
Android Forensics with Free/Open Source Tools - DroidconIT_2016

Android Forensics with Free/Open Source Tools - DroidconIT_2016 7-8 Turin

  1. $WHOAMI • Graduated from the University of Camerino • Reviewer and writer of articles for Hakin9, eForensics Magazine and PenTest Magazine • Writer of articles for Hacker Journal • eCPPT certified – Professional Penetration Tester • Member of IISFA (International Information Systems Forensics Association) • Member of ONIF (Osservatorio Nazionale Informatica Forense) • Security Expert, System Analyst and Trainer for Tiger Security Srl
  2. What is Digital Forensics? • “Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime” • Mobile device forensics is a branch of digital forensics which deals with extracting, recovering and analyzing digital evidence or data from a mobile device under forensically sound conditions.
  3. Phases in Mobile Forensics • Investigation • Seizure and Isolation • Acquisition • Examination and Analysis • Reporting
  4. Very important questions • Is the device turned on? • Is the device turned off? • If it is turned on, is it protected with a passcode? • If it is turned on, is it unlocked? • …
  5. Prevent alteration of data • Flight Mode • Faraday Bag • Eject SIM Card
  6. Pay attention at shutdown!! • You can shut down even though the smartphone is locked! • Is there a PIN after reboot? • Total loss of the data loaded into RAM!!
  7. Acquisition • Mainly we have two types of acquisition
  8. Logical Acquisition • Logical extraction is analogous to copying and pasting a folder in order to extract data from a system • If any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder
  9. Logical Acquisition • Deleted data can be recovered from a logical extraction only if it is stored in a SQLite database • The data that can be recovered is: 1. Contacts 2. Call logs 3. SMS/MMS 4. Application data 5. System logs and information
  10. Logical Acquisition – File System directory
  11. Logical Acquisition – File System directory
  12. Hey man, I have a lock screen! • Hey bro… what kind of lock screen have you got?!?
  13. Hey man, I have a lock screen! • Break the Passcode!! 😎
  14. Hey man, I have a lock screen! • Break the Passcode!! 😎 We can delete this file!!
  15. Hey man, I have a lock screen! • Break the Passcode!! 😎 • The PIN key is located in /data/system/password.key • Not easy to decrypt, it depends on the strength of the password!! We can delete this file!!
  16. Logical Acquisition with ADB • This tool is awesome in a lot of cases • For example, in a small investigation, with the simple command pull we can, obviously, pull single files or entire directories directly from the device to the examiner's computer
  17. Logical Acquisition with ADB
  18. Logical Acquisition with ADB
  19. Logical Acquisition with ADB • Using ADB is possible when we have USB Debugging active • If we haven't got it, WTF do we do?!?!?
  20. Logical Acquisition with ADB
  21. Logical Acquisition with ADB • When the device is in bootloader mode, the fastboot protocol could be used! • Is the bootloader protected? • YES = S-ON; active protection, inhibited protocol • NO = S-OFF; inhibited protection, active protocol • Exploit to get S-OFF
  22. Physical Extraction • Physical extraction is an exact bit-for-bit image of electronic media • With this extraction we can extract everything! • We could perform a physical extraction simply with the dd Linux command
  23. Physical Extraction
  24. Free/Open tools
  25. Free/Open tools • http://www.caine-live.net • http://www.deftlinux.net/it/
  26. Free/Open tools
  27. Demo!
  28. Contact me • @samaritan_o • https://www.facebook.com/dikkemberg • https://it.linkedin.com/in/alessandrodicarlo92 • https://keybase.io/samaritan • alessandro.dicarlo@yahoo.it • alessandro.dicarlo@tigersecurity.pro • www.alessandrodicarlo.com (Under Maintenance, online on 11-04-2016)
  29. Thank you!
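An added example, not code from the slides or the speaker: a small POSIX shell helper wrapping the two acquisition paths described in slides 16 and 22 (adb pull for logical, dd for physical) and recording SHA-256 hashes so the examiner can later show the copy was not altered. It assumes `adb` on PATH with USB Debugging enabled; the physical path additionally assumes a rooted device with a `su` binary and a block device path identified beforehand.

```shell
#!/bin/sh
# Added example (not from the slides). Assumes `adb` on PATH with USB debugging
# enabled; acquire_physical further assumes a rooted device with `su` and a
# block device path chosen beforehand (e.g. from `adb shell cat /proc/partitions`).
set -e
# SHA-256 of one file, using whichever tool the examiner workstation has.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Write "<sha256>  <relative path>" for every regular file under $1 into $2
# and print the number of files hashed (paths containing newlines not handled).
hash_manifest() {
  dir=$1; out=$2; : > "$out"
  ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
    printf '%s  %s\n' "$(sha256 "$dir/$f")" "$f" >> "$out"
  done
  wc -l < "$out" | tr -d ' '
}

# Re-hash the evidence copy against its manifest; exit status 0 only if every
# file still matches, so a later transfer or analysis step can be checked.
verify_manifest() {
  dir=$1; manifest=$2; bad=0
  while read -r h f; do
    [ "$(sha256 "$dir/$f")" = "$h" ] || { echo "MISMATCH: $f" >&2; bad=1; }
  done < "$manifest"
  return $bad
}

# Logical acquisition (slide 16): adb pull one device directory, then hash it.
acquire_logical() {
  adb pull "$1" "$2"
  hash_manifest "$2" "$2.sha256"
}

# Physical acquisition (slide 22): stream a raw block device through adb
# (exec-out keeps the bytes unmangled) into an image file, then hash the image.
acquire_physical() {
  adb exec-out "su -c 'dd if=$1 bs=4M 2>/dev/null'" > "$2"
  sha256 "$2" > "$2.sha256"
}

# Usage: ./acquire.sh logical /sdcard ./case01_sdcard   |   ./acquire.sh physical /dev/block/mmcblk0 ./case01_full.dd
if [ "$#" -eq 3 ]; then
  case $1 in
    logical)  acquire_logical "$2" "$3" ;;
    physical) acquire_physical "$2" "$3" ;;
  esac
fi
```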
