photo tampered

Page 28

Every contact leaves a trace.

Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him.

All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment.

It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.

Dr. Edmund Locard (1877-1966)

Page 29

Android forensics: extract data

Page 30

Cellebrite UFED

• Standalone device
• Can extract data from 1600+ devices
• Covers Android devices
• Built-in SIM reader and cloner
• Can store output on SD, flash or PC

Page 31

EnCase Forensic

• Software solution
• Android, BlackBerry, iOS and WinMobile
• Device settings
• Contacts, call logs
• E-mail
• Images
• SMS/MMS
• Calendars

Page 32

• viaForensics viaExtract
• X-Ways
• Micro Systemation XRY

Page 33

The ninja way

Page 34

Ways to get access to data on Android

1. Access to the device, bypassing the security lock.
2. Physical data extraction!
3. Logical data extraction. Yummy.

Page 35

1. Access the device using a smudge attack

Page 36

1. Access the device using a smudge attack

Reboot to bootloader mode:

$ adb reboot bootloader

Using fastboot, load a different ROM (e.g. the ClockworkMod recovery image) and remove the key file related to the challenge.

$ adb shell
$ su
$ rm /data/system/gesture.key

Or in case of a password or PIN:

$ rm password.key

Page 37

2. Physical data extraction

Software + hardware

Page 38

3. Logical data extraction

1. ADB
2. SQLite
3. Content providers
4. Android backup (since 4.0)

Page 39

$ mount
... /dev/block/mtd7lock /system ext3 ...

Check if the command dd is available; if not, install the BusyBox toolset. As an alternative you can use dc3dd or nanddump, available on https://github.com/jakev/android-binaries

$ dd if=/dev/block/mtd7lock of=/sdcard/mtd7lock.imgdd

$ adb pull /sdcard/mtd7lock.imgdd mtd7lock.imgdd

$ od -x mtd7lock.imgdd

$ strings mtd7lock.imgdd | grep '<your own pattern goes here>'

3. Logical data extraction

Page 40

Check more on: http://goo.gl/2vDsmm

3. Logical data extraction for Samsung

Page 41

Get all the APKs from the system:

$ adb shell
$ su
# cd /data/app
# tar -cvf /sdcard/all-apps.tar /data/app/*.apk
# gzip /sdcard/all-apps.tar
$ adb pull /sdcard/all-apps.tar.gz ./
$ tar -xzvf all-apps.tar.gz

3. Logical data extraction

Page 42

Snoop the databases in the system:

$ find data -name "*.db" -print
data/data/com.google.android.browser/app_appcache/ApplicationCache.db
data/data/com.google.android.browser/app_databases/Databases.db
data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
data/data/com.android.providers.calendar/databases/calendar.db
data/data/com.android.providers.contacts/databases/profile.db
data/data/com.android.providers.contacts/databases/contacts2.db
data/data/com.android.providers.downloads/databases/downloads.db
data/data/com.google.android.email/databases/EmailProvider.db
data/data/com.google.android.gm/databases/[email protected]
data/data/com.google.android.gm/databases/[email protected]
data/data/com.google.android.gm/databases/webviewCookiesChromium.db
data/data/com.google.android.music/databases/music.db
data/data/com.android.providers.telephony/databases/telephony.db
data/data/com.android.providers.telephony/databases/mmssms.db
data/system/accounts.db

3. Logical data extraction

Page 43

Snoop further:

# sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db

sqlite> .schema accounts
CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
sqlite> select * from accounts;
||[email protected]|

sqlite> select * from data;
8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/marius%40gmail.com/59w25d6cef09539135|||0
8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10

3. Logical data extraction

Page 44

Snoop SMSs:

sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db

sqlite> .mode column
sqlite> .header on
sqlite> select address, date, body from sms;

address        date           body
-------------  -------------  -----------------------------------------------
+411113272608  1336592918275  AT&T Free Msg: Welcome to GoPhone! To learn more ...
3410498xxxx    1336720180796  Hey, nice day today. Up for a hike?:-)
+41310498xxxx  1336720230196  Hike sounds good:) kahuna beach canyon?
3410498xxxx    1336720272373  Laguna is good. See you at 5:30.

3. Logical data extraction
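An added example, not from the slides, of running the same query with Python's sqlite3 and turning the raw date column (milliseconds since the Unix epoch, as the table above shows) into a readable UTC timestamp; it builds a constructed look-alike of the sms table in memory, and goes one step beyond the slide by also decoding the provider's type column (1 = received, 2 = sent).

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample in the shape of the sms table queried on the slide
# (address, date, type, body).  The dates are the values shown on the slide;
# the type column is the provider's direction flag (1 = inbox, 2 = sent).
SAMPLE_ROWS = [
    ("+411113272608", 1336592918275, 1, "AT&T Free Msg: Welcome to GoPhone! To learn more ..."),
    ("3410498xxxx",   1336720180796, 1, "Hey, nice day today. Up for a hike?:-)"),
    ("+41310498xxxx", 1336720230196, 2, "Hike sounds good:) kahuna beach canyon?"),
]
SMS_TYPE = {1: "received", 2: "sent"}

def build_sample_db(path=":memory:") -> sqlite3.Connection:
    """Create a minimal mmssms.db look-alike with only the columns we query."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
                    SAMPLE_ROWS)
    con.commit()
    return con

def ms_to_iso(ms: int) -> str:
    """sms.date is milliseconds since the Unix epoch; render it as UTC ISO-8601."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"

def dump_sms(con: sqlite3.Connection) -> list:
    """The slide's query, with the timestamp and direction made human-readable."""
    cur = con.execute("SELECT address, date, type, body FROM sms ORDER BY date")
    return [(addr, ms_to_iso(ms), SMS_TYPE.get(kind, f"type {kind}"), body)
            for addr, ms, kind, body in cur]

if __name__ == "__main__":
    for row in dump_sms(build_sample_db()):
        print(" | ".join(row))
```

Point dump_sms at a connection opened on a pulled mmssms.db to get the same output for real data.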

Page 45

adb logcat -v time -b radio -d

dmesg - kernel messages

adb shell getprop - information about the device properties

3. Logical data extraction - logcat

Page 46

3. Logical data extraction - content providers

Page 47

# backup all content of an app
adb backup com.whatsapp -f whatsapp_backup.ab

# backup everything
adb backup -apk -noshared -all -f Backup_06_04_2015.ab

# confirm the backup on the device screen

# extract data from the .ab file
dd if=whatsapp_backup.ab bs=24 skip=1 | openssl zlib -d > whatsapp.tar
tar xvf whatsapp.tar

3. Logical data extraction - backup
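An added example, not from the slides, that parses the .ab header instead of blindly skipping 24 bytes: it checks the magic, version, compression and encryption lines, refuses password-protected backups (whose header is longer, so a fixed skip would fail), and unpacks the tar with Python's zlib and tarfile modules; the sample backup it builds is constructed for the demonstration.

```python
import io
import tarfile
import zlib

# Android backup (.ab) layout, as written by "adb backup": a short text header
#   ANDROID BACKUP\n  1\n  1\n  none\n   (magic, version, compressed?, encryption)
# followed by the tar stream.  For an unencrypted, compressed v1 backup the
# header is exactly 24 bytes, which is why the slide's "dd bs=24 skip=1" works;
# "AES-256" backups carry extra header lines (salts, rounds, wrapped key).
MAGIC = b"ANDROID BACKUP\n"

def parse_ab_header(blob: bytes) -> dict:
    """Return the header fields and the offset at which the tar payload starts."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):  # version, compressed, encryption
        end = blob.index(b"\n", pos)
        fields.append(blob[pos:end].decode("ascii"))
        pos = end + 1
    version, compressed, encryption = fields
    if encryption != "none":
        # A blind 24-byte skip would feed key material into zlib and fail.
        raise ValueError(f"encrypted backup ({encryption}), password needed")
    return {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption, "payload_offset": pos}

def extract_ab(blob: bytes) -> dict:
    """Decompress the payload and return {member name: bytes} for every file."""
    hdr = parse_ab_header(blob)
    payload = blob[hdr["payload_offset"]:]
    if hdr["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}

def make_sample_ab(files: dict) -> bytes:
    """Constructed sample: build a tiny compressed, unencrypted v1 backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

On a real file, extract_ab(open("whatsapp_backup.ab", "rb").read()) yields the same members the slide's tar command unpacks.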

Page 48

# reboot to the bootloader
adb reboot bootloader

# boot the custom recovery (fastboot boot runs it without flashing)
fastboot boot [recovery-name].img

Turn on USB debugging and remove the gesture.key/password.key

Make a dd copy of the partition

Analyze the partitions using tools like The Sleuth Kit (TSK) - http://www.sleuthkit.org/sleuthkit/ or Oxygen Suite - http://www.oxygen-forensic.com

3. Logical data extraction - custom recovery

Page 49

How to snoop inside of an Android app?

1. $ apktool d BANK.apk
2. $ jar xvf BANK.apk classes.dex
3. $ dex2jar.sh classes.dex
4. > open JD-GUI
5. Try alternatives: Dare, DED, dexdump etc.

Page 50

Android anti-forensics

1. Physical destruction
2. Overwriting data on your device
3. Cryptography or steganography

Page 51

Android anti-forensics

Page 52

Protect your own Android app?

• Your code -> ART -> your safer code
• Protect the app: protect the resources, protect the preferences, protect the database
• Security & code guidelines
• Serious painting skills with sensitive data
• Encrypt your binary: "bu huhu", magic via DexGuard

Page 53

More on Android forensics

Page 54

Interested in more?

http://stackoverflow.com/questions/28007421/android-image-extraction-from-cache
https://github.com/AFFT-520/Android-Free-Forensic-Toolkit
https://github.com/soarlab/maline
http://freeandroidforensics.blogspot.de/
http://resources.infosecinstitute.com/getting-started-android-forensics/
https://andriller.com/

Page 55

Thank you. Questions?

MARIUS MAILAT

[email protected]