STATE-OF-ART OF MOBILE FORENSICS
YURY CHEMERKIN
SOUTH EAST EUROPEAN REGIONAL FORUM ON CYBERSECURITY AND CYBERCRIME 2012
FORENSICS ACQUISITION METHODS

Methodology
  Methods:
  - Physical acquisition: a bit-by-bit copy of an entire physical store.
  - Logical acquisition: a bit-by-bit copy of logical storage objects (files and directories as the file system presents them).
  - Manual acquisition: using the device UI and capturing pictures of the data from the screen.
  Data types: all available types (address book, messages, geo data, files, passwords, etc.).

Reality
  Methods:
  - Commercial forensic software tools manage a full copy of the device data.
  - A backup is a full copy of the device produced by native/vendor tools or APIs.
  - Screenshot extraction is easy to implement and gentler on a run-down battery than photo/video capture via the camera.
  Data types:
  - Unknown types are missed through ignorance.
  - Saved messages and IMs.
  - Data consolidated into single SQL DB files reduces the need for raw acquisition.
NETWORK AND OTA ISOLATION

Tradition
  Goal: prevent any change to the device, including malware triggers.
  Solution: airplane mode, a Faraday cage or similar.
  Some live cases prevent sync.

Last century
  Complexity factor:
  - Handy BlackBerry GUI (a couple of clicks).
  - Overloaded Android GUI (via Menu -> Settings...).
  - Android hotkeys depend on the vendor.
"PUSH" TECHNOLOGY

Difference by implementation (protocol) and by realization (user experience):
- BlackBerry smartphone: proprietary push + Exchange. True push while online; data that arrived while offline is retrieved quickly on reconnect.
- BlackBerry tablet: IMAP4, POP3 + Exchange ActiveSync. Interrupted by standby and network changes, prompts for the password, and loses data from folders other than Inbox/Sent that arrived while offline.
- Android: Google Sync, IDLE (IMAP push), IMAP4, POP3 + Exchange ActiveSync. Interrupted by standby and network changes, prompts for the password, and loses data from folders other than Inbox/Sent that arrived while offline.
PASSWORD PROTECTION
Access by design, despite the security improvements

BlackBerry
- Passwords of ASCII printable characters: not accessible.
- Custom cases: wallets, device password (Elcomsoft).
Android
- Pattern lock: needs root access.
- PIN: needs root access.
- Password of ASCII printable characters: needs root access.
PASSWORD EXTRACTION AND BYPASSING

Dead forensics solutions
- Elcomsoft solution for BlackBerry: backup data, wallet, device password.
- Pattern and password lock via root file access (Android): gesture.key, password.key.
- Touch the screen to keep the password lock from engaging.
Live forensics solutions
- Prevent screen locking through the APIs (Android).
- Enlarged key-press preview captured via screenshot (almost all platforms; a settings option).
- Delay before a typed character is hidden behind an asterisk (almost all platforms; a settings option).
- Desktop synchronization (BlackBerry).
- Fake window to mislead the user (all platforms).
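The "pattern lock via root file access" point above works because of how the file is laid out. The following is an added example, not code from the presentation: it assumes the 2012-era Android lock implementation, where /data/system/gesture.key holds the raw 20-byte SHA-1 of the drawn cells (one byte per cell, indices 0..8 row-major), and it recovers the pattern by enumerating every drawable pattern. The pattern used to build the sample file is constructed here.

```python
"""Recover an Android 3x3 pattern lock from the contents of gesture.key.

Added example for the talk's 'pattern lock via root file access' point; not
code from the presentation. Assumption: pre-Android-6 layout, gesture.key is
the raw SHA-1 digest (20 bytes) of the cell indices 0..8 as bytes.
"""
import hashlib
from typing import Dict, List, Optional, Set


def _midpoint(a: int, b: int) -> Optional[int]:
    """Cell lying exactly between a and b on the 3x3 grid, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def is_valid_pattern(pattern: List[int]) -> bool:
    """True if the UI could record this pattern: 4..9 distinct cells, and a
    stroke may only jump over a cell that has already been visited."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(not 0 <= c <= 8 for c in pattern):
        return False
    seen: Set[int] = set()
    for prev, cur in zip(pattern, pattern[1:]):
        seen.add(prev)
        mid = _midpoint(prev, cur)
        if mid is not None and mid not in seen:
            return False
    return True


def gesture_key_bytes(pattern: List[int]) -> bytes:
    """Encode a pattern the way gesture.key stores it (raw SHA-1 of the cell bytes)."""
    return hashlib.sha1(bytes(pattern)).digest()


def build_pattern_table() -> Dict[bytes, List[int]]:
    """Precompute digest -> pattern for every valid pattern (389,112 entries)."""
    table: Dict[bytes, List[int]] = {}

    def walk(path: List[int], seen: Set[int]) -> None:
        if len(path) >= 4:
            table[gesture_key_bytes(path)] = list(path)
        if len(path) == 9:
            return
        for nxt in range(9):
            if nxt in seen:
                continue
            mid = _midpoint(path[-1], nxt)
            if mid is not None and mid not in seen:
                continue  # would pass over an unvisited cell: UI inserts it instead
            path.append(nxt)
            seen.add(nxt)
            walk(path, seen)
            path.pop()
            seen.discard(nxt)

    for start in range(9):
        walk([start], {start})
    return table


def crack_gesture_key(data: bytes, table: Dict[bytes, List[int]]) -> Optional[List[int]]:
    """Look up the digest read from gesture.key; None if no drawable pattern matches."""
    if len(data) != 20:
        raise ValueError("gesture.key must be exactly 20 bytes (a raw SHA-1 digest)")
    return table.get(data)


if __name__ == "__main__":
    # Constructed sample: a 'Z' shaped pattern, stored as its digest like the real file.
    sample_file = gesture_key_bytes([0, 1, 2, 4, 6, 7, 8])
    tbl = build_pattern_table()
    print(len(tbl), "drawable patterns")
    print("recovered:", crack_gesture_key(sample_file, tbl))
```

The table is built once (a second or two in CPython) and then any gesture.key pulled from a rooted device is a dictionary lookup; the point for an examiner is that the unsalted hash over a key space of under 400k patterns makes "root file access" equivalent to knowing the pattern.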
PASSWORD EXTRACTION AND BYPASSING (continued)
CLASSIC FORENSICS
Dealing with expiration

Goal: gather logs, dumps, backups and other data.
Solution: SDK tools or similar.
Data:
- Logs incl. Wi-Fi, dumps, executable modules, screenshots, device info (BlackBerry).
- Special logging mechanism incl. events, credentials, failures (Android).
Backup:
- Granulated data + wallet (BlackBerry smartphone).
- App data, media, settings (BlackBerry tablet).
- Third-party solutions despite the native backup APIs (Android).

Device and network log example:

  DEVICE INFORMATION
  Physical address: E8:XX:XX:XX:XX:XX
  Device OS: BlackBerry PlayBook OS
  Device PIN: 500XXXXX | OS version: 2.0.1.668
  IP address: 192.168.1.31 | Subnet mask: 255.255.255.0
  Default gateway: 192.168.1.1
  Primary DNS: 192.168.1.1 | Proxy IP/port:
  WI-FI INFORMATION
  Status: connected | Security type: WPA2 Personal
  Profile name: XXXX | SSID: XXXX
  Signal level: -41 dBm | Type: 802.11g/n
  Connection data rate: 65 Mbps
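The device-and-network dump above is a flat text export, so a parser is the first thing an examiner needs before the values can be correlated with anything else. This is an added example, not code from the presentation; the input is the slide's own (masked) sample, and the assumed layout is what the slide shows: header lines without a colon start a section, fields are "Key: value", and several fields can share a line separated by " | ".

```python
"""Parse the key/value device-and-network dump into a dict and sanity-check it.

Added example, not from the presentation. Input format assumed from the slide:
section headers have no colon; fields are 'Key: value'; ' | ' joins fields on
one line. The sample text is the slide's own, with the masked values kept.
"""
import ipaddress
import re
from typing import Dict

SAMPLE_DUMP = """\
DEVICE INFORMATION
Physical address: E8:XX:XX:XX:XX:XX
Device OS: BlackBerry PlayBook OS
Device PIN: 500XXXXX | OS version: 2.0.1.668
IP address: 192.168.1.31 | Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
Primary DNS: 192.168.1.1 | Proxy IP/port:
WI-FI INFORMATION
Status: connected | Security type: WPA2 Personal
Profile name: XXXX | SSID: XXXX
Signal level: -41 dBm | Type: 802.11g/n
Connection data rate: 65 Mbps
"""


def parse_device_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {SECTION: {lower-case key: value}}; empty values (no proxy) stay ''."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "GENERAL"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            current = line.upper()
            sections.setdefault(current, {})
            continue
        for field in line.split(" | "):
            # partition on the first colon only: MAC addresses contain colons too
            key, _, value = field.partition(":")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def signal_dbm(info: Dict[str, Dict[str, str]]) -> int:
    """Numeric Wi-Fi signal level, e.g. '-41 dBm' -> -41."""
    m = re.match(r"(-?\d+)\s*dBm", info["WI-FI INFORMATION"]["signal level"])
    if not m:
        raise ValueError("signal level is not in dBm")
    return int(m.group(1))


def network_checks(info: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Consistency checks an examiner would want before trusting the export."""
    dev = info["DEVICE INFORMATION"]
    net = ipaddress.ip_network(f"{dev['ip address']}/{dev['subnet mask']}", strict=False)
    gateway = ipaddress.ip_address(dev["default gateway"])
    dns = ipaddress.ip_address(dev["primary dns"])
    return {
        "gateway_in_subnet": gateway in net,
        "dns_is_gateway": dns == gateway,          # typical home router setup
        "proxy_configured": bool(dev.get("proxy ip/port", "")),
        "mac_masked": "X" in dev["physical address"],  # redacted export, not a real OUI
    }


if __name__ == "__main__":
    parsed = parse_device_dump(SAMPLE_DUMP)
    print(parsed["DEVICE INFORMATION"]["os version"], signal_dbm(parsed), "dBm")
    print(network_checks(parsed))
```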
CLASSIC FORENSICS
Any delay leaves us far behind

EXIF data:
- Camera make: RIM / BlackBerry / Android / HTC.
- Camera model: the device model.
- Other EXIF data: exposure, aperture (diaphragm opening), flash, EXIF version.
- Geo data.
Media file names:
- Photos: IMG20120103-XXXX; geo tag as a city name, e.g. "Moskva".
- Voice notes: VN-20120319-XXXX.amr / .m4a, where "20120319" is the date in YYYYMMDD format.
- Video: VID-YYYYMMDD-XXXXXX.3gp / .mp4.
LIVE FORENSICS
Device life cycle is more than its software

Private data: through the API only
- BlackBerry contact: emails, call and recent history, links to social networks, etc.
- Android contact: SQL DB per vCard, FB, Twitter...
Media data: through the API, SD card
- Voice notes, screenshots, cameras, SQL DB...
- EXIF; the file name often carries EXIF-like and geo data.
Messages and IM chats: API, SD card
- IMs are not encrypted (BlackBerry / all).
- Record layout: | sender id | recipient id | date | data

Covers dead cases in real time
- Stored in shared folders instead of the sandbox (BlackBerry).
- Message data, incl. MMS media, stored in an SQL DB under the "/data/data" path: /com.android.providers.telephony.
- /com.facebook/fb.db
- Clipboard:
  - passwords end up there;
  - the wallet does not protect a copied password;
  - getClipboard(), getData(), getText().
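The two slides above each name a dated source: media file names whose names embed the capture date (IMG/VN/VID), and message stores laid out as | sender id | recipient id | date | data. The following is an added example, not code from the presentation, that merges both into one timeline. The file names and the SQLite table are constructed here for illustration; the real telephony database schema is not reproduced, only the slide's four-column layout, and the message date is assumed to be a Unix epoch in milliseconds as Android's providers store it.

```python
"""One event timeline from dated media file names and a message table.

Added example, not code from the presentation. Constructed inputs: the file
names follow the slide's IMG20120103-XXXX / VN-20120319-XXXX.amr /
VID-YYYYMMDD-XXXXXX.3gp shapes; the SQLite table mirrors the slide's
| sender id | recipient id | date | data | layout, with 'date' assumed to be
milliseconds since the Unix epoch.
"""
import re
import sqlite3
from datetime import datetime, timezone
from typing import List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp in UTC, source, description)

# Prefix, optional hyphen (IMG has none, VN/VID have one), YYYYMMDD, sequence, extension.
FILENAME_RE = re.compile(
    r"^(?P<kind>IMG|VN|VID)-?(?P<date>\d{8})-(?P<seq>\d+)(?:\.(?P<ext>[A-Za-z0-9]+))?$"
)
KIND_NAMES = {"IMG": "photo", "VN": "voice note", "VID": "video"}

# Constructed sample listing; 'notes.txt' shows an undated file being skipped.
SAMPLE_FILENAMES = [
    "IMG20120103-0001.jpg",
    "VN-20120319-0007.amr",
    "VID-20120319-143000.3gp",
    "notes.txt",
]


def events_from_filenames(names: List[str]) -> List[Event]:
    """Date every artefact whose name carries a YYYYMMDD stamp (day resolution)."""
    events: List[Event] = []
    for name in names:
        m = FILENAME_RE.match(name)
        if not m:
            continue
        day = datetime.strptime(m.group("date"), "%Y%m%d").replace(tzinfo=timezone.utc)
        events.append((day, "filesystem", f"{KIND_NAMES[m.group('kind')]} {name}"))
    return events


def events_from_message_db(conn: sqlite3.Connection) -> List[Event]:
    """Read the four-column message table and convert epoch-ms dates to UTC."""
    rows = conn.execute(
        "SELECT sender_id, recipient_id, date, data FROM messages ORDER BY date"
    )
    events: List[Event] = []
    for sender, recipient, date_ms, data in rows:
        ts = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        events.append((ts, "message db", f"{sender} -> {recipient}: {data}"))
    return events


def build_timeline(names: List[str], conn: sqlite3.Connection) -> List[Event]:
    """Merge both sources, oldest first (stable sort keeps same-day files in listing order)."""
    return sorted(events_from_filenames(names) + events_from_message_db(conn), key=lambda e: e[0])


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's | sender id | recipient id | date | data | table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender_id TEXT, recipient_id TEXT, date INTEGER, data TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?, ?)",
        [
            ("+15550100", "+15550199", 1332151200000, "on my way"),      # 2012-03-19 10:00 UTC
            ("+15550199", "+15550100", 1325592000000, "happy new year"), # 2012-01-03 12:00 UTC
        ],
    )
    return conn


if __name__ == "__main__":
    for ts, source, what in build_timeline(SAMPLE_FILENAMES, make_sample_db()):
        print(ts.isoformat(), source, what)
```

File-name dates only give the day, so a photo sorts before the same day's messages; EXIF DateTimeOriginal would refine that when the image itself is available.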
LIVE FORENSICS (continued)
CONCLUSION
Dead and live forensics have become well-established, but...

- Lack of simulation environments.
- The modern security trend is the App World way of installing software.
- Information goes out of date rapidly, while the sheer amount leaves us missing more.
- Passwords and encryption are a long-term problem.
- Live solutions prevent and solve isolation issues.
- Files stay in their default location only for a short time after the event.
- Limited cases for dead or live forensics solutions.
- Some dead cases are handled more easily live, and vice versa: neither should miss the opportunity the other offers.
THANK YOU
YURY CHEMERKIN
HAKIN9 MAGAZINE REPRESENTATIVE
