phoning it in: heather talks about smartphone forensics...

Phoningitin:HeathertalksaboutSmartphoneForensics

HeatherMahalikCopyright@2017HeatherMahalik,AllRightsReserved

Aboutme…

•  Director,ForensicEng.AtManTechCARD•  SANSSeniorInstructor•  InvolvedwithInfoSec/Forensicsfor15+years•  Co-authorofFOR585•  InstructorofFOR585andFOR408•  Co-AuthorofPracUcalMobileForensics(1stand2ndEdiUons)

•  Momandawife•  Dog,horse,wineandbourbonloverJ

Copyright@2017HeatherMahalik,AllRightsReserved

Agenda

•  Whatispossibleinsmartphoneforensics?•  EncrypUonandlocks–aretheyashowstopper?

•  Tools–canyoutrustthem?•  ValidaUonoftoolsandarUfacts•  FOR585,GASF,blogsandmore


What’shappeninginsmartphonesecurity

•  FulldiskencrypUonreadilyavailable– Morepeopleareusingit– Somedevicesrequireit– HurtsacquisiUon?

•  Passwordsencouraged•  ApplicaUonsecurity•  MDM


Whatdoesthismean?

•  Thestateofeverymobiledevicemayvary•  YouneedtobepreparedforallsituaUons•  Youwillneedmorethanonetool•  YouwillneedtheskillstomanuallycarveforforensicarUfacts

•  Youmaybe100%blockedfromthedata


Whatshouldyoudoaboutit

•  Considertheissue– EncrypUon,locks,lackofparsingsupport…

•  Considertoolsavailabletoyou– Commercial,opensourceandscripts

•  DetermineanacUonplan•  MakesureyouracUonsdonotdestroyyourevidence!!!


FullDiskEncrypUon•  iOS

–  HardwarelevelencrypUonstoredbetweentheflashmemoryandthesystemareain"EffaceableStorage”

•  AndroidLollipop/Marshmallow/Nougat–  Offeredformostdevices

•  WindowsPhone8/10–  IncorporatesBitlockerTechnology

•  BlackBerry/BlackberryOS10–  HardwarelevelencrypUon–  Trustedasmostsecure*


Userlocks

•  Mostsmartphonesareoienlocked•  PINorsimplepasscode•  Passphraseorcomplexpasscode•  Biometriclocks


ApplicaUon“ProtecUon”

EncodingSchemes

ASCII

Unicode

UTF-8

Base64

EncrypUonAlgorithms

AES

Blowfish

Twofish

Serpent

Transforming/converting data into code


It’sUmetooutsmartyourtoolsandthesecurityfeatures!

FullDiskEncrypUon

•  Canyoudisableit?•  CanyourtoolbypassitorinterjectpriortobooUng?

•  Canyoubypassitaierthefact?•  Considertheothercomponents


Userlocks•  Trytocrackthat$@!%•  Considertoolstohelpyou•  Using“SmartLocks”


WhatabouttheLockdownFiles?

•  CanbeusedtobypassalockeddeviceforacquisiUon

•  Maynotalwayswork,butit’sworthashot


ApplicaUonEncrypUon

•  Useatooltoviewthefilesystem

•  ExportapplicaUonfilesofinterest

•  ManuallycarveforuserarUfactsthatarenotparsed


Example:CyberDust(1)•  Olderversionsclaimtoremovealluserdataupontransmission/receipt– Nevertrustclaimsoryourtool– ReviewAppfilesforuseracUvity


Example:CyberDust(2)

•  MessagesareencodedtwiceusingBase64


Example:Telegram(1)


Example:Telegram(2)


HaveyouexhaustedallopUons?

Thinkoutsidethebox…or“inside”theboxandcloud


Considerthebackupfiles

•  Doyouhaveaccesstothehostcomputer?– AssumingtheuserhassyncedwithiTunes– UseatoollikeElcomsoitocrackthepassword

•  Usethepairingrecordtoaccessthedevice–  ThepairingrecordisauniquekeyassociatedtotheiOSdevice

–  PairingrecordsarerequiredforcommunicaUonwiththedevicesinceiOS7

•  Willnotworkonafreshlyrestarteddevice•  Limiteddatamayberecovered


Willyourtoolcatchyouwhenyoufall?

•  Willyoubeabletodefendtheevidence?

•  Canyoufindthedata?•  Whatifthetoolscontradictoneanother?

•  UnderstandthearUfacts•  Don’tknowjustenoughtobedangerous


Whythetoolsfail…

•  Thereissomuchdata•  ToomanyapplicaUons•  OSupdates•  KnowingwheretofindthisinformaUonisthehardestpart

•  KnowinghowthearUfactwascreatediskey!


Example1:CallLogs(1)MagnetIEF

UFEDPhysicalAnalyzer

CallLogsLibrary/CallHistory/call_history.dbLibrary/CallHistory/callhistory.storedata(iOS8,9&10)


Example1:CallLogs(2)Calllogs

iOS7

iOS8,9&10


Example2:AppleMapsiOS8,9&10* iOS7

AppleMapsLibrary/Maps/History.mapsdataLibrary/Maps/GeoHistory.mapsdata(iOS8,9&10?)


Whydataismissed(1)

•  Socialmediageo-tagging–  Facebook–  Google+–  Twiuer–  Etc.

•  Considerwhattracesareleibehindwhentheuser“checks-in”andtagsalocaUon


Whydataismissed(2)•  Diggingdeeperintotheapps

– Whataretheyreallydoing?


RecommendedSteps

•  UsetoolsforTriage– Whichtool–well,itdepends…

•  Usemorethanonetool– AcquisiUon– Analysis

•  Don’tbeafraidtodoityourself!•  Alwaysverifyyourresults


EssenUalskilldevelopment

•  LearnhowdataisstoredonAndroidandiOSdevices

•  LearnhowtoidenUfytracesofOSupgrades•  LearndecodingandmanualexaminaUontechniques

•  Findwaystooutsmartyourtools•  TakeFOR585tomakesureyoubuildthenecessaryskillstoeffecUvelyexaminethenextsmartphoneyousee(andyouwillseeone…)


About585…

•  Courselaunchedin2014•  GASFCert–Vendorneutralavailabletoeveryone•  Co-authoredwithLeeCrognaleandCindyMurphy•  Addressesthehardesttotackletopics•  CoversiOS,BlackBerry,Android,WindowsPhone,Knock-off,Nokia,3rdPartyApps,Malware,SQLiteexaminaUonsandmore

•  Includes17hands-onlabsofcurrentsmartdevices•  IsvendorNEUTRAL–Weteachyouthebestmethods


FOR585AdvancedSmartphoneForensicsCourseAvailableAt:

Aus/n,TX–June2017*

SANSFIRE:Washington,DC–July2017*Chicago–August2017SanFran–Sept2017

NetSec:LasVegas–Sept2017*Berlin–Oct2017*Sydney–Nov2017

CDI:Washington,Dc–Dec2017*OnDemand–Any/meyouwant!

*FOR585–vLive–LearninyourPJswithabeerthissummer!

UpcomingCourses

GIACGASFCerUficaUon

•  Allstudentswhoauendqualifyfordiscounted,freeorbundle-pricing

•  Vendor-neutral•  ProvesyouknowhowtostandbehindthearUfacts!

•  TakeFOR585nowandjoinforceswiththosewhoearnedthissoughtaiercert


Bouomline…

•  Jokingly:Therearemorepeopleintheworldwithasmartphonethanthosewhohaveaccesstoatoilet!

•  Seriously:MostinvesUgaUonsinvolveasmartphone– Willyouknowwheretofindthedata?– Willyouneedtorelyonyourtools?– Doyouhaveacerttobackyou?


•  FOR585 Advanced Smartphone Forensics •  Practical Mobile Forensics , 2nd edition •  Learning iOS Forensics, 2nd edition •  http://smarterforensics.com •  https://andriller.com/ •  https://sandersonforensics.com •  http://az4n6.blogspot.com/p/downloads.html •  http://cheeky4n6monkey.blogspot.com/ •  www.mac4n6.com

References, Sources and Suggested Reading

QUESTIONS?

[email protected]@HeatherMahalikBlog:for585.com/blog


phoning it in: heather talks about smartphone forensics...

Documents