Transcript of Every Step You Take: Application and Network Usage in Android
Jessica Hyde
June 8, 2018

Every Step You Take: Application and Network Usage in Android
SANS DFIR Summit - 2018
Jessica Hyde, Director of Forensics, Magnet Forensics; Adjunct Professor, George Mason University
Previous:
● Basis Technology
● Ernst and Young
● American Systems
● United States Marine Corps
Traditional Mobile Analysis
Focus on app analysis: artifacts first
● Web Browsers
● Chat App
● Email

Traditional Mobile Analysis
Digging for application data
● Taught in courses, e.g. FOR585
● Methodology for unsupported app data
  ○ Discover
  ○ Test
  ○ Find
  ○ Parse
  ○ Script
Why Android Application Usage Analysis?
● We do this for computer investigations!
  ○ OS artifacts
● Why don't we apply this concept to our Android applications?
● Why would it be useful?
Using Application Analysis
● Pattern of Life Analysis
● Showing a lack of a particular usage
● Supporting artifacts for sync'd data
com.android.vending
● Tracks purchases BUT
● It LIES! A library entry shows the Google account owns the item, not that it was bought or used on this handset:
  ○ Multi-user
  ○ Second device
● \data\com.android.vending\databases\library.db
Android Usagestats
● Tells you which application was in the foreground, background, etc.
● \data\system\usagestats\0\ (0 is the Android user ID; each additional user gets its own directory)
● ..\daily, \weekly, \monthly, \yearly
● .xml files named with the epoch timestamp (milliseconds) at which the period started

Android Usage History
● https://developer.android.com/reference/android/app/usage/UsageEvents.Event
  ○ User Interaction
  ○ Move to Foreground
  ○ Move to Background
  ○ Configuration Change
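The usagestats files above are small enough to read by hand, but the detail that trips people up is that nothing inside them is an absolute time: the file name is the period start in epoch milliseconds, and every time, lastTimeActive and endTime value is an offset from it (this is the pre-Android 10 XML layout; from Android 10 the same directories hold protobuf files instead). The following Python is an added example, not code from the talk: it resolves the offsets against the file name, labels event types with the UsageEvents.Event constants, and pairs foreground/background events into per-app sessions for pattern-of-life work. The sample file is constructed; its event times were chosen to line up with the recent_tasks values shown later in the deck.

```python
"""Rebuild per-app foreground sessions from a pre-Android 10 usagestats file.

Added example for this page, not code from the talk. It assumes the XML layout
Android wrote under /data/system/usagestats/<user>/{daily,weekly,monthly,yearly}/
before Android 10: the file name is the period start in epoch milliseconds and
every time/lastTimeActive/endTime value inside is an offset from that start.
The sample file below is constructed for the demo.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constants from android.app.usage.UsageEvents.Event
EVENT_TYPES = {
    1: "MOVE_TO_FOREGROUND",
    2: "MOVE_TO_BACKGROUND",
    3: "END_OF_DAY",             # written at period rollover for apps still in the foreground
    4: "CONTINUE_PREVIOUS_DAY",  # written at the start of the next period for the same apps
    5: "CONFIGURATION_CHANGE",
    7: "USER_INTERACTION",
}

# Constructed sample. File name 1525996800000 = 2018-05-11 00:00:00 UTC (a daily file).
SAMPLE_FILE_NAME = "1525996800000"
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<usagestats version="1" endTime="86399999">
  <packages>
    <package lastTimeActive="48800000" package="com.twitter.android" timeActive="564516" lastEvent="2" />
    <package lastTimeActive="50000000" package="com.android.chrome" timeActive="0" lastEvent="1" />
  </packages>
  <event-log>
    <event package="com.twitter.android" class="com.twitter.android.StartActivity" time="48235484" type="1" />
    <event package="com.twitter.android" class="com.twitter.android.StartActivity" time="48500000" type="7" />
    <event package="com.twitter.android" class="com.twitter.android.StartActivity" time="48800000" type="2" />
    <event package="com.android.chrome" class="com.google.android.apps.chrome.Main" time="50000000" type="1" />
  </event-log>
</usagestats>
"""


def to_utc(ms):
    """Epoch milliseconds -> 'YYYY-MM-DD HH:MM:SS.mmm' in UTC (the device stores UTC)."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d}"


def parse_usagestats(xml_text, file_name):
    """Return the <event-log> entries with absolute timestamps, oldest first."""
    begin_ms = int(file_name)          # the file name is the period start
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("event"):      # matches <event>, not <event-log>
        type_id = int(ev.get("type"))
        abs_ms = begin_ms + int(ev.get("time"))   # 'time' is an offset, not an epoch
        events.append({
            "timestamp_ms": abs_ms,
            "utc": to_utc(abs_ms),
            "package": ev.get("package"),
            "class": ev.get("class"),
            "type_id": type_id,
            "type": EVENT_TYPES.get(type_id, f"UNKNOWN_{type_id}"),
        })
    events.sort(key=lambda e: e["timestamp_ms"])
    return events


def package_summary(xml_text, file_name):
    """Per-package totals from <packages>, with lastTimeActive made absolute.
    Useful as a cross-check against what the event log reconstructs."""
    begin_ms = int(file_name)
    root = ET.fromstring(xml_text)
    return {
        p.get("package"): {
            "last_active_ms": begin_ms + int(p.get("lastTimeActive")),
            "time_active_ms": int(p.get("timeActive")),
        }
        for p in root.iter("package")
    }


def foreground_sessions(events):
    """Pair each foreground event with the next background event for the same package.

    A session still open at the end of the file is reported with end_ms=None: the
    period rolled over (look for CONTINUE_PREVIOUS_DAY in the next file), the
    device powered off, or the file is truncated.
    """
    open_since, sessions = {}, []
    for e in events:
        pkg = e["package"]
        if e["type_id"] in (1, 4):                 # foreground, or carried over from last period
            open_since.setdefault(pkg, e["timestamp_ms"])
        elif e["type_id"] in (2, 3) and pkg in open_since:   # background, or end of period
            start = open_since.pop(pkg)
            sessions.append({"package": pkg, "start_ms": start, "end_ms": e["timestamp_ms"],
                             "duration_s": (e["timestamp_ms"] - start) / 1000})
    for pkg, start in open_since.items():
        sessions.append({"package": pkg, "start_ms": start, "end_ms": None, "duration_s": None})
    sessions.sort(key=lambda s: s["start_ms"])
    return sessions


if __name__ == "__main__":
    for s in foreground_sessions(parse_usagestats(SAMPLE_XML, SAMPLE_FILE_NAME)):
        end = to_utc(s["end_ms"]) if s["end_ms"] else "(still open at end of file)"
        print(f'{s["package"]:24} {to_utc(s["start_ms"])} -> {end}')
```

On a real extraction call parse_usagestats(open(path).read(), os.path.basename(path)) for each daily file; a session left open at the end of one file is normally continued by a CONTINUE_PREVIOUS_DAY event in the next, so check there before reading it as a crash or power-off.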
Battery Status
● Monitors battery usage
● \system\batterystats-daily.xml
● \data\data\com.google.android.gms\shared_prefs\Batterystats.xml
● Think of this as SRUM for Android

BatterystatsDumpsysTask
● \data\data\com.google.android.gms\files\BatterystatsDumpsysTask.gz
Recent Images
● \system_ce\0\recent_images

Recent Tasks
● \system_ce\0\recent_tasks
● task_id = 244
● effective_uid = 10103
● first active time = 1526045035484 (May 11, 2018 1:23:55.484 PM UTC)
● last active time = 1526045600000 (May 11, 2018 1:33:20 PM UTC)
● last time moved = 1526045563392 (May 11, 2018 1:32:43.392 PM UTC)
Snapshots
● \system_ce\0\shortcut_service\ snapshots
3rd Party
● com.cleanmaster.security
  ○ On lots of devices
  ○ Logs battery usage
  ○ Logs application usage

Cheetah Mobile Apps
● media\0\Android\data\com.cleanmaster.security\files\logs\
● media\0\Android\data\com.cleanmaster.security\files\logs\AppLockLog
● media\0\Android\data\com.cleanmaster.security\files\logs\PerfMetricsReport
Google Cloud Activity
● Takeout
  ○ Download "My Activity" from https://takeout.google.com/u/1/settings/takeout with credentials
Putting it all together

Artifact            | Task ID | Effective UID | App                 | Event                            | UNIX Timestamp | Time/Date
com.android.vending |         |               | com.twitter.android | Purchase                         | 1524064586032  | 4/18/18 3:16 PM
uid stats           |         | 10103         | com.twitter.android | UID Stats Twitter Cell           | 1526040000     | 5/11/18 12:00 PM
recent tasks        | 244     | 10103         | com.twitter.android | first active time                | 1526045035484  | 5/11/18 1:23 PM
snapshots           | 244     |               | Twitter             | jpg of @CollinRusty twitter page |                | 5/11/18 1:25 PM
snapshots           | 244     |               | Twitter             | reduced .jpg of @CollinRusty     |                | 5/11/18 1:25 PM
recent tasks        | 244     | 10103         | com.twitter.android | last time moved                  | 1526045563392  | 5/11/18 1:32 PM
snapshots           | 244     |               | Twitter             | .proto file                      |                | 5/11/18 1:32 PM
recent tasks        | 244     | 10103         | com.twitter.android | last active time                 | 1526045600000  | 5/11/18 1:33 PM
uid netstats        |         | 10103         | com.twitter.android | UID Stats Twitter Cell           | 1526040000     | 5/11/18 2:00 PM
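Correlating the rows in this table is mostly a join on effective UID and task ID, and the UID is the piece that needs a lookup: recent_tasks records it, and packages.xml maps it back to a package name. The following Python is an added example, not code from the talk. It parses one <task_id>_task.xml record using the attribute names AOSP's TaskPersister writes (task_id, user_id, effective_uid, real_activity, first_active_time, last_active_time, last_time_moved), resolves the UID through the userId attribute of <package> entries in /data/system/packages.xml, and merges the result with rows from other artifacts into one sorted timeline, propagating the package to rows (such as a snapshot file) that carry only a task ID. Both XML samples and the other-artifact rows are constructed to match the values in the table.

```python
"""Parse a recent_tasks record, resolve its UID to a package, and merge it into a
cross-artifact timeline like the table above.

Added example for this page, not code from the talk. Task attribute names follow
the XML AOSP's TaskPersister writes to /data/system_ce/<user>/recent_tasks/<task_id>_task.xml;
the UID lookup assumes the userId attribute on <package> in /data/system/packages.xml.
Both sample files and OTHER_ARTIFACT_ROWS are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMPLE_TASK_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<task task_id="244" real_activity="com.twitter.android/com.twitter.app.main.MainActivity"
      user_id="0" effective_uid="10103"
      first_active_time="1526045035484" last_active_time="1526045600000"
      last_time_moved="1526045563392">
  <intent action="android.intent.action.MAIN"
          component="com.twitter.android/com.twitter.app.main.MainActivity" flags="10200000">
    <categories category="android.intent.category.LAUNCHER" />
  </intent>
</task>
"""

SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.twitter.android" codePath="/data/app/com.twitter.android-1" userId="10103" />
  <package name="com.android.chrome" codePath="/data/app/com.android.chrome-1" userId="10071" />
</packages>
"""

# Constructed rows from two other artifacts in the table: the vending library.db
# purchase and the snapshot file for task 244 (known only by task id and mtime).
OTHER_ARTIFACT_ROWS = [
    {"timestamp_ms": 1524064586032, "artifact": "com.android.vending/library.db",
     "task_id": None, "uid": None, "package": "com.twitter.android", "event": "purchase"},
    {"timestamp_ms": 1526045100000, "artifact": "snapshots/244.jpg",
     "task_id": 244, "uid": None, "package": None, "event": "file modified"},
]

TASK_TIME_ATTRS = ("first_active_time", "last_time_moved", "last_active_time")


def to_utc(ms):
    """Epoch milliseconds -> 'YYYY-MM-DD HH:MM:SS.mmm' in UTC."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d}"


def load_uid_map(packages_xml):
    """Map app UID -> package name. Apps in a sharedUserId group share one UID,
    so a UID can legitimately belong to several packages; the first one wins here."""
    root = ET.fromstring(packages_xml)
    uid_map = {}
    for p in root.iter("package"):
        uid = p.get("userId") or p.get("sharedUserId")
        if uid is not None:
            uid_map.setdefault(int(uid), p.get("name"))
    return uid_map


def parse_recent_task(task_xml):
    """Pull the identifying fields and the three timestamps out of one task record."""
    root = ET.fromstring(task_xml)
    if root.tag != "task":
        raise ValueError(f"not a recent_tasks record: <{root.tag}>")
    task = {
        "task_id": int(root.get("task_id")),
        # Android user id: a multi-user device has one recent_tasks dir per user under system_ce/<user>
        "user_id": int(root.get("user_id", "0")),
        "effective_uid": int(root.get("effective_uid")),
        "real_activity": root.get("real_activity"),
    }
    for attr in TASK_TIME_ATTRS:
        task[attr] = int(root.get(attr))        # already absolute epoch milliseconds
    return task


def task_rows(task, uid_map):
    """One timeline row per timestamp, with the UID resolved to a package."""
    pkg = uid_map.get(task["effective_uid"])
    if pkg is None and task["real_activity"]:
        pkg = task["real_activity"].split("/", 1)[0]   # fall back to the component's package
    return [{"timestamp_ms": task[attr], "artifact": "recent_tasks", "task_id": task["task_id"],
             "uid": task["effective_uid"], "package": pkg, "event": attr} for attr in TASK_TIME_ATTRS]


def merge_timeline(*row_lists):
    """Flatten rows from any number of artifacts, add a UTC string, sort by time."""
    rows = [dict(r, utc=to_utc(r["timestamp_ms"])) for lst in row_lists for r in lst]
    rows.sort(key=lambda r: r["timestamp_ms"])
    return rows


def fill_joins(rows):
    """Propagate package and UID to rows that share a task_id with a resolved row,
    so a snapshot file named only by task id inherits the app recent_tasks names."""
    by_task = {r["task_id"]: r for r in rows if r["task_id"] is not None and r["package"]}
    for r in rows:
        if r["package"] is None and r["task_id"] in by_task:
            r["package"] = by_task[r["task_id"]]["package"]
            r["uid"] = by_task[r["task_id"]]["uid"]
    return rows


if __name__ == "__main__":
    task = parse_recent_task(SAMPLE_TASK_XML)
    timeline = fill_joins(merge_timeline(task_rows(task, load_uid_map(SAMPLE_PACKAGES_XML)),
                                         OTHER_ARTIFACT_ROWS))
    for r in timeline:
        print(f'{r["utc"]}  {r["artifact"]:32} task={r["task_id"]} uid={r["uid"]} {r["package"]}  {r["event"]}')
```

The join on task_id is what ties the snapshot files to an app, and the join on UID is what ties netstats and batterystats buckets to it; neither artifact names the package itself, which is why packages.xml from the same extraction (and the same Android user) has to be in the case file.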
Fitbit
• Founded in 2007
• Headquartered in San Francisco, California, USA
• On December 7, 2016, Fitbit officially announced that they acquired assets from Pebble
• January 2017: Fitbit acquired Romania-based smartwatch startup Vector Watch SRL
• June 2011: Fitbit criticized for its website's default activity-sharing settings, which made users' manually-entered physical activities available for public viewing
• Some users were including details about their sex lives in their daily exercise logs, and this information was, by default, publicly available
• Fitbit as evidence in investigations:
  • "Woman's fitness watch disproved rape report"
    • http://abc27.com/2015/06/19/police-womans-fitness-watch-disproved-rape-report/
    • http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/
  • "When Fitbit Is the Expert Witness" (personal trainer – civil case)
    • https://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/
    • http://theconversation.com/how-your-fitbit-data-can-and-will-be-used-against-you-in-a-court-of-law-34580
• Fitbit as evidence in investigations:
  • "Big Brother was definitely watching as George Burch killed Nicole VanderHeyden"
    • https://www.greenbaypressgazette.com/story/news/2018/03/04/big-brother-phone-george-burch-nicole-vanderheyden-murder-trial-gps-fitbit-snapshot-google/390236002/
Profiles
Fitbit – Profiles
How this could help
• Name associated to User ID
• Personal info / profile pic
• Stride length could come in handy depending on your case
Caveats
• Stride length calculated by using your gender and height (user entered)
• Can be adjusted
• https://help.fitbit.com/articles/en_US/Help_article/1135
Steps
Fitbit – Steps
How this could help
• Great evidence to show a person's level of activity, time of activity, and amount at a particular time
• Ties back to the false rape case
• Presence/lack of movement during a crime
Floors Climbed
Fitbit – Floors Climbed
How this could help
• Indicates overall activity for the day
• Can show a trend of activity over a number of days
Heart Rate
Fitbit – Heart Rate
How this could help
• Great indicator of the user's physical exertion at points in time (5 min segments)
• Can especially help if graphed over time
• Why was there a spike at a specific time? (e.g. time crime committed)
Sleep
Fitbit – Sleep
How this could help
• Another very helpful indicator
• Remember the false rape case mentioned earlier
• Place someone at specific times
• Some questions around time awake/time asleep numbers