Android Forensics with Free/Open Source Tools - DroidconIT_2016

Turin, 7-8 April 2016. Alessandro Di Carlo. 30 slides.

Transcript of Android Forensics with Free/Open Source Tools - DroidconIT_2016

Page 1: Android Forensics with Free/Open Source Tools - DroidconIT_2016

Android Forensics with Free/Open Source Tools

Turin 7-8 April

Alessandro Di Carlo

Page 2:

$WHOAMI

• Graduate of the University of Camerino
• Reviewer and writer of articles for Hakin9, eForensics Magazine and PenTest Magazine
• Writer of articles for Hacker Journal
• eCPPT certified – Professional Penetration Tester
• Member of IISFA (International Information Systems Forensics Association)
• Member of ONIF (Osservatorio Nazionale Informatica Forense)
• Security Expert, System Analyst and Trainer for Tiger Security Srl

Page 3:

What is Digital Forensics?

• "Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime."
• Mobile device forensics is the branch of digital forensics that deals with extracting, recovering and analysing digital evidence or data from a mobile device under forensically sound conditions.

Page 4:

Phases in Mobile Forensics

Investigation
Seizure and Isolation
Acquisition
Examination and Analysis
Reporting

Page 5:

Very important questions
• Is the device turned on?
• Is the device turned off?
• If it is on, is it protected with a passcode?
• If it is on, is it unlocked?
• …

Page 6:

Prevent alteration of data

• Flight mode (needs an unlocked screen to set; check that Wi-Fi and Bluetooth are really off too, since both can be re-enabled while in flight mode)
• Faraday bag (blocks every radio, so the device can stay powered on without receiving a remote wipe or new messages)
• Eject the SIM card (stops the cellular path only; Wi-Fi is still a way in)

Page 7:

Pay attention at shutdown!!

• A smartphone can be shut down even while it is locked!
• Will a PIN be required after reboot?
• Everything loaded into RAM is lost!!
• On a device with full-disk encryption the user data partition stays unreadable after a reboot until the passcode is entered, so a running, unlocked device may be the only chance at the data.

Page 8:

Acquisition

• Mainly we have two types of acquisition:

Logical Acquisition   Physical Acquisition

Page 9:

Logical Acquisition

• Logical extraction is analogous to copying and pasting a folder in order to extract data from a system
• If any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder

Page 10:

Logical Acquisition

• Deleted data can be recovered from a logical extraction only if the app stored it in a SQLite database and the deleted record still sits in the file's free space (SQLite only unlinks a deleted cell; its bytes remain until the page is reused or the file is vacuumed, unless secure_delete is on)
• The data that can be recovered is:

1. Contacts
2. Call logs
3. SMS/MMS
4. Application data
5. System logs and information
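As an added example (not from the slides, and not the author's tooling), the script below shows the mechanism behind that bullet. It builds a constructed SQLite table shaped like the telephony provider's sms table, deletes two rows the way an app would, then reads the raw file and reports message bodies that SELECT no longer returns but that still sit in the page's freeblocks. The table layout, the sample messages and the marker regex are all constructed for the demo; on a real mmssms.db you would key the carver on structure you know (number formats, timestamps, record headers) rather than on content.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows shaped like the telephony provider's sms table;
# nothing here comes from a real handset.
SAMPLE_SMS = [
    (1, "+390000000001", "SMS#01 hello."),
    (2, "+390000000002", "SMS#02 meet me at the station."),
    (3, "+390000000001", "SMS#03 running late."),
    (4, "+390000000003", "SMS#04 delete this after reading."),
    (5, "+390000000002", "SMS#05 see you tomorrow."),
]
DELETED_IDS = (2, 4)

# Every sample body starts with a marker and ends with a full stop, which gives
# the carver a recognisable start and stop (constructed for the demo).
BODY_RE = re.compile(rb"SMS#\d{2} [^.\x00]{1,80}\.")


def build_sample_db(path):
    """Create the table, then delete some rows the way an app would."""
    conn = sqlite3.connect(path)
    # secure_delete ON (the compile-time default of some distro builds) zeroes
    # freed cells and leaves nothing to carve; force it off so the run repeats.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("PRAGMA journal_mode = DELETE")
    conn.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", SAMPLE_SMS)
    conn.commit()
    # DELETE with a WHERE clause: a bare DELETE FROM sms takes SQLite's truncate
    # path and frees whole pages instead of leaving freeblocks inside the page.
    conn.executemany("DELETE FROM sms WHERE _id = ?", [(i,) for i in DELETED_IDS])
    conn.commit()
    conn.close()


def carve_sms_bodies(path):
    """Return (live, recovered): bodies SELECT still returns, and bodies that
    exist only in the raw file bytes (freeblocks / unallocated space)."""
    conn = sqlite3.connect(path)
    live = {row[0] for row in conn.execute("SELECT body FROM sms")}
    conn.close()
    with open(path, "rb") as fh:
        raw = fh.read()
    carved = {m.group(0).decode("utf-8", "replace") for m in BODY_RE.finditer(raw)}
    return live, carved - live


def demo():
    """Build the sample in a temp dir, carve it, return (live, recovered)."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_sample_db(path)
    return carve_sms_bodies(path)


if __name__ == "__main__":
    live, recovered = demo()
    print("live     :", sorted(live))
    print("recovered:", sorted(recovered))
```

Only the first four bytes of a freed cell are overwritten (SQLite writes the freeblock header there), which is why the address and body text survive intact; a later INSERT that reuses the space, a VACUUM, or an app compiled with secure_delete destroys them, so carve the database file before querying it with anything that writes.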

Page 11:

Logical Acquisition – File System directory

Page 12:

Logical Acquisition – File System directory

Page 13:

Hey man, I have a lock screen!
• Hey bro… what kind of lock screen do you have?!?

Page 14:

Hey man, I have a lock screen!
• Break the passcode!! 😎

Smudge attack! Finger grease left on the glass often shows the pattern path: photograph the screen under oblique light before anyone touches it.

Page 15:

Hey man, I have a lock screen!
• Break the passcode!! 😎

Pattern lock attack

We can delete this file!! (On Android before 6.0 the pattern lives in /data/system/gesture.key as an unsalted SHA-1 of the dot sequence, so it can also be brute-forced offline. Deleting it needs root write access to /data/system and alters the device: document the change.)

Page 16:

Hey man, I have a lock screen!
• Break the passcode!! 😎

Cracking PIN
• The PIN key is located in

/data/system/password.key

• Not easy to crack: it is a salted hash, not encrypted data, so recovery means guessing, and the chances depend on the strength of the password!!

We can delete this file!! (Same caveat: root write access is required and the evidence is modified.)
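As an added example covering both the pattern-lock and the PIN slides (my code, not the author's), here is the offline cracking side for Android 4.x/5.x. gesture.key is the unsalted SHA-1 of the dot indices (row*3+column), and password.key is the uppercase hex of SHA-1(password+salt) followed by MD5(password+salt), where the salt is the lockscreen.password_salt value (kept in /data/system/locksettings.db on 4.4 and 5.x, in the secure table of settings.db before that) rendered like Java's Long.toHexString. Both files must have been pulled from a rooted device; the sample pattern and salt below are constructed, and from Android 6.0 on these files no longer exist in this form.

```python
import hashlib

# 3x3 grid cells are numbered 0..8 row-major, as LockPatternUtils serialises
# them (byte = row * 3 + column). A stroke that passes over an unvisited middle
# cell is snapped to that cell, so (a, b) is only a legal step if MIDPOINT[(a, b)]
# was already used.
_MID = {(0, 2): 1, (3, 5): 4, (6, 8): 7, (0, 6): 3, (1, 7): 4, (2, 8): 5,
        (0, 8): 4, (2, 6): 4}
MIDPOINT = {**_MID, **{(b, a): c for (a, b), c in _MID.items()}}


def gesture_key(pattern):
    """Bytes stored in /data/system/gesture.key for a pattern (unsalted SHA-1)."""
    return hashlib.sha1(bytes(pattern)).digest()


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts (389,112 of them)."""
    def walk(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            mid = MIDPOINT.get((path[-1], nxt))
            if used[nxt] or (mid is not None and not used[mid]):
                continue
            used[nxt] = True
            path.append(nxt)
            yield from walk(path, used)
            path.pop()
            used[nxt] = False
    for start in range(9):
        used = [False] * 9
        used[start] = True
        yield from walk([start], used)


def crack_gesture_key(key):
    """Recover the pattern from gesture.key content, or None if the 20 bytes
    are not a pre-6.0 unsalted hash."""
    return next((p for p in valid_patterns() if gesture_key(p) == key), None)


def password_key(password, salt):
    """Text stored in /data/system/password.key on Android 4.0-5.x:
    HEX(SHA-1(pw+salt)) + HEX(MD5(pw+salt)), uppercase. `salt` is the signed
    64-bit lockscreen.password_salt value; Long.toHexString prints it as
    unsigned lowercase hex, which the mask reproduces."""
    salted = (password + format(salt & 0xFFFFFFFFFFFFFFFF, "x")).encode()
    return (hashlib.sha1(salted).hexdigest()
            + hashlib.md5(salted).hexdigest()).upper()


def crack_pin(key_text, salt, digits=4):
    """Try every numeric PIN of the given length against password.key."""
    target = key_text.strip()
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        if password_key(pin, salt) == target:
            return pin
    return None


if __name__ == "__main__":
    pattern = (0, 4, 8, 5)              # constructed sample, not from a device
    print(crack_gesture_key(gesture_key(pattern)))
    salt = -0x1122334455667788         # constructed sample salt (Java signed long)
    print(crack_pin(password_key("2580", salt), salt))
```

The whole pattern space hashes in about a second, which is the point of the pattern slide; for password.key the same loop over 4 digits is instant, over 6 digits still trivial, and over an alphanumeric password it is not, which is what "depends on the strength of the password" means in practice.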

Page 17:

Logical Acquisition with ADB

• This tool is awesome in a lot of cases
• For example, in a small investigation, with the simple command pull we can, obviously, pull single files or entire directories directly from the device to the examiner's computer
• App data under /data/data is readable only with root on the device; without it, pull is limited to external storage and whatever the device exposes
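An added example (my code, not the speaker's demo) of what "simple pull" looks like when it has to stand up in a report: the script drives `adb pull -a` for a list of targets, then writes a manifest with the exact command lines, return codes and a SHA-256 of every file that arrived, and can re-verify that folder later. The serial, target list and case folder name are assumptions; `run` is injectable so the flow can be exercised without a handset, and `demo()` uses a stand-in that writes a constructed file where adb would have put the pulled data.

```python
import hashlib
import json
import os
import subprocess
import tempfile
import time

# Targets for a small investigation (assumed). /sdcard needs no privileges; the
# telephony databases under /data are readable only on a rooted device.
DEFAULT_TARGETS = (
    "/sdcard/",
    "/data/data/com.android.providers.telephony/databases/",
)


def adb_pull_argv(serial, remote, local_dir):
    """adb command line for one pull: -s pins the device, -a keeps timestamps and mode."""
    return ["adb", "-s", serial, "pull", "-a", remote, local_dir]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, skip=("manifest.json",)):
    """Relative path -> SHA-256 for every file under root, in sorted order."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in skip:
                continue
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return dict(sorted(manifest.items()))


def acquire(serial, local_dir, targets=DEFAULT_TARGETS, run=subprocess.run):
    """Pull each target into local_dir, then record what arrived and its hashes."""
    os.makedirs(local_dir, exist_ok=True)
    pulls = []
    for remote in targets:
        dest = os.path.join(local_dir, remote.strip("/").replace("/", "_"))
        os.makedirs(dest, exist_ok=True)
        argv = adb_pull_argv(serial, remote, dest)
        result = run(argv, capture_output=True, text=True)
        pulls.append({"remote": remote, "argv": argv, "rc": result.returncode,
                      "stderr": result.stderr.strip()})
    manifest = {
        "serial": serial,
        "acquired_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "pulls": pulls,
        "files": hash_tree(local_dir),
    }
    with open(os.path.join(local_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(local_dir):
    """Re-hash the evidence folder and compare with the manifest written at acquisition."""
    with open(os.path.join(local_dir, "manifest.json")) as fh:
        recorded = json.load(fh)["files"]
    return recorded == hash_tree(local_dir)


def _fake_adb_pull(argv, **kwargs):
    """Stand-in for subprocess.run: writes a constructed file where adb would
    have placed the pulled directory. No device is touched."""
    remote, dest = argv[-2], argv[-1]
    target = os.path.join(dest, os.path.basename(remote.rstrip("/")))
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(target, "mmssms.db"), "wb") as fh:
        fh.write(b"constructed sample bytes, not a real database\n")
    return subprocess.CompletedProcess(argv, 0, stdout="1 file pulled\n", stderr="")


def demo():
    """Run the flow against the fake adb; returns (manifest, evidence_dir)."""
    local_dir = tempfile.mkdtemp(prefix="case-001-")   # assumed case folder name
    return acquire("emulator-5554", local_dir, run=_fake_adb_pull), local_dir


if __name__ == "__main__":
    manifest, evidence_dir = demo()
    print(json.dumps(manifest["files"], indent=2), verify_manifest(evidence_dir))
```

Against a real device replace `run=_fake_adb_pull` with the default; a non-zero `rc` with "Permission denied" in `stderr` for the /data target is the normal result on an unrooted phone and belongs in the report as such.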

Page 18:

Logical Acquisition with ADB

Page 19:

Logical Acquisition with ADB

Page 20:

Logical Acquisition with ADB
• Using ADB is possible only when USB debugging is enabled (and, from Android 4.2.2, the examiner's computer has been authorised by its RSA key on the device)
• If we don't have it, WTF do we do?!?!?

Page 21:

Logical Acquisition with ADB

Page 22:

Logical Acquisition with ADB
• When the device is in bootloader mode, the fastboot protocol can be used!
• Is the bootloader protected? (S-ON / S-OFF is HTC's security flag)
• YES = S-ON: protection active, protocol inhibited
• NO = S-OFF: protection off, protocol active

• An exploit is needed to get S-OFF

Page 23:

Physical Extraction

• Physical extraction is an exact bit-for-bit image of the electronic media
• With this extraction we can extract everything, including unallocated space and deleted files (on an encrypted partition the image is ciphertext until the key is available)
• We can perform a physical extraction simply with the Linux dd command, run as root on the device
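As an added example of that dd-based image (my code, not the speaker's demo), the script below runs `dd` as root on the device through `adb exec-out` so the raw bytes reach the examiner's machine unmangled, hashes them while writing, and compares the result with `sha256sum` run on the same block device on the phone. The serial, the block device name and the presence of `su` and `sha256sum` on the device are assumptions; `demo()` streams a constructed 3-byte "device" instead of calling adb so the hashing path runs offline.

```python
import hashlib
import io
import os
import shlex
import subprocess
import tempfile

# Whole-eMMC node on many handsets (assumed); confirm on the device first with
# `adb shell su -c "cat /proc/partitions"` because the name is vendor-specific.
DEFAULT_DEVICE = "/dev/block/mmcblk0"


def dd_over_adb_argv(serial, device=DEFAULT_DEVICE, bs="4M"):
    """adb exec-out relays the remote command's stdout as raw bytes (plain
    `adb shell` goes through a pty and may rewrite newlines); su runs dd as root."""
    return ["adb", "-s", serial, "exec-out", "su", "-c",
            f"dd if={shlex.quote(device)} bs={bs}"]


def remote_sha256_argv(serial, device=DEFAULT_DEVICE):
    """Hash the same block device on the phone to compare with the local image."""
    return ["adb", "-s", serial, "shell", "su", "-c",
            f"sha256sum {shlex.quote(device)}"]


def stream_to_image(src, dst_path, chunk=1 << 20):
    """Copy a byte stream to dst_path while hashing it. Returns (bytes, sha256 hex)."""
    h = hashlib.sha256()
    total = 0
    with open(dst_path, "wb") as out:
        for buf in iter(lambda: src.read(chunk), b""):
            out.write(buf)
            h.update(buf)
            total += len(buf)
    return total, h.hexdigest()


def parse_sha256sum(output):
    """First token of `sha256sum` output ('<hex>  /dev/block/...'), or None."""
    return output.split()[0].lower() if output.strip() else None


def image_device(serial, dst_path, device=DEFAULT_DEVICE,
                 popen=subprocess.Popen, run=subprocess.run):
    """Stream the block device into dst_path and check it against the on-device hash.
    Returns (bytes_written, local_sha256, remote_sha256, match)."""
    proc = popen(dd_over_adb_argv(serial, device), stdout=subprocess.PIPE)
    size, local = stream_to_image(proc.stdout, dst_path)
    proc.wait()
    remote_out = run(remote_sha256_argv(serial, device), capture_output=True, text=True)
    remote = parse_sha256sum(remote_out.stdout)
    return size, local, remote, (remote is not None and remote == local)


def demo():
    """Offline run: a constructed 3-byte 'device' stands in for adb and dd."""
    dst = os.path.join(tempfile.mkdtemp(), "mmcblk0.dd")
    size, digest = stream_to_image(io.BytesIO(b"abc"), dst, chunk=1)
    return size, digest, dd_over_adb_argv("emulator-5554")


if __name__ == "__main__":
    print(demo())
```

A mismatch between the local and remote hash is not automatically a transfer error: the phone is a live system and keeps writing to the same flash while dd reads it, so take the on-device hash immediately after the image and, if it still differs, image again rather than trust either copy.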

Page 24:

Physical Extraction

Page 25:

Free/Open tools

Page 26:

Free/Open tools

http://www.caine-live.net

http://www.deftlinux.net/it/

Page 27:

Free/Open tools

Page 28:

Demo!

Page 29:

Contact me: @samaritan_o

https://www.facebook.com/dikkemberg

https://it.linkedin.com/in/alessandrodicarlo92

https://keybase.io/samaritan

[email protected]@tigersecurity.pro

www.alessandrodicarlo.com (under maintenance, online on 11-04-2016)

Page 30:

Thank you!