Phoning it in: Heather talks about Smartphone Forensics
Heather Mahalik
Copyright @2017 Heather Mahalik, All Rights Reserved
About me…
• Director, Forensic Eng. at ManTech CARD
• SANS Senior Instructor
• Involved with InfoSec/Forensics for 15+ years
• Co-author of FOR585
• Instructor of FOR585 and FOR408
• Co-Author of Practical Mobile Forensics (1st and 2nd Editions)
• Mom and a wife
• Dog, horse, wine and bourbon lover
Agenda
• What is possible in smartphone forensics?
• Encryption and locks – are they a showstopper?
• Tools – can you trust them?
• Validation of tools and artifacts
• FOR585, GASF, blogs and more
What's happening in smartphone security
• Full disk encryption readily available
– More people are using it
– Some devices require it
– Hurts acquisition?
• Passwords encouraged
• Application security
• MDM
What does this mean?
• The state of every mobile device may vary
• You need to be prepared for all situations
• You will need more than one tool
• You will need the skills to manually carve for forensic artifacts
• You may be 100% blocked from the data
What should you do about it
• Consider the issue
– Encryption, locks, lack of parsing support…
• Consider tools available to you
– Commercial, open source and scripts
• Determine an action plan
• Make sure your actions do not destroy your evidence!!!
Full Disk Encryption
• iOS
– Hardware level encryption stored between the flash memory and the system area in "Effaceable Storage"
• Android Lollipop/Marshmallow/Nougat
– Offered for most devices
• Windows Phone 8/10
– Incorporates BitLocker Technology
• BlackBerry/BlackBerry OS 10
– Hardware level encryption
– Trusted as most secure*
User locks
• Most smartphones are often locked
• PIN or simple passcode
• Passphrase or complex passcode
• Biometric locks
Application "Protection"
Encoding Schemes
• ASCII
• Unicode
• UTF-8
• Base64
Encryption Algorithms
• AES
• Blowfish
• Twofish
• Serpent
Transforming/converting data into code
Full Disk Encryption
• Can you disable it?
• Can your tool bypass it or interject prior to booting?
• Can you bypass it after the fact?
• Consider the other components
User locks
• Try to crack that $@!%
• Consider tools to help you
• Using "Smart Locks"
What about the Lockdown Files?
• Can be used to bypass a locked device for acquisition
• May not always work, but it's worth a shot
Application Encryption
• Use a tool to view the file system
• Export application files of interest
• Manually carve for user artifacts that are not parsed
Example: CyberDust (1)
• Older versions claim to remove all user data upon transmission/receipt
– Never trust claims or your tool
– Review App files for user activity
Example: CyberDust (2)
• Messages are encoded twice using Base64
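The two slides above make one point that deserves working code: Base64 is encoding, not encryption, and an app that layers it twice has hidden nothing from an examiner who peels it by hand. The block below is an added example written for this page; it is not the author's code and contains no real CyberDust data. The message strings, the double encoding and the pseudo-random "ciphertext" sample are all constructed in-line, and the thresholds in the accept and entropy checks are this example's own heuristics. It peels Base64 layers until the payload stops decoding, refuses a decode step that would turn short plaintext into garbage (the classic false positive: "test" is valid Base64), and then reports whether what remains is text, opaque binary, or high-entropy data that is probably encrypted or compressed, which is the signal that decoding alone will not get you further.

```python
"""Peel nested Base64 layers off app message blobs and say what is left.

Added example for this page. All sample data is constructed here; none of
it is real CyberDust traffic. Thresholds are heuristics chosen for the demo.
"""
import base64
import binascii
import hashlib
import math
import re

# Strict Base64 alphabet with optional trailing padding.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed bytes, ~4-5 for prose."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_text(data: bytes) -> bool:
    """True when the bytes decode as UTF-8 and every character is printable."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def try_b64(data: bytes):
    """Decoded bytes if `data` is well-formed Base64, otherwise None."""
    stripped = data.strip()
    if len(stripped) < 4 or len(stripped) % 4 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(blob: bytes, max_layers: int = 8):
    """Strip Base64 layers while each step yields something plausible.

    A decode step is accepted only if its output is printable text, is itself
    Base64 again, or is long enough (>= 16 bytes) to judge by entropy. That
    rejects accidental matches such as b"test" decoding to three junk bytes.
    Returns (layers_removed, payload, verdict) with verdict one of
    "text", "binary" or "high-entropy".
    """
    layers, current = 0, blob
    while layers < max_layers:
        decoded = try_b64(current)
        if decoded is None:
            break
        if not (is_text(decoded) or try_b64(decoded) is not None or len(decoded) >= 16):
            break  # spurious match: keep the previous layer
        current, layers = decoded, layers + 1
    if is_text(current):
        verdict = "text"
    elif len(current) >= 256 and shannon_entropy(current) > 7.0:
        verdict = "high-entropy"  # likely encrypted or compressed, not encoded
    else:
        verdict = "binary"
    return layers, current, verdict


def double_encode(text: str) -> bytes:
    """Mimic the slide's observation: Base64 applied twice to a message."""
    return base64.b64encode(base64.b64encode(text.encode("utf-8")))


# Constructed samples (labelled as such): not recovered from any device.
PSEUDO_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLES = {
    "double": double_encode("meet at the usual place, 6pm"),
    "single": base64.b64encode(b"single layer message"),
    "plain": b"test",  # short plaintext that happens to be valid Base64
    "cipher": base64.b64encode(PSEUDO_CIPHERTEXT),  # stands in for encrypted data
}


def classify_samples():
    """Run every sample through peel(); used as the demo's entry point."""
    return {name: peel(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, (layers, payload, verdict) in classify_samples().items():
        shown = payload if verdict == "text" else payload[:16].hex() + "..."
        print(f"{name:7s} layers={layers} verdict={verdict:12s} {shown}")
```

When a tool shows you a blob it could not parse, run it through something like `peel()` before concluding the app encrypts its data: "text" after two layers is the CyberDust case on the slide, while "high-entropy" after one layer tells you the app really does encrypt and the key, not the encoding, is what you need to understand next.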
Have you exhausted all options?
Think outside the box… or "inside" the box and cloud
Consider the backup files
• Do you have access to the host computer?
– Assuming the user has synced with iTunes
– Use a tool like Elcomsoft to crack the password
• Use the pairing record to access the device
– The pairing record is a unique key associated to the iOS device
– Pairing records are required for communication with the device since iOS 7
• Will not work on a freshly restarted device
• Limited data may be recovered
Will your tool catch you when you fall?
• Will you be able to defend the evidence?
• Can you find the data?
• What if the tools contradict one another?
• Understand the artifacts
• Don't know just enough to be dangerous
Why the tools fail…
• There is so much data
• Too many applications
• OS updates
• Knowing where to find this information is the hardest part
• Knowing how the artifact was created is key!
Example 1: Call Logs (1)
[Screenshots: Magnet IEF and UFED Physical Analyzer output]
Call Logs:
– Library/CallHistory/call_history.db
– Library/CallHistory/callhistory.storedata (iOS 8, 9 & 10)
Example 2: Apple Maps
[Screenshots: iOS 8, 9 & 10*; iOS 7]
Apple Maps:
– Library/Maps/History.mapsdata
– Library/Maps/GeoHistory.mapsdata (iOS 8, 9 & 10?)
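Both examples above turn on the same habit: know the path of the artifact, open the container yourself, and compare what is inside with what the tool reported. The block below is an added example for this page, not the author's or any vendor's code. Only the relative artifact paths come from the slides; the export directory, the `triage()` and `build_sample_export()` helpers, the sniffing by magic bytes and the toy `call` table schema are this example's own (the toy schema is deliberately not the real iOS schema, it exists only so the demo runs offline). It walks a file-system export for the listed paths, identifies each container by its header rather than its extension, and for SQLite files lists every table with its row count so that a table a tool silently skipped stands out.

```python
"""Locate known artifact containers in a file-system export and identify
their on-disk format before trusting any tool's parse of them.

Added example for this page. The relative paths are the ones named on the
slides; everything else (export layout, sample data, schema) is constructed.
"""
import os
import sqlite3
import tempfile

# Artifact paths from the slides, keyed by the artifact they hold.
KNOWN_ARTIFACTS = {
    "Call Logs": [
        "Library/CallHistory/call_history.db",
        "Library/CallHistory/callhistory.storedata",
    ],
    "Apple Maps": [
        "Library/Maps/History.mapsdata",
        "Library/Maps/GeoHistory.mapsdata",
    ],
}

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte SQLite 3 file header
BPLIST_MAGIC = b"bplist00"             # Apple binary property list header


def container_type(path: str) -> str:
    """Sniff the container by magic bytes, never by file extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC):
        return "bplist"
    return "unknown"


def sqlite_summary(path: str) -> dict:
    """Table names with row counts, read-only so the evidence is untouched."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        conn.close()


def triage(export_root: str) -> dict:
    """Report each known path: present, what container, what is inside."""
    report = {}
    for artifact, rel_paths in KNOWN_ARTIFACTS.items():
        for rel in rel_paths:
            full = os.path.join(export_root, *rel.split("/"))
            if not os.path.isfile(full):
                report[rel] = {"artifact": artifact, "present": False}
                continue
            entry = {"artifact": artifact, "present": True,
                     "type": container_type(full), "size": os.path.getsize(full)}
            if entry["type"] == "sqlite":
                entry["tables"] = sqlite_summary(full)
            report[rel] = entry
    return report


def build_sample_export() -> str:
    """Constructed export: a toy call_history.db with a HYPOTHETICAL schema
    (not the real iOS one) plus a header-only .mapsdata placeholder."""
    root = tempfile.mkdtemp(prefix="fs_export_")
    call_dir = os.path.join(root, "Library", "CallHistory")
    os.makedirs(call_dir)
    conn = sqlite3.connect(os.path.join(call_dir, "call_history.db"))
    conn.execute("CREATE TABLE call (address TEXT, date INTEGER, duration INTEGER)")
    conn.executemany("INSERT INTO call VALUES (?, ?, ?)",
                     [("+15555550100", 500000000, 42),
                      ("+15555550101", 500000600, 0)])
    conn.commit()
    conn.close()
    maps_dir = os.path.join(root, "Library", "Maps")
    os.makedirs(maps_dir)
    with open(os.path.join(maps_dir, "History.mapsdata"), "wb") as fh:
        fh.write(BPLIST_MAGIC + b"\x00" * 24)  # header only, stands in for the real file
    return root


if __name__ == "__main__":
    for rel, entry in triage(build_sample_export()).items():
        print(rel, entry)
```

Point `triage()` at a real export root and diff the table/row-count map against your tool's call-log and location output; a table with rows that the tool never mentions is exactly the "data missed" the next slides warn about. The `.mapsdata` files show the other half of the habit: the sniffer tells you it is a binary plist, so the next step is a plist parser, not a SQLite browser.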
Why data is missed (1)
• Social media geo-tagging
– Facebook
– Google+
– Twitter
– Etc.
• Consider what traces are left behind when the user "checks-in" and tags a location
Why data is missed (2)
• Digging deeper into the apps
– What are they really doing?
Recommended Steps
• Use tools for Triage
– Which tool – well, it depends…
• Use more than one tool
– Acquisition
– Analysis
• Don't be afraid to do it yourself!
• Always verify your results
Essential skill development
• Learn how data is stored on Android and iOS devices
• Learn how to identify traces of OS upgrades
• Learn decoding and manual examination techniques
• Find ways to outsmart your tools
• Take FOR585 to make sure you build the necessary skills to effectively examine the next smartphone you see (and you will see one…)
About 585…
• Course launched in 2014
• GASF Cert – Vendor neutral, available to everyone
• Co-authored with Lee Crognale and Cindy Murphy
• Addresses the hardest to tackle topics
• Covers iOS, BlackBerry, Android, Windows Phone, Knock-off, Nokia, 3rd Party Apps, Malware, SQLite examinations and more
• Includes 17 hands-on labs of current smart devices
• Is vendor NEUTRAL – We teach you the best methods
Upcoming Courses
FOR585 Advanced Smartphone Forensics Course Available At:
• Austin, TX – June 2017*
• SANSFIRE: Washington, DC – July 2017*
• Chicago – August 2017
• San Fran – Sept 2017
• NetSec: Las Vegas – Sept 2017*
• Berlin – Oct 2017*
• Sydney – Nov 2017
• CDI: Washington, DC – Dec 2017*
• OnDemand – Anytime you want!
*FOR585 – vLive – Learn in your PJs with a beer this summer!
GIAC GASF Certification
• All students who attend qualify for discounted, free or bundle-pricing
• Vendor-neutral
• Proves you know how to stand behind the artifacts!
• Take FOR585 now and join forces with those who earned this sought after cert
Bottom line…
• Jokingly: There are more people in the world with a smartphone than those who have access to a toilet!
• Seriously: Most investigations involve a smartphone
– Will you know where to find the data?
– Will you need to rely on your tools?
– Do you have a cert to back you?
References, Sources and Suggested Reading
• FOR585 Advanced Smartphone Forensics
• Practical Mobile Forensics, 2nd edition
• Learning iOS Forensics, 2nd edition
• http://smarterforensics.com
• https://andriller.com/
• https://sandersonforensics.com
• http://az4n6.blogspot.com/p/downloads.html
• http://cheeky4n6monkey.blogspot.com/
• www.mac4n6.com
QUESTIONS?
[email protected]
@HeatherMahalik
Blog: for585.com/blog