NETWORK FORENSICS: UNCOVERING SECRETS OF MOBILE APPLICATIONS
Eric Fulton, BlackHat Webcasts
Sponsored by: ForeScout
Wednesday, June 13, 2012
ROADMAP
• Introduction
• Explanation of different mobile fields
• Methods of Interception
• Case Study – Facebook Traffic
• Case Study – Identification of Installed Applications
• NFPC Contest
• Wrap-up
INTRO
• Eric Fulton, Director of Research at LMG Security
  • @Trisk3t
  • LMGSecurity.com
• Other Learning Opportunities
  • Network Forensics, BlackHat USA, July 21-24, 2012
  • www.ForensicsContest.com
  • DEFCON Contest (#NFPC)
• Why Network Forensics…
MOBILE DEVICE FIELDS
• Network Forensics
• Hardware Analysis
  • NFC
  • Huawei
• File System Analysis
  • Much like traditional forensics
• Application Analysis
  • Mobile Malware
  • CarrierIQ
• Radio Analysis
MOBILE NETWORK FORENSICS
• Identifying and analyzing data sent via wireless signals
• Relatively easy to intercept
• Often contains sensitive and identifying information
• Plethora of existing tools and learning aids
METHODS OF INTERCEPTION
• GnuRadio
  • Interception of GSM and CDMA signals via software defined radio
  • (or get a HAM license, see Chris Paget’s talk)
  • Allows for voice, text, and data interception
• Wifi
  • Interception and MiTM of data packets
  • Especially effective with SSLSniff
  • Analysis on a corporate network (BYOD identification)
ANALYSIS OF FACEBOOK TRAFFIC (Case Study)
MOBILE FACEBOOK TRAFFIC
DECRYPTING IN WIRESHARK
FACEBOOK DECRYPTED
MOBILE APPLICATION STREAM ANALYSIS
ANALYZING INSTALLED APPLICATIONS (Case Study)
HERE IS AN INSTALLED APPLICATION
QUESTIONS TO KEEP IN MIND
• How do you identify installed applications when you don’t own the device?
• Can you determine the intent of the application via network traffic?
• Are you able to identify sensitive information being exfiltrated by an application?
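As an added example (not part of the original webcast), a small Python triage script that applies the questions above to HTTP request records captured from a BYOD segment: it builds a per-client inventory of apps from the User-Agent and flags identifiers such as telnum, m_addr or an IMEI sent in cleartext. The hosts, app names, parameter names and values are constructed for the example.

```python
"""Added example (not from the talk): triage cleartext HTTP requests from a BYOD
segment to infer installed apps and flag identifiers sent in the clear."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed records: (client_ip, host, user_agent, path_and_query)
SAMPLE_REQUESTS = [
    ("10.0.0.21", "api.example-app.test", "ExampleApp/2.1 (Android 4.0.4; GT-I9100)",
     "/register?telnum=15555550123&m_addr=00:11:22:33:44:55&lang=en"),
    ("10.0.0.21", "m.facebook.com", "Dalvik/1.6.0 (Linux; U; Android 4.0.4)",
     "/home.php?refid=8"),
    ("10.0.0.37", "weather.example.test", "WeatherWidget/1.0 (iPhone; iOS 5.1)",
     "/forecast?zip=59801&uid=356938035643809"),
]
GENERIC_UA = ("Dalvik", "Mozilla", "Apple-CFNetwork")  # runtime/browser, not an app
IDENT_NAMES = {"telnum", "phone", "msisdn", "m_addr", "mac", "imei", "imsi", "udid"}
IDENT_VALUES = {  # value shapes that leak an identifier under an innocuous name
    "mac": re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "imei": re.compile(r"^\d{15}$"),
    "phone": re.compile(r"^\+?\d{10,14}$"),
}

def app_from_user_agent(ua):
    """Return 'Name/Version' for an app-specific UA, or None if it only names a runtime."""
    token = ua.split()[0] if ua else ""
    return None if not token or token.split("/")[0] in GENERIC_UA else token

def sensitive_params(path_and_query):
    """Map each query parameter that carries an identifier to the identifier type."""
    found = {}
    for key, values in parse_qs(urlsplit(path_and_query).query).items():
        if key.lower() in IDENT_NAMES:
            found[key] = key.lower()
            continue
        for kind, pattern in IDENT_VALUES.items():
            if any(pattern.match(v) for v in values):
                found[key] = kind
    return found

def triage(requests):
    """Per-client app inventory plus a list of cleartext identifier leaks."""
    inventory, leaks = {}, []
    for client, host, ua, url in requests:
        app = app_from_user_agent(ua) or host  # fall back to the destination host
        inventory.setdefault(client, set()).add(app)
        hits = sensitive_params(url)
        if hits:
            leaks.append({"client": client, "app": app, "host": host, "fields": hits})
    return inventory, leaks
```

Each leak record names the client, the app (or destination host) and the offending parameters, which is what a WHOIS lookup on the destination and a conversation with the device owner would start from.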
MOBILE APPLICATION TRAFFIC
WHAT DO YOU SEE?
TELNUM? M_ADDR?
ZOOM. ENHANCE.
LET US @DIG DEEPER
WHOIS
WHOIS
DISCUSSION
• How could you identify malware in an enterprise?
• How could you prevent malware in an enterprise?
• What else could you do with the information found?
NETWORK FORENSICS PUZZLE CONTEST
• Puzzle #10: PaulDotCom Goes Off the Air
  • http://forensicscontest.com/2012/05/31/puzzle-10-pauldotcom-goes-off-the-air
  • Winner gets a BlackHat Black Card!
• #NFPC @ Defcon 20
  • Winner gets an iPad!
THANKS!
Questions?