Published in: Technology
Transcript of "Via forensics thotcon-2013-mobile-security-with-santoku-linux"

  1. © Copyright 2013 viaForensics, LLC. Proprietary Information.
     Mobile security, forensics & malware analysis with Santoku Linux
  2. IN MEMORY OF
     Alois Charles Hoog, Sr. (1920 - 2013)
     Husband. Father of 5. Grandfather of 12. Great Grandfather of 9.
     United States Army Air Corps (Retired)
     And a true Master Craftsman that any Geek would be proud to call Grandpa.
     We will miss you dearly.
  3. PRESENTER
     Andrew Hoog (CEO/Co-Founder)
     Andrew is a published author, computer scientist, and mobile forensic/security researcher. He has several patents pending and does frequent presentations/briefings.
     Additionally, he participated in many hack(y sack) circles in college instead of classes.
  4. VIAFORENSICS OVERVIEW
     viaForensics is a mobile security company founded in 2009.
     Bootstrapped with ~40 employees and a 10 person dedicated mobile security R&D team.
     Some of our f/oss: YAFFS2 in TSK, AFLogical OSE, Santoku Linux...
  5. RECENT CONFERENCES
  6. SANTOKU - WHY?
     [Chart: # Units Shipped (millions) by device type (Desktop PC, Portable PC, Tablet, Smartphone). 2012 total: 1,201.1. 2017 (projected) total: 2,250.3.]
  7. SANTOKU - WHAT?
  8. SANTOKU - HOW?
     - Install Lubuntu 12.04 (precise) x86_64
     - Santoku-ize it
  9. You should get (after reboot)
  10. A Different Kind of Hacking
  11. The History of Footbag
      The concept behind footbag, intercepting an object in flight and keeping it airborne by using all parts of the body except the hands and arms, is not a new idea.
      Rather, as surprising as it may seem, the roots of our modern-day kicking game are to be found in ancient Eastern cultures.
      Shown here are people playing Sepak Takraw in the streets of Malaysia.
  12. MOBILE FORENSICS
  13. FORENSIC ACQUISITION TYPES
      Logical
        Description: Read device data via backup, API or other controlled access to data
        Use cases: Fast. Data generally well structured
        Challenges: Often very limited access to data. Usually requires unlocked passcode
      File system
        Description: Copy of files of file system
        Use cases: More data than logical. Re-creating encrypted file system
        Challenges: Requires additional access to device. Many file system files not responsive on cases
      Physical
        Description: Bit-by-bit copy of physical drive
        Use cases: Most forensically sound technique. Increases chance of deleted data recovery
        Challenges: Cannot pull hard drive on mobile devices. FTL may not provide bad blocks
  14. iOS Logical
      - Connect device (enter PIN if needed)
      - idevicebackup2 backup <backup dir>
      - idevicebackup2 unback <backup dir>
      - View backup | unpacked backup
  15. iOS Logical
  16. iPhone Backup Analyzer
  17. The History of Footbag
      While the co-operative kicking sport has ancient origins in China, Thailand, Native America and nearly every country, Hacky Sack or Footbag, as we know it today, is a modern American sport invented in 1972 by John Stalberger and Mike Marshall of Oregon City, Oregon.
      Marshall had created a hand-made bean bag that he was kicking around. Stalberger was recovering from knee surgery and was looking for a fun way to exercise his knees.
      Together, they called the new game "Hackin the Sack." The two decided to collaborate and market their new game under the trademark of "Hacky Sack®".
      Mike Marshall died of a heart attack in 1975, at the age of twenty-eight. John Stalberger continued with the "Hacky Sack" cause and formed the National Hacky Sack Association. He later sold the rights for the Hacky Sack® Footbag to Kransco (operating under the Wham-O label), which also manufactured the Frisbee flying disc.
  18. Android Logical
      - AFLogical OSE: https://github.com/viaforensics/android-forensics
      - Reads Content Providers
      - Push to phone, run, store on SD Card
      - Pull CSVs to Santoku for review
  19. AFLogical OSE
  20. Install, run, extract
  21. The Benefits of Hacking to Hackers
      What do most hackers do while they're hacking?
      They sit!
      You don't need a Ph.D in physiology or biomechanics to know that spending 8-16 hours in a chair is bad for you.
  22. The Benefits of Hacking to Hackers
      Hacky Sack:
      - Is Cooperative {much more fun in groups}
      - Is Legit Exercise {it will get your blood flowing}
      - Improves overall coordination
      - Can be played almost anywhere
      - Requires virtually no equipment other than sack
  23. MOBILE SECURITY
  24. [Image slide]
  25. APP SELECTION
      Apps were selected based on popularity, number of downloads, or potential sensitivity of data.
      Approximately 50 apps have been reviewed and organized into categories.
      Category: # apps reviewed
        Finance: 10
        Lifestyle: 11
        Productivity: 6
        Travel: 5
        Social Networking: 6
        Security: 6
        Other: 6
  26. APP TESTING RESULTS
      [Chart: % with issues, for Stored Username, Stored Password, Medium or High Risk (other risks) and Failed MITM. Axis to 100%; bar values shown: ~80%, ~30%, ~50%, ~15%.]
  27. [Image slide]
  28. The "Rules" of Hacking
      1. Cannot serve to self
      2. Cannot say, "Sorry"
      3. Cannot use hands
      A Hack is one complete time around the circle.
  29. Any.DO
      - Business and personal task management app, iOS and Android
      - Millions of users
      - Many vulnerabilities, no response from company
      - https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html
  30. Any.DO Analysis - Forensics
      - Locate Any.DO app directory:
        <path-to-backup>/var/mobile/Applications/com.anydo.AnyDO
      - Examine binary plist file (Library/Preferences):
        file com.anydo.AnyDO.plist -> Apple binary property list
      - Convert binary plist:
        plutil -i com.anydo.AnyDO.plist -o com.anydo.AnyDO.plist.xml
      - vi com.anydo.AnyDO.plist.xml
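The plist triage on slide 30 (identify the binary plist, convert it to XML, read it for stored credentials) done in Python instead of file/plutil/vi. This is an added example, not viaForensics' or Santoku's code; the preference keys and values are constructed stand-ins, not Any.DO's real keys, and the "sensitive key" regex is our own heuristic.

```python
"""Triage an iOS app preferences plist for stored credentials (added example)."""
import plistlib
import re

# Constructed sample of what an app's Library/Preferences plist might hold.
# Keys and values are made up for this example, not taken from any real app.
SAMPLE_PREFS = {
    "user_email": "alice@example.com",
    "auth_token": "deadbeef0123456789",
    "sync_interval": 300,
    "last_sync": "2013-04-01",
    "nested": {"password": "hunter2"},
}

# Key names that usually deserve a look when reviewing stored app data.
SENSITIVE_KEY_RE = re.compile(r"(pass|pwd|token|secret|email|user|auth|session)", re.I)


def make_binary_plist(data: dict) -> bytes:
    """Serialize a dict as an Apple binary property list (magic 'bplist00')."""
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def is_binary_plist(blob: bytes) -> bool:
    """The same check `file` makes on the slide: binary plists start with 'bplist00'."""
    return blob[:8] == b"bplist00"


def to_xml(blob: bytes) -> str:
    """Equivalent of `plutil -i in.plist -o out.xml`: binary plist -> XML text."""
    return plistlib.dumps(plistlib.loads(blob), fmt=plistlib.FMT_XML).decode()


def find_sensitive(obj, path=""):
    """Walk the parsed plist and report (key path, value) for credential-like keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            key_path = f"{path}/{key}"
            if SENSITIVE_KEY_RE.search(key):
                hits.append((key_path, value))
            hits.extend(find_sensitive(value, key_path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive(value, f"{path}[{i}]"))
    return hits


def triage(blob: bytes):
    """Accept a binary or XML plist and return the credential-like entries."""
    if not is_binary_plist(blob) and not blob.lstrip().startswith(b"<?xml"):
        raise ValueError("not a property list")
    return find_sensitive(plistlib.loads(blob))


if __name__ == "__main__":
    blob = make_binary_plist(SAMPLE_PREFS)
    print(to_xml(blob))
    for key_path, value in triage(blob):
        print(f"{key_path}: {value!r}")
```

Pointing `triage` at the real file is a matter of `triage(open(path, "rb").read())`; the plaintext token and password found in the constructed sample are exactly the class of finding the "Stored Username / Stored Password" results on slide 26 count.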
  31. Any.DO Analysis - Forensics
  32. Any.DO Analysis - Memory
      - SSH into iPhone: iproxy ; ssh
      - Find app PID: ps -ef | grep <app-name>
      - Dump RAM using gdb: script to extract RAM
      - Extract and analyze: scp ; grep
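The "extract and analyze" step of slide 32, after the RAM dump has been copied back with scp: pull printable strings out of the dump (what `strings` does) and run credential patterns over them (what the `grep` stands for). This is an added example, not the viaForensics script from the slide; the dump bytes are constructed inline to resemble heap memory with a few plaintext artifacts, and the patterns are our own.

```python
"""Strings-and-grep over a process memory dump (added example)."""
import re

# Constructed stand-in for a RAM dump: filler bytes with plaintext artifacts
# of the kind that commonly survive in heap memory after a login.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\xfe" * 8
    + b"user=alice@example.com\x00"
    + b"\x90\x90\x00"
    + b"password=hunter2\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig\x00"
    + b"ab\x00"  # shorter than the minimum string length, so ignored
)

# What to look for in the extracted strings; our own list, extend as needed.
CREDENTIAL_PATTERNS = {
    "password_field": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9._-]+)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def extract_strings(blob: bytes, min_len: int = 4):
    """Equivalent of `strings -n 4`: (offset, text) for each run of printable ASCII."""
    printable_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in printable_run.finditer(blob)]


def find_credentials(blob: bytes):
    """Return (label, offset, captured value) for every credential pattern hit."""
    findings = []
    for offset, text in extract_strings(blob):
        for label, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(text)
            if m:
                # Report the last capture group (the secret itself) when there is one.
                findings.append((label, offset, m.group(m.lastindex or 0)))
    return findings


if __name__ == "__main__":
    for label, offset, value in find_credentials(SAMPLE_DUMP):
        print(f"{label} @ 0x{offset:x}: {value}")
```

The offset is worth keeping in the report: it lets the finding be re-examined in a hex viewer, and it tells apart a credential that sits in a freed buffer from one the app is still holding.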
  33. Any.DO Analysis - Memory
  34. The Kicks and Tricks
  35. MOBILE MALWARE ANALYSIS
  36. Bad News
      - Android malware, masquerades as an innocent advertising network
      - Packaged in many legitimate apps, usually targeting the Russian market
      - Has the ability to download additional apps, and prompts the user to install them, posing as "Critical Updates". Uses this mechanism to spread known malware, typically Premium Rate SMS fraud.
      - For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
  37. apktool
      - apktool is a tool for reverse engineering Android apk files: it disassembles the code to .smali files and also decodes the resources contained in the apk.
      - It can also repackage the applications after you have modified them.
      - We can run it on a BadNews sample:
        $ apktool d ru.blogspot.playsib.savageknife.apk savage_knife_apktool/
        I: Baksmaling...
        I: Loading resource table...
        I: Loaded.
        I: Decoding AndroidManifest.xml with resources...
        I: Loading resource table from file: /home/santoku/apktool/framework/1.apk
        I: Loaded.
        I: Regular manifest package...
        I: Decoding file-resources...
        I: Decoding values */* XMLs...
        I: Done.
        I: Copying assets and libs...
      Source: https://code.google.com/p/android-apktool/
  38. apktool -> smali
      - We can grep for known sensitive method calls and strings:
        $ grep -R getDeviceId .
        ./smali/com/mobidisplay/advertsv1/AdvService.smali:    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
        $ grep -R BOOT_COMPLETED .
        ./AndroidManifest.xml:    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
        ./AndroidManifest.xml:    <action android:name="android.intent.action.BOOT_COMPLETED" />
        ./smali/com/mobidisplay/advertsv1/BootReceiver.smali:    const-string v2, "android.intent.action.BOOT_COMPLETED"
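The two greps on slide 38 generalized into one indicator sweep over an apktool output tree, so every interesting API call and manifest entry is reported in one pass with file and line. This is an added example, not part of the deck or of apktool; the manifest and smali snippets are constructed to mirror the slide's grep output (the AdvService and BootReceiver names come from there), and the indicator list beyond getDeviceId and BOOT_COMPLETED is our own choice.

```python
"""Indicator sweep over apktool output, in the spirit of `grep -R` (added example)."""
import re
from collections import defaultdict

# Regexes for the calls and strings a first triage pass greps for. The first
# two are the slide's; the others are our additions.
INDICATORS = {
    "device_id": r"TelephonyManager;->getDeviceId\(",
    "phone_number": r"TelephonyManager;->getLine1Number\(",
    "send_sms": r"SmsManager;->sendTextMessage\(",
    "boot_persistence": r"BOOT_COMPLETED",
    "dynamic_load": r"dalvik/system/DexClassLoader",
}

# Constructed stand-ins for files apktool would write under savage_knife_apktool/.
# Contents are made up for this example; only the class names echo the slide.
FILES = {
    "AndroidManifest.xml": '''<manifest package="com.example.sample">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application>
        <receiver android:name="com.mobidisplay.advertsv1.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>''',
    "smali/com/mobidisplay/advertsv1/AdvService.smali": '''.class public Lcom/mobidisplay/advertsv1/AdvService;
.method private getImei()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method''',
    "smali/com/mobidisplay/advertsv1/BootReceiver.smali": '''.class public Lcom/mobidisplay/advertsv1/BootReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v2, "android.intent.action.BOOT_COMPLETED"
    invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
.end method''',
}


def scan(files):
    """Return {indicator: [(path, line_no, line_text), ...]} for every match."""
    compiled = {name: re.compile(pattern) for name, pattern in INDICATORS.items()}
    hits = defaultdict(list)
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, rx in compiled.items():
                if rx.search(line):
                    hits[name].append((path, line_no, line.strip()))
    return dict(hits)


def summarize(hits):
    """Collapse to indicator -> sorted list of files, like `grep -Rl`."""
    return {name: sorted({path for path, _, _ in locs}) for name, locs in hits.items()}


if __name__ == "__main__":
    for name, locs in scan(FILES).items():
        for path, line_no, line in locs:
            print(f"[{name}] {path}:{line_no}: {line}")
```

To run it on a real apktool directory, build `FILES` by walking the tree and reading each `.smali` and `.xml` file. A hit on `boot_persistence` in both the manifest and a receiver class is the pattern slide 39 reads by hand: a receiver wired to BOOT_COMPLETED that starts a service.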
  39. apktool -> smali
      - We can manually analyze the disassembled smali code provided by apktool.
      - For example, here we see a broadcast receiver that will listen for BOOT_COMPLETED intents and react to them by starting a service in the application.
  40. BadNews Malware Sample -> Dex2Jar -> JD-GUI
      Contagio MiniDump Malware Repository: contagiominidump.blogspot.com
  41. A LITTLE HELP, PLEASE.
      - HOWTOs
      - New/existing tool development
      - .deb package maintenance
      - Forums, spreading the word
  42. https://santoku-linux.com
      @SantokuLinux
      @viaForensics
      DON'T PANIC