Why Can’t all Data be the Same?
Python in the Mobile-Forensics World
Kim Thomson
H-11 Digital Forensics
kim@h11dfs.com
who am I?
• Retired SIGINT Soldier
• Nerd
• I love all things wireless
• My passion is extraction/recovery and decoding of phone/device data
• I teach courses in mobile forensics, chipoff for mobile forensics, JTAG-ISP for mobile forensics, Python for mobile forensics, smartphone analysis, and wireless tracking, mapping, and analysis
• I settled into mobile forensics because of the variety of areas within the field
• kim@h11dfs.com
mobile forensics =
The discovery, recovery, examination, analysis, and reporting of data from mobile devices, generally to aid in some sort of investigation.
Mobile forensics involves:
• Extracting
• Parsing
• Organizing
• Correlating
• Reporting
what’s the point?
One of the persistent challenges of mobile forensics or mobile data recovery is getting the data in a reportable format.
As no two phones are the same, decoding the data into something usable can be a problem. Nearly every phone will have some sort of unique data on it.
Simply obtaining the data usually isn’t good enough. It has to be made presentable.
mobile fragmentation
mobile forensics challenges
• Finding the data
• Phone, mobile network, SIM, SD card, cloud?
• Extracting the data
• Security locks (PINs, passwords, patterns, etc.), port difficulties, USB debugging?
• Decoding the data
• Character encodings, file formats, database types, unknown/new apps?
• Analyzing the data
• What does it mean?
mobile forensics challenges - 2
• Many paths into digital forensics
• Most are not technical
• Python is scary
finding the data
• Cloud
• Many types of data simply aren’t found on the phone
• Depending on the case, may or may not be trivial to obtain
• SIM
• Not used for much data these days apart from the last Location Area Code (LAC) and account info
• Can contain old, deleted data from previous phones
• SD Card
• Apart from the phone itself, probably the most important piece
• Full of media and app data, backups, etc.
• May contain data from previously-used phones
finding the data
• Service Provider’s Network
• Tower dumps, subscriber data, call-detail/data records (CDR), SMS, MMS, data usage, web sites accessed, etc.
• CDRs continue to be a prime source of location and activity information; must be obtained with proper legal authority
• Synced devices
• Chrome, iCloud, Firefox, OneDrive, Dropbox, e-mail accounts, etc.
• Can contain web histories, connected WiFi networks, calls, contacts, e-mail, synced files, etc.
finding the data
• Phone
• Calls, contacts, messaging, e-mails, media, location data, account info
• Databases, logs, event histories, connection timelines
• Connected cells, WiFi nets, application usage history, network usage statistics, synced Bluetooth devices…
• Basically the user’s entire life may be found on the phone
The importance of the phone data cannot be overestimated. In 2018, I can personally guarantee that we will never see ALL the info on a device. There’s simply too much of it.
phone extraction types
[Diagram] Logical, File System and Physical extractions, shown against the layers of the device: Operating System, Files, Unallocated Area, and the available area for digital storage. Some data is not always recoverable. An extraction copy using mobile forensics is not necessarily a bit-stream clone/image as with computer forensics. What you see on the mobile device screen is what you get – sometimes?
logical extraction
• Originally based on AT commands, talking to the phone’s internal modem
• Simple, what you see is what you get
• Relatively fast (unless there is a lot of media on the phone)
• Recovers no truly deleted data
• May recover “deleted” database entries (calls, chats, contacts, etc.)
• Excellent choice for a “quick look”
• Can be stymied by different versions of an OS or blocked/disabled USB ports
• For Android and others, usually requires the installation of an extraction client (APK)
• Usually not possible on a locked phone (passcode/pattern/PIN)
file-system extraction
• Usually “good enough” depending on the phone (Android)
• Depending on the phone, may or may not be possible
• Jailbroken iPhone, rooted Android
• Other OS… maybe, maybe not
• Analogous to copy-paste all files in the file system; no truly deleted items
• Can be blocked by security protocols in Android and iOS
• There are “lesser” file-system extractions
• Android Debug Bridge (ADB) Backup
• iTunes Backup
• Partial file system based on MTP vulnerabilities in Android
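One of the “lesser” file-system extractions above, the ADB backup, arrives as a single .ab file rather than a directory tree. The following Python is an added example, not code from the talk: it strips the four-line header and inflates the payload into an ordinary tar so the app and shared-storage files inside can be listed. The sample backup it builds, including the package name and file names, is constructed for the example; encrypted backups (header line AES-256) are rejected rather than decrypted.

```python
# Added example (not from the talk): unpack an unencrypted "adb backup" (.ab) file.
#
# Layout of an .ab file: four newline-terminated header lines, then the payload.
#   ANDROID BACKUP      magic
#   <version>           backup format version
#   <compressed>        1 = payload is a zlib stream, 0 = raw tar
#   <encryption>        "none" or "AES-256"
# With encryption "none" and compressed 1, the payload is zlib-wrapped tar data.
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes):
    """Return (version, compressed, encryption, payload_offset) for an .ab blob."""
    lines = data.split(b"\n", 4)                 # at most 5 parts: 4 header lines + payload
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    offset = len(data) - len(lines[4])           # payload starts after the 4th newline
    return version, compressed, encryption, offset


def ab_to_tar(data: bytes) -> bytes:
    """Strip the header and inflate the payload; returns raw tar bytes."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        raise ValueError("encrypted backup (%s): the user password is needed "
                         "to derive the key before the payload can be inflated" % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def list_backup(data: bytes) -> list:
    """Member names inside the backup, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab() -> bytes:
    """Constructed sample: one app database and one shared-storage photo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in [
            ("apps/com.example.chat/db/messages.db", b"SQLite format 3\x00" + b"\x00" * 16),
            ("shared/0/DCIM/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n1\n1\nnone\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_ab()
    print(parse_ab_header(sample)[:3])
    for name in list_backup(sample):
        print(name)
```

Once the tar is on disk it can be unpacked and pointed at the same SQLite and carving tooling as any other file-system extraction; what it will never contain is unallocated space, which is the point of the “lesser” label above.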
physical extraction
• This has always been the real goal: get ALL the data on the phone… all the 1s and 0s
• Analogous to a physical image (dd) of a hard drive
• Requires root permissions on Android; most of the time a temporary root is enough
• Impossible (improbable?) on iOS devices after the iPhone 4
• Gives the examiner the possibility of recovering truly deleted data
• Media
• Deleted Files, not just DB entries
• Getting a full physical extraction of a device has sometimes been rather difficult
automated-tool vendors
• Cellebrite
• UFED
• Physical Analyzer
• MicroSystemation
• XRY
• Oxygen
• Magnet Forensics
• Axiom Process
• Axiom Examine
benefits of automated tools
• Widely used
• Well-funded and researched
• Faster
• Easier
• Require less technical expertise
• In most cases, you only need to follow the instructions
benefits of automated tools
• Besides providing the extraction of data from the mobile device,
these tools also do the decoding, or parsing of the data
automagically
• Analytical tools are also included
• Reporting tools are also included
• Customer support
• Clicky buttons
problems with automated tools
• When they don’t work, they don’t work
• If a device isn’t supported, you may not be able to find support for it at all
• Another method may be possible, but it is sometimes difficult to figure out which one will work
• They are, depending on your background and point of view, insanely expensive
• Automated tools produce… and there is no nice way to put this… the script kiddies of the mobile-forensics world
• They don’t necessarily produce a “technically advanced user”
• They don’t (and can’t) decode ALL the data on a phone
biggest problem with automated tools
“If we don’t find it, it’s not there…”
moving beyond automated tools
• Carving for deleted records in whatever format they happen to be in
• Parsing previously-unknown or unsupported apps for data (usually SQLite)
• How many apps exist for iOS and Android???
• Log Parsing
• Parsing binary files in burner phones (usually proprietary formats)
• Writing scripts to find data in the binary dump of a phone whose file system can’t be reconstructed
• Correlating phone data with external sources (cell towers, wifi networks,
other geolocation data)
questions to ask
• Do I have all the data/evidence I need?
• What else do I need?
• In what format might it be stored?
• How can I convert it?
• Where can I put it?
• In the automated tool’s project tree
• CSV file?
• Database?
• External report?
• IS IT WORTH THE TIME???
phone data problems
• Timestamp formats
• GPS epoch in BREW phones (feature phones)
• Unix, seconds, milliseconds, microseconds, decimal, hex LE and BE…
• NSDates
• Mediatek
• Straight hexadecimal
• Flash memory storage characteristics
• ENCRYPTION!!
• File system
• Individual app files
• Different file types
• SQLite databases
• XML/JSON
• Proprietary DBs
• Straight hex/binary files
• Plists/proprietary logs
• Different encodings
• 7-bit GSM alphabet data encoding (cheap phones)
• ASCII vs. UTF-16 vs. UTF-8 vs. LE vs. BE
• Base64, Base32
• Reversed nibbles
• Straight hex integer
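As an added example (not code from the talk), here are the timestamp conversions from that list in Python: Unix time in seconds, milliseconds or microseconds, NSDate, the GPS epoch used by BREW phones, and a 32-bit value stored as little- or big-endian hex. The sample values are constructed so that every one of them decodes to 2018-09-22 00:00:00 UTC and the conversions can be checked against each other. The leap-second handling in from_gps is a parameter because whether a given phone already applied it is an assumption to verify per model.

```python
# Added example (not from the talk): decode the timestamp flavours that show up
# in phone data. All sample values are constructed.
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # NSDate / CFAbsoluteTime
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)    # GPS week 0 (BREW / Qualcomm firmware)


def from_unix(value) -> datetime:
    """Unix time in seconds, milliseconds or microseconds, chosen by magnitude:
    ~1.5e9 is seconds, ~1.5e12 is ms, ~1.5e15 is us (unambiguous for dates after 2001)."""
    v = float(value)
    if v > 1e14:
        v /= 1e6
    elif v > 1e11:
        v /= 1e3
    return UNIX_EPOCH + timedelta(seconds=v)


def from_nsdate(value) -> datetime:
    """NSDate: seconds since 2001-01-01 UTC. Newer iOS databases store the same
    epoch in nanoseconds (~5e17), handled by magnitude like from_unix."""
    v = float(value)
    if v > 1e14:
        v /= 1e9
    return COCOA_EPOCH + timedelta(seconds=v)


def from_gps(value, leap_seconds=0) -> datetime:
    """Seconds since the GPS epoch. GPS time is not leap-second corrected (it ran
    18 s ahead of UTC as of 2017); whether the phone already subtracted that
    offset is an assumption to verify per model, so it is a parameter here."""
    return GPS_EPOCH + timedelta(seconds=float(value) - leap_seconds)


def from_hex32(hexstr: str, little_endian: bool, decoder=from_unix) -> datetime:
    """A 32-bit timestamp stored as 8 hex digits, e.g. '0086A55B' (LE) or
    '5BA58600' (BE) both hold Unix 1537574400; `decoder` selects the epoch."""
    (value,) = struct.unpack("<I" if little_endian else ">I", bytes.fromhex(hexstr))
    return decoder(value)


def guess_all(value) -> dict:
    """Decode one raw integer against every epoch and return {label: ISO string},
    with None where the result falls outside datetime's range (so not that epoch).
    The examiner then picks the interpretation that matches surrounding evidence."""
    out = {}
    for label, fn in (("unix", from_unix), ("nsdate", from_nsdate), ("gps", from_gps)):
        try:
            out[label] = fn(value).isoformat()
        except (OverflowError, ValueError):
            out[label] = None
    return out


if __name__ == "__main__":
    for raw in (1537574400, 1537574400000, 559267200, 1221609600):
        print(raw, guess_all(raw))
```

Magnitude-based detection only works because current dates in seconds, milliseconds, microseconds and nanoseconds sit three orders of magnitude apart; it breaks for very old or very small values, which is why guess_all shows every interpretation instead of silently choosing one.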
phone data problems
There’s nothing quite like an IP address represented in hex, changed to Little-Endian, converted to a signed decimal integer and stored as ASCII in a SQLite DB along with other connection attributes with a non-descript entry name to make you lose faith in humanity.
Seriously…?
0xCA21F10A → -903745270 → 0A F1 21 CA → 10.241.33.202
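The chain above, as an added Python example rather than code from the talk: the signed integer is masked back to an unsigned 32-bit word, packed little-endian, and the four bytes are the octets in order. The decoder is also registered as a SQLite function so a whole table of such values can be decoded in one query, and the reverse conversion lets you search another table or a raw dump for a known address in the stored form. The conn_attr table and its column names are constructed for the example.

```python
# Added example (not from the talk): decode an IPv4 address stored as a signed
# little-endian integer written out as ASCII in a SQLite column.
import ipaddress
import sqlite3
import struct


def ip_from_signed_le(value) -> str:
    """'-903745270' -> 0xCA21F10A -> bytes 0A F1 21 CA (little-endian) -> '10.241.33.202'."""
    n = int(value) & 0xFFFFFFFF                              # signed decimal -> unsigned 32-bit word
    return str(ipaddress.IPv4Address(struct.pack("<I", n)))  # LE byte order == octet order


def ip_from_signed_be(value) -> str:
    """The same integer read big-endian, for comparison: '-903745270' -> '202.33.241.10'.
    Show both when the byte order is not yet established and pick the one that is routable."""
    n = int(value) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(struct.pack(">I", n)))


def signed_le_from_ip(ip: str) -> int:
    """Reverse direction: '10.241.33.202' -> -903745270, so a known address can be
    searched for in the same representation the app used."""
    (n,) = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)
    return n - (1 << 32) if n & 0x80000000 else n


def make_sample_db() -> sqlite3.Connection:
    """Constructed connection-attribute table with deliberately vague names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE conn_attr (id INTEGER, k TEXT, v TEXT)")
    conn.executemany("INSERT INTO conn_attr VALUES (?, ?, ?)", [
        (1, "a1", "-903745270"),   # 10.241.33.202
        (1, "a2", "443"),
        (2, "a1", "16777343"),     # 127.0.0.1 stored the same way (0x0100007F)
        (2, "a2", "8080"),
    ])
    return conn


def decode_addresses(conn) -> list:
    """Register the Python decoder as a SQL function and decode every a1 row in one query."""
    conn.create_function("ip_le", 1, ip_from_signed_le)
    rows = conn.execute("SELECT id, ip_le(v) FROM conn_attr WHERE k = 'a1' ORDER BY id")
    return [(i, ip) for i, ip in rows]


if __name__ == "__main__":
    print(ip_from_signed_le("-903745270"), ip_from_signed_be("-903745270"))
    print(decode_addresses(make_sample_db()))
```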
user data
• Calls
• Contacts
• Messaging
• Location data
• E-mails
• Paired devices
• WiFi networks
• Cookies, web history, videos, music, recordings, images, cell towers, account data, visited web pages, bookmarks, notes, notifications, open apps, usage history, powering events, network statistics, a compromising picture you took then deleted, etc….
how do we see the data?
• AccessData FTK Imager (free)
• http://marketing.accessdata.com/ftkimager4.2.0
• 7-zip (for some dd images and phone dumps)
• Autopsy and Sleuthkit (FOSS)
• Medusa Pro or Octoplus Pro Software (about 160 bucks)
• Cellebrite Physical Analyzer (paid)
• Oxygen Detective (paid)
• Magnet Axiom (paid)
Looking at the data – Cellebrite
Physical Analyzer
Looking at the data – Autopsy
Looking at the data – FTK Imager
Looking at the data – Octoplus/Medusa
What about Python?
• Case management, logs, moving files, blah, blah, blah
• Extracting data from SQLite databases for unsupported applications
• Parsing all the files of importance in “burner” phones
• They tend to not be well supported since they are VERY proprietary
• Phonebook, calls, SMS, device information, etc.
• Carving through unallocated space to find deleted remnants of things
• JSON, XML, logs, DB fragments...
• Carving through the binary dump of a phone that doesn’t parse at all (KMN)
• Standalone utilities for manual data decoding/searches/conversions/etc.
SQLite
• Easy
• Majority of apps in Android and iOS use SQLite
• Cellebrite and Magnet (Axiom) both have their own wrapper on sqlite3 to only allow reads and no writes or “queries”. Every line of a table is read as a dictionary. Dictionary keys are the column names.
• Whether I write something for Cellebrite or external to Cellebrite depends on two things:
• Does Cellebrite have a category for the type of data?
• Who and what am I writing it for?
SQLite in Cellebrite
DB: macvendors.db
Table: macvendors
Columns: ‘mac’ and ‘vendor’
• Cellebrite’s SQLiteParser wants to read every line by default.
• For most types of apps we want every line.
• Calls
• Contacts
• Chats
• Messages
• Cell Towers
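An added example, not the vendor wrapper itself: plain sqlite3 giving the same one-dictionary-per-row view of the macvendors table described above, opened through the SQLite mode=ro URI so a stray write fails instead of touching the evidence file. The sample database and its OUI rows are constructed.

```python
# Added example (not from the talk): read-only, dict-per-row access to a SQLite
# table with the standard library, plus the OUI lookup the macvendors table is for.
import sqlite3
import tempfile
from pathlib import Path


def open_readonly(path: str) -> sqlite3.Connection:
    """Open via the SQLite URI form with mode=ro; any write raises OperationalError."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row            # rows become mapping objects keyed by column
    return conn


def iter_rows(conn, table):
    """Yield every row of `table` as {column_name: value}, like the vendor wrappers do."""
    # a table name cannot be bound as a parameter, so quote it as an identifier
    cur = conn.execute('SELECT * FROM "%s" ORDER BY rowid' % table.replace('"', '""'))
    for row in cur:
        yield dict(row)


def vendor_for_mac(conn, mac: str):
    """Look up the OUI (first three octets) of a MAC in a macvendors-style table."""
    oui = mac.upper().replace("-", ":")[:8]
    row = conn.execute("SELECT vendor FROM macvendors WHERE mac = ?", (oui,)).fetchone()
    return row["vendor"] if row else None


def write_is_blocked(conn) -> bool:
    """True if the connection refuses writes, which is what the read-only open guarantees."""
    try:
        conn.execute("INSERT INTO macvendors VALUES ('DE:AD:BE', 'should fail')")
    except sqlite3.OperationalError:
        return True
    return False


def make_sample_db() -> str:
    """Constructed macvendors.db with made-up OUI rows; returns its path."""
    path = str(Path(tempfile.mkdtemp()) / "macvendors.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE macvendors (mac TEXT PRIMARY KEY, vendor TEXT)")
    conn.executemany("INSERT INTO macvendors VALUES (?, ?)",
                     [("00:11:22", "Example Vendor A"), ("AA:BB:CC", "Example Vendor B")])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    db = open_readonly(make_sample_db())
    for row in iter_rows(db, "macvendors"):
        print(row)
    print(vendor_for_mac(db, "aa-bb-cc-01-02-03"), write_is_blocked(db))
```

Work on a copy of the extracted database that still has any -wal and -journal files next to it; in WAL mode the newest records can live only in the -wal file, and the copy without it will look older than the phone really was.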
SQLite Strengths
• Standardized, used everywhere
• Analysis is relatively simple
• Tools abound to read and recover data from SQLite DBs
• Once you’ve written one parser for a messaging app, you can write another with small modifications
• SQLite in Python is easy
BREW phone (every crappy flip phone)
• Proprietary file systems, app structures, databases, etc.
• Not well supported by most mobile-forensic tools
• Every model is different
• Very common to get a full physical extraction but have no parsed data
• You have to either do everything manually or write some stuff to parse it into a presentable format
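An added example, not code from the talk: two encodings that come up when parsing the SMS and phonebook records of these phones by hand, the GSM 03.38 7-bit packed alphabet (“7-bit GSM alphabet data encoding”) and the reversed-nibble semi-octet digit strings of TS 23.040 (“reversed nibbles”). The byte strings are constructed; the packed text sample is the standard “hellohello” test string.

```python
# Added example (not from the talk): GSM 7-bit packed text and reversed-nibble
# (semi-octet) phone numbers, as found in feature-phone SMS/phonebook records.

# GSM 03.38 default alphabet, basic table only (no 0x1B escape-table extension).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅå"
        "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./"
        "0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNO"
        "PQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmno"
        "pqrstuvwxyzäöñüà")


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack 7-bit septets packed LSB-first across the byte stream. The septet
    count comes from the record (SMS user-data length), not from len(data)."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def pack_gsm7(text: str) -> bytes:
    """Inverse of unpack_gsm7, handy for building search patterns for a dump."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM7.index(ch) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")


# TS 23.040 semi-octet digits: 0-9 plus *, #, a, b, c; 0xF pads an odd digit count.
BCD_DIGITS = "0123456789*#abc"


def decode_reversed_nibbles(data: bytes) -> str:
    """41 51 55 05 21 F3 -> '14155550123': low nibble first, F is filler.
    A leading '+' comes from the type-of-number byte, not from these digits."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                out.append(BCD_DIGITS[nib])
    return "".join(out)


def encode_reversed_nibbles(digits: str) -> bytes:
    """Inverse of decode_reversed_nibbles, for searching a dump for a known number."""
    vals = [BCD_DIGITS.index(d) for d in digits]
    if len(vals) % 2:
        vals.append(0x0F)
    return bytes(vals[i] | (vals[i + 1] << 4) for i in range(0, len(vals), 2))


if __name__ == "__main__":
    print(unpack_gsm7(bytes.fromhex("e8329bfd4697d9ec37"), 10))
    print(decode_reversed_nibbles(bytes.fromhex("4151550521f3")))
```

The packed forms are what to grep for in a physical dump: a number typed as “14155550123” never appears as ASCII in a BREW SMS store, but its six semi-octet bytes do.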
Carving
• It’s really just a regex/grep
• Certain data types have certain headers/signatures/footers on the data
• FF D8 FF E0 (the JFIF header) is one type of JPEG
• Can be done over a whole binary image or just the unallocated areas (possibly deleted items)
• Depending on what you’re looking for, you may use re.search(), re.findall(), or re.finditer()
• Data can then be exported to whatever file format you want or added to a mobile-forensic tool’s data tree
Carving
Standalone Utilities
Mostly using Qt, because everything else is horrible
Standalone Utilities
Wireless analysis
modules/libraries I use
• os, sys, json, struct, binascii, base64, hashlib, argparse, time, datetime, re, etc…
• geopy – geolocation/geocoding, mapping, openstreetmaps, etc.
• simplekml – create KML files
• pygle – work with wigle.net
• requests, urllib2, tweepy – for grabbing thingies off the interwebz
• subprocess – running other programs, opening Google Earth instances, etc.
• sqlite3, csv
• pandas, matplotlib – chewing on data and plotting
online APIs I use
• wigle – wireless mapping, wardriving
• macvendors – OUI vs vendor/manufacturer
• Google Geolocation and Geocoding
• OpenStreetMaps, Nominatim from geopy
• opencellid.org (db download available)
• Mozilla Location Services (db download available)
Summary
• There’s lots of data on phones in our futuristic world
• No product will be able to decode/parse all of it
• Python is cool and several mobile-forensics tools include a way to
extend functionality with Python
• We can use Python to decode/parse custom data types and
unsupported apps
• @ArdJect on Twitter
• kim@h11dfs.com for official things

More Related Content

What's hot

Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1Jinalkakadiya
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformJason Letourneau
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...yaminohime
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...yaminohime
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storage
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - StorageUnderstanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storage
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storageyaminohime
 
Computer Basics Tutorial By Stud Mentor
Computer Basics Tutorial By Stud MentorComputer Basics Tutorial By Stud Mentor
Computer Basics Tutorial By Stud MentorStud Mentor
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...OWASP Turkiye
 
Forensics intro
Forensics introForensics intro
Forensics introtest tt
 

What's hot (10)

Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 15 - Comput...
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 4 - Input a...
 
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storage
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - StorageUnderstanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storage
Understanding Computers: Today and Tomorrow, 13th Edition Chapter 3 - Storage
 
Computer Basics Tutorial By Stud Mentor
Computer Basics Tutorial By Stud MentorComputer Basics Tutorial By Stud Mentor
Computer Basics Tutorial By Stud Mentor
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
 
Uc14 chap05
Uc14 chap05Uc14 chap05
Uc14 chap05
 
Uc14 chap02
Uc14 chap02Uc14 chap02
Uc14 chap02
 
Forensics intro
Forensics introForensics intro
Forensics intro
 

Similar to Why cant all_data_be_the_same

Mobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxMobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxgouriuplenchwar63
 
Digital forensics track schroader-rob when forensics collide
Digital forensics track schroader-rob when forensics collideDigital forensics track schroader-rob when forensics collide
Digital forensics track schroader-rob when forensics collideISSA LA
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologySam Bowne
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...NCCOMMS
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniInvestigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniDr Raghu Khimani
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowWinston & Strawn LLP
 
IOT Oversharing: 
Stop Sending My Stuff to the Cloud
IOT Oversharing: 
Stop Sending My Stuff to the CloudIOT Oversharing: 
Stop Sending My Stuff to the Cloud
IOT Oversharing: 
Stop Sending My Stuff to the CloudRamin Firoozye
 
Presentation cyber forensics & ethical hacking
Presentation   cyber forensics & ethical hackingPresentation   cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingAmbuj Kumar
 
Draft current state of digital forensic and data science
Draft current state of digital forensic and data science Draft current state of digital forensic and data science
Draft current state of digital forensic and data science Damir Delija
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsSloan Carne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 

Similar to Why cant all_data_be_the_same (20)

Mobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxMobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptx
 
Digital forensics track schroader-rob when forensics collide
Digital forensics track schroader-rob when forensics collideDigital forensics track schroader-rob when forensics collide
Digital forensics track schroader-rob when forensics collide
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis Methodology
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniInvestigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
IOT Oversharing: 
Stop Sending My Stuff to the Cloud
IOT Oversharing: 
Stop Sending My Stuff to the CloudIOT Oversharing: 
Stop Sending My Stuff to the Cloud
IOT Oversharing: 
Stop Sending My Stuff to the Cloud
 
Lect 6 computer forensics
Lect 6 computer forensicsLect 6 computer forensics
Lect 6 computer forensics
 
Presentation cyber forensics & ethical hacking
Presentation   cyber forensics & ethical hackingPresentation   cyber forensics & ethical hacking
Presentation cyber forensics & ethical hacking
 
Draft current state of digital forensic and data science
Draft current state of digital forensic and data science Draft current state of digital forensic and data science
Draft current state of digital forensic and data science
 
Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
 
Exo cortex
Exo cortexExo cortex
Exo cortex
 

Recently uploaded

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
DMCC Future of Trade Web3 - Special Edition

Why Can’t all Data be the Same? (slide transcript)

Why Can’t all Data be the Same?
Python in the Mobile-Forensics World
Kim Thomson
H-11 Digital Forensics
kim@h11dfs.com

who am I?
• Retired SIGINT Soldier
• Nerd
• I love all things wireless
• My passion is extraction/recovery and decoding of phone/device data
• I teach courses in mobile forensics, chipoff for mobile forensics, JTAG-ISP for mobile forensics, Python for mobile forensics, smartphone analysis, and wireless tracking, mapping, and analysis
• I settled into mobile forensics because of the variety of areas within the field
• kim@h11dfs.com

mobile forensics =
The discovery, recovery, examination, analysis, and reporting of data from mobile devices, generally to aid in some sort of investigation.
Mobile forensics involves:
• Extracting
• Parsing
• Organizing
• Correlating
• Reporting

what’s the point?
One of the persistent challenges of mobile forensics or mobile data recovery is getting the data in a reportable format.
As no two phones are the same, decoding the data into something usable can be a problem. Nearly every phone will have some sort of unique data on it.
Simply obtaining the data usually isn’t good enough. It has to be made presentable.

mobile forensics challenges
• Finding the data
  • Phone, mobile network, SIM, SD card, cloud?
• Extracting the data
  • Security locks (PINs, passwords, patterns, etc.), port difficulties, USB debugging?
• Decoding the data
  • Character encodings, file formats, database types, unknown/new apps?
• Analyzing the data
  • What does it mean?

mobile forensics challenges - 2
• Many paths into digital forensics
• Most are not technical
• Python is scary

finding the data
• Cloud
  • Many types of data simply aren’t found on the phone
  • Depending on the case, may or may not be trivial to obtain
• SIM
  • Not used for much data these days apart from last Location Area Code (LAC) and account info
  • Can contain old, deleted data from previous phones
• SD Card
  • Apart from the phone itself, probably the most important piece
  • Full of media and app data, backups, etc.
  • May contain data from previously-used phones

finding the data
• Service Provider’s Network
  • Tower dumps, subscriber data, call-detail/data records (CDR), SMS, MMS, data usage, web sites accessed, etc.
  • CDRs continue to be a prime source of location and activity information; must be obtained with proper legal authority
• Synced devices
  • Chrome, iCloud, Firefox, OneDrive, Dropbox, e-mail accounts, etc.
  • Can contain web histories, connected WiFi networks, calls, contacts, e-mail, synced files, etc.

finding the data
• Phone
  • Calls, contacts, messaging, e-mails, media, location data, account info
  • Databases, logs, event histories, connection timelines
  • Connected cells, WiFi nets, application usage history, network usage statistics, synced Bluetooth devices…
  • Basically the user’s entire life may be found on the phone
The importance of the phone data cannot be overestimated. In 2018, I can personally guarantee that we will never see ALL the info on a device. There’s simply too much of it.

phone extraction types
[Figure: the three extraction types (Logical, File System, Physical) mapped against the storage areas they reach: Available Area for Digital Storage, Operating System Files, Unallocated Area]
• What you see on the mobile device screen is what you get (sometimes?)
• Some data is not always recoverable
• An extraction copy in mobile forensics is not necessarily a bit-stream clone/image as with computer forensics

logical extraction
• Originally based on AT commands, talking to the internal modem
• Simple, what you see is what you get
• Relatively fast (unless they have loads of media on the phone)
• Will recover no truly deleted data
• May recover “deleted” database entries (calls, chats, contacts, etc.)
• Excellent choice for a “quick look”
• Can be stymied by different versions of an OS or blocked/disabled USB ports
• For Android and others, usually requires the installation of an extraction client (APK)
• Usually not possible on a locked phone (passcode/pattern/PIN)

file-system extraction
• Usually “good enough” depending on the phone (Android)
• Depending on the phone, may or may not be possible
  • Jailbroken iPhone, rooted Android
  • Other OS… maybe, maybe not
• Analogous to copy-paste of all files in the file system; no truly deleted items
• Can be blocked by security protocols in Android and iOS
• There are “lesser” file-system extractions
  • Android Debug Bridge (ADB) backup
  • iTunes backup
  • Partial file system based on MTP vulnerabilities in Android

physical extraction
• This has always been the real goal: get ALL the data on the phone… all the 1s and 0s
• Analogous to a physical image (dd) of a hard drive
• Requires root permissions in Android; most of the time just a temp root
• After the iPhone 4, impossible (improbable?) on iOS devices
• Gives the examiner the possibility of recovering truly deleted data
  • Media
  • Deleted files, not just DB entries
• Getting a full physical extraction of a device has sometimes been rather difficult

automated-tool vendors
• Cellebrite
  • UFED
  • Physical Analyzer
• MicroSystemation
  • XRY
• Oxygen
• Magnet Forensics
  • Axiom Process
  • Axiom Examine

benefits of automated tools
• Widely used
• Well-funded and researched
• Faster
• Easier
• Require less technical expertise
• In most cases, you only need to follow the instructions

benefits of automated tools
• Besides providing the extraction of data from the mobile device, these tools also do the decoding, or parsing, of the data automagically
• Analytical tools are also included
• Reporting tools are also included
• Customer support
• Clicky buttons

problems with automated tools
• When they don’t work, they don’t work
• If a device isn’t supported, then you may not be able to find support at all for it
  • It may be possible, but sometimes it’s difficult to figure out which other method may work
• They are, depending on your background and point of view, insanely expensive
• Automated tools produce… and there is no nice way to put this… the script kiddies of the mobile-forensics world
  • They don’t exactly produce a “technically-advanced user” necessarily
• They don’t (and can’t) decode ALL the data on a phone

biggest problem with automated tools
“If we don’t find it, it’s not there…”

moving beyond automated tools
• Carving for deleted records in whatever format they happen to be in
• Parsing previously-unknown or unsupported apps for data (usually SQLite)
  • How many apps exist for iOS and Android???
• Log parsing
• Parsing binary files in burner phones (usually proprietary formats)
• Writing scripts to find data in the binary dump of a phone whose file system can’t be reconstructed
• Correlating phone data with external sources (cell towers, wifi networks, other geolocation data)

questions to ask
• Do I have all the data/evidence I need?
• What else do I need?
• In what format might it be stored?
• How can I convert it?
• Where can I put it?
  • In the automated tool’s project tree
  • CSV file?
  • Database?
  • External report?
• IS IT WORTH THE TIME???

phone data problems
• Timestamp formats
  • GPS epoch in BREW phones (feature phones)
  • Unix, seconds, milliseconds, microseconds, decimal, hex LE and BE…
  • NSDates
  • Mediatek
  • Straight hexadecimal
• Flash memory storage characteristics
• ENCRYPTION!!
• File system
  • Individual app files
• Different file types
  • SQLite databases
  • XML/JSON
  • Proprietary DBs
  • Straight hex/binary files
  • Plists/proprietary logs
• Different encodings
  • 7-bit GSM alphabet data encoding (cheap phones)
  • ASCII vs. UTF-16 vs. UTF-8 vs. LE vs. BE
  • Base64, Base32
  • Reversed nibbles
  • Straight hex integer
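The timestamp and encoding items on this slide are the ones that most often need hand-decoding before anything can go in a report. The following Python is an added example, not code from the slides or from H-11 Digital Forensics: it converts Unix counts in seconds, milliseconds or microseconds, NSDate (seconds since 2001) and GPS (seconds since 1980-01-06) values, a 32-bit hex value in either byte order, reversed-nibble BCD digits as found on a SIM or in SMS PDU address fields, and the GSM 7-bit packed alphabet. The epoch offsets and the GSM 03.38 default table are standard values; the helper names are my own, and the sample inputs (a 2018-01-01 timestamp, a made-up phone number, the packed string for "hellohello") are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epoch offsets in seconds relative to the Unix epoch (1970-01-01 00:00:00 UTC).
NSDATE_EPOCH_OFFSET = 978307200   # 2001-01-01 00:00:00 UTC, Apple NSDate / Core Data
GPS_EPOCH_OFFSET = 315964800      # 1980-01-06 00:00:00 UTC, GPS week 0 (BREW feature phones)


def unix_to_utc(seconds):
    """Unix seconds (int or float) to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def guess_unix_unit(value):
    """Pick seconds / milliseconds / microseconds from the magnitude of a count.
    Below 1e11 reads as seconds (valid until the year 5138), below 1e14 as
    milliseconds, anything larger as microseconds. It is a heuristic: confirm
    it against a known event on the handset before relying on it."""
    v = abs(int(value))
    if v < 10 ** 11:
        return "s"
    if v < 10 ** 14:
        return "ms"
    return "us"


def decode_timestamp(value, kind="unix"):
    """Convert one raw timestamp to a UTC datetime.
    kind: 'unix'   integer count, unit guessed (s / ms / us)
          'nsdate' seconds since 2001-01-01 (iOS / macOS)
          'gps'    seconds since 1980-01-06 (leap seconds ignored here)
          'hex_le' / 'hex_be' hex string holding a 32-bit Unix-seconds value"""
    if kind == "unix":
        divisor = {"s": 1, "ms": 10 ** 3, "us": 10 ** 6}[guess_unix_unit(value)]
        return unix_to_utc(int(value) / divisor)
    if kind == "nsdate":
        return unix_to_utc(float(value) + NSDATE_EPOCH_OFFSET)
    if kind == "gps":
        return unix_to_utc(float(value) + GPS_EPOCH_OFFSET)
    if kind in ("hex_le", "hex_be"):
        fmt = "<I" if kind == "hex_le" else ">I"
        return unix_to_utc(struct.unpack(fmt, bytes.fromhex(value))[0])
    raise ValueError("unknown timestamp kind: %r" % kind)


# Telephony BCD: two digits per byte, low nibble first; 0xF fills an odd count.
TBCD_DIGITS = "0123456789*#abc"


def reversed_nibbles_to_digits(data):
    """Decode a swapped-nibble (reversed-nibble BCD) number, the layout used in
    SIM files and SMS PDU address fields."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler: end of an odd-length number
                return "".join(out)
            out.append(TBCD_DIGITS[nibble])
    return "".join(out)


# GSM 03.38 default 7-bit alphabet, index = septet value (128 entries).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def gsm7_unpack(data, septets=None):
    """Unpack GSM 7-bit packed text: an LSB-first bit stream, seven bits per
    character. 'septets' is the character count from the PDU's user-data
    length; without it, a byte length that is a multiple of 7 yields one
    trailing padding '@' (7 bytes = 56 bits = 8 septets but only 7 characters)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7:
            out.append(GSM7_BASIC[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    text = "".join(out)
    return text if septets is None else text[:septets]
```

The unit heuristic in guess_unix_unit is the weak point: a millisecond count from a cheap handset whose clock was never set can fall into the "seconds" band, so the first thing to check on any new database is one row whose real time you already know.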
phone data problems
There’s nothing quite like an IP address represented in hex, changed to little-endian, converted to a signed decimal integer and stored as ASCII in a SQLite DB along with other connection attributes with a nondescript entry name to make you lose faith in humanity. Seriously…?
0xCA21F10A → -903745270 → 0A F1 21 CA → 10:241:33:202
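Working that chain backwards in code, as an added example that is not from the slides: the only facts needed are that the stored text is a 32-bit integer (signed here, but the mask makes the unsigned form decode identically) and that the integer's bytes are the address in little-endian order. The second helper keeps every intermediate form so the report can show how the stored number became an address, and also shows the big-endian reading, which is the first alternative to rule out when a decoded address looks wrong. Both helper names are my own.

```python
import socket
import struct


def decode_le_int_ip(stored):
    """Recover a dotted-quad IPv4 address from a value that was produced by
    reading the four address bytes as a little-endian 32-bit integer and then
    writing that integer (signed or unsigned, as a number or as text) into a
    database column."""
    value = int(str(stored).strip())
    raw = struct.pack("<I", value & 0xFFFFFFFF)   # -903745270 and 3391222026 are the same four bytes
    return socket.inet_ntoa(raw)


def explain_ip_chain(stored):
    """Every intermediate representation from the slide, for the report.
    Comments show the values for the slide's input "-903745270"."""
    value = int(str(stored).strip())
    unsigned = value & 0xFFFFFFFF
    le_bytes = struct.pack("<I", unsigned)
    return {
        "stored": str(stored),
        "signed_int32": struct.unpack("<i", le_bytes)[0],                   # -903745270
        "hex": "0x%08X" % unsigned,                                          # 0xCA21F10A
        "bytes_le": " ".join("%02X" % b for b in le_bytes),                  # 0A F1 21 CA
        "ip_if_little_endian": socket.inet_ntoa(le_bytes),                   # 10.241.33.202
        "ip_if_big_endian": socket.inet_ntoa(struct.pack(">I", unsigned)),   # 202.33.241.10
    }
```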
user data
• Calls
• Contacts
• Messaging
• Location data
• E-mails
• Paired devices
• WiFi networks
• Cookies, web history, videos, music, recordings, images, cell towers, account data, visited web pages, bookmarks, notes, notifications, open apps, usage history, powering events, network statistics, a compromising picture you took then deleted, etc….

how do we see the data?
• AccessData FTK Imager (free)
  • http://marketing.accessdata.com/ftkimager4.2.0
• 7-zip (for some dd images and phone dumps)
• Autopsy and Sleuthkit (FOSS)
• Medusa Pro or Octoplus Pro Software (about 160 bucks)
• Cellebrite Physical Analyzer (paid)
• Oxygen Detective (paid)
• Magnet Axiom (paid)

Looking at the data – Cellebrite Physical Analyzer

Looking at the data – Autopsy

Looking at the data – FTK Imager

Looking at the data – Octoplus/Medusa

What about Python?
• Case management, logs, moving files, blah, blah, blah
• Extracting data from SQLite databases for unsupported applications
• Parsing all the files of importance in “burner” phones
  • They tend to not be well supported since they are VERY proprietary
  • Phonebook, calls, SMS, device information, etc.
• Carving through unallocated space to find deleted remnants of things
  • JSON, XML, logs, DB fragments...
• Carving through the binary dump of a phone that doesn’t parse at all (KMN)
• Standalone utilities for manual data decoding/searches/conversions/etc.

SQLite
• Easy
• Majority of apps in Android and iOS use SQLite
• Cellebrite and Magnet (Axiom) both have their own wrapper on sqlite3 to only allow reads and no writes or “queries”. Every line of a table is read as a dictionary. Dictionary keys are the column names.
• Whether I write something for Cellebrite or external to Cellebrite depends on two things:
  • Does Cellebrite have a category for the type of data?
  • Who and what am I writing it for?

SQLite in Cellebrite
DB: macvendors.db
Table: macvendors
Columns: ‘mac’ and ‘vendor’
• Cellebrite’s SQLiteParser wants to read every line by default.
• For most types of apps we want every line.
  • Calls
  • Contacts
  • Chats
  • Messages
  • Cell Towers

SQLite strengths
• Standardized, used everywhere
• Analysis is relatively simple
• Tools abound to read and recover data from SQLite DBs
• Once you’ve written one parser for a messaging app, you can write another with small modifications
• SQLite in Python is easy
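An added Python example of the read-only, every-row-as-a-dictionary behaviour the last three slides describe, written against the standard sqlite3 module rather than Cellebrite's or Axiom's wrapper (their APIs are not shown on the slides and are not reproduced here). The macvendors.db layout, table macvendors with columns mac and vendor, is the one from the slide; the rows are constructed placeholders, not a real OUI list, and the helper names are mine. The read-only open matters for evidence handling: a script that accidentally writes to a database changes the hash of the file it came from.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample rows (not a real OUI list): first three octets -> vendor.
SAMPLE_ROWS = [
    ("AA:BB:01", "Example Vendor A"),
    ("AA:BB:02", "Example Vendor B"),
    ("AA:BB:03", "Example Vendor C"),
]


def build_sample_db(path):
    """Create macvendors.db with the table and columns named on the slide."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE macvendors (mac TEXT PRIMARY KEY, vendor TEXT)")
    con.executemany("INSERT INTO macvendors VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def open_read_only(path):
    """Open an evidence database with no chance of modifying it: the mode=ro
    URI flag makes SQLite refuse writes, and sqlite3.Row gives rows that can
    be indexed by column name and turned into dicts."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    return con


def read_all_rows(con, table):
    """Every line of the table as a dict keyed by column name. The table name
    cannot be bound as a query parameter, so it is checked against
    sqlite_master instead of being trusted."""
    known = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if table not in known:
        raise ValueError("no such table: %s" % table)
    return [dict(row) for row in con.execute('SELECT * FROM "%s"' % table)]


def lookup_vendor(con, mac):
    """OUI (first three octets) to vendor; accepts aa-bb-01-... or AA:BB:01:... forms."""
    oui = mac.upper().replace("-", ":")[:8]
    row = con.execute("SELECT vendor FROM macvendors WHERE mac = ?", (oui,)).fetchone()
    return row["vendor"] if row else None


def write_is_blocked(con):
    """True when the connection really is read-only: an INSERT must fail."""
    try:
        con.execute("INSERT INTO macvendors VALUES ('FF:FF:FF', 'should not land')")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Build the sample DB in a temp dir, then read it the read-only way."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "macvendors.db")
    build_sample_db(path)
    con = open_read_only(path)
    try:
        return {
            "rows": read_all_rows(con, "macvendors"),
            "vendor": lookup_vendor(con, "aa-bb-02-12-34-56"),
            "unknown": lookup_vendor(con, "00:11:22:33:44:55"),
            "read_only": write_is_blocked(con),
        }
    finally:
        con.close()
```

A messaging-app parser built on this skeleton only changes the table name, the lookup query, and what is done with each dict, which is the "small modifications" point the slide makes.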
BREW phone (every crappy flip phone)
• Proprietary file systems, app structures, databases, etc.
• Not well supported by most mobile-forensic tools
• Every model is different
• Very common to get a full physical extraction but have no parsed data
• You have to either do everything manually or write some stuff to parse it into a presentable format

Carving
• It’s really just a regex/grep
• Certain data types have certain headers/signatures/footers on the data
  • xFF xD8 xFF xE0 is one type of JPEG
• Can be done over a whole binary image or just the unallocated areas (possibly deleted items)
• Depending on what you’re looking for, you may use re.search(), re.findall(), or re.finditer()
• Data can then be exported to whatever file format you want or added to a mobile-forensic tool’s data tree
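The header/footer search described above, as an added example that is not from the slides: it runs re.finditer() over a constructed in-memory image so the offsets can be checked by hand. The FF D8 FF E0 signature is the one on the slide; FF D8 FF E1 (the Exif variant) and the FF D9 end-of-image marker are standard JPEG markers I am adding, and the helper names are my own. The sample image is built from deterministic filler that contains no JPEG markers, two small fake JPEGs, and one header whose footer is missing, to show how a truncated hit is reported rather than silently dropped.

```python
import hashlib
import re

# Signatures: JFIF files start FF D8 FF E0, Exif files FF D8 FF E1; both end with FF D9.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")
JPEG_FOOTER = re.compile(rb"\xff\xd9")


def carve_jpegs(data, max_size=4 * 1024 * 1024):
    """Walk a binary image with re.finditer() (it yields match objects, so we
    keep the offsets that re.findall() would throw away) and cut out every
    region from a JPEG header to the next FF D9 footer. A header with no
    footer inside max_size is reported as truncated instead of dropped.
    Embedded Exif thumbnails are JPEGs too, so one hit can lie inside an
    earlier one; the offsets in the result let a reviewer see that."""
    carved = []
    for match in JPEG_HEADER.finditer(data):
        start = match.start()
        limit = min(len(data), start + max_size)
        footer = JPEG_FOOTER.search(data, match.end(), limit)
        end = footer.end() if footer else limit
        blob = data[start:end]
        carved.append({
            "offset": start,
            "size": len(blob),
            "truncated": footer is None,
            "kind": "JFIF" if data[start + 3] == 0xE0 else "Exif",
            "sha256": hashlib.sha256(blob).hexdigest(),   # for the report and for de-duplication
            "data": blob,
        })
    return carved


def build_sample_image():
    """Constructed test image (not real evidence): deterministic filler around
    two small fake JPEGs and one header whose footer was overwritten."""
    filler = bytes(range(256)) * 2          # FF is always followed by 00, so no FF D8 FF or FF D9
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    exif = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"B" * 60 + b"\xff\xd9"
    partial = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"C" * 20   # no FF D9: truncated
    return filler + jfif + b"\x00" * 64 + exif + filler + partial


def carve_summary(data=None):
    """Offsets, sizes and flags only: the fields you would export to CSV or
    push into a tool's data tree."""
    data = build_sample_image() if data is None else data
    return [(c["offset"], c["size"], c["kind"], c["truncated"]) for c in carve_jpegs(data)]
```

On a real image the same loop is applied to the unallocated extent rather than the whole dump when only deleted items are of interest, and the per-object hash is what lets the carved files be matched against the ones the automated tool already reported.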
Standalone utilities
Mostly using Qt, because everything else is horrible

modules/libraries I use
• os, sys, json, struct, binascii, base64, hashlib, argparse, time, datetime, re, etc…
• geopy – geolocation/geocoding, mapping, openstreetmaps, etc.
• simplekml – create KML files
• pygle – work with wigle.net
• requests, urllib2, tweepy – for grabbing thingies off the interwebz
• subprocess – running other programs, opening Google Earth instances, etc.
• sqlite3, csv
• pandas, matplotlib – chewing on data and plotting

online APIs I use
• wigle – wireless mapping, wardriving
• macvendors – OUI vs vendor/manufacturer
• Google Geolocation and Geocoding
• OpenStreetMaps, Nominatim from geopy
• opencellid.org (db download available)
• Mozilla Location Services (db download available)

Summary
• There’s lots of data on phones in our futuristic world
• No product will be able to decode/parse all of it
• Python is cool and several mobile-forensics tools include a way to extend functionality with Python
• We can use Python to decode/parse custom data types and unsupported apps
• @ArdJect on Twitter
• kim@h11dfs.com for official things