Tisa mobile forensic


IOS Forensic


1. Mobile/Smart Phone Forensic
   Watcharaphon Wongaphai, Senior Information Security Instructor
   GIAC GCFA, SSCP, E|CSA, C|EH, CNE6, Security+, Network+, CCNA
   Prathan Phongthiproek, Section Manager, Senior Information Security Consultant
   GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F
   ACIS Professional Center

2. Outline
   1) Introduction to Mobile Forensics
   2) Forensic Analysis of the iPhone
      - Jailbroken device
      - iTunes backup files
3. Forensic Soundness
   • What does it mean for disk forensics?
   • Does it mean the same thing for mobile devices?
   • Mobile devices are volatile by nature
     – The real-time clock changes memory contents all the time
     – Acquiring SMS messages may change their status to "Read"
     – Some tools run code on the device itself!
   • Our goal is to change as little as possible
     – For example, disable automatic sync when using BlackBerry Desktop Manager, and disable conversion to local time in ABC Amber Converter

4. Evidence Take-In and Chain of Custody
   • Document the scene
     – Handle with care, and with gloves!
     – For the Chain of Custody form, find the serial number
     – Don't forget MicroSD cards!
     – Photograph the device where it is found
     – Document what is showing on the screen, if anything
     – Power concerns
     – Take cables and documentation

5. Blocking Network Connectivity
   • Disable the radio
     – How can you be sure it's disabled?
   • Faraday isolation
     – Not all products are created equal!
     – Usually causes the battery to be depleted more quickly
   • Use a "safe" SIM card
   • Remember, you want to cut off the phone's connectivity to the service provider, as well as its Wi-Fi and Bluetooth connectivity
   • Exercise: Disable network connectivity on your own phone.
6. What / Where
   • What
     – Phone call database
     – E-mail and memos
     – SMS/MMS
     – Internet and LAN access
     – Visited URLs and saved pages
   • Where
     – Location information

7. Who / When
   • Who
     – Owner details and user accounts
     – Contacts and cohorts
     – Personalizations (wallpaper, ringtones)
   • When
     – Calendar items
     – File system metadata
     – Timestamps may not be immediately visible

8. Messaging
   • Short Message Service (SMS)
   • Multimedia Messaging Service (MMS)
   • Instant messaging
   • BlackBerry
     – PIN messages
     – BlackBerry IM

9. Internet Activities
   • Downloaded images and web pages
   • Email
   • Visited URLs
   • History log
   • Browser cache

10. Location Tracking
   • Location-based applications
     – Loopt
     – Google Latitude
     – Yahoo! Fire Eagle
     – Citysense
     – LifeBlog
     – Facebook (Friends on Fire)
     – Foursquare
     – Twitter

11. GPS Embedded in Photos
   • GPS coordinates embedded in Exif
   • The same Exif we talked about for disk forensics
   • This is often added automatically if the phone is GPS-aware.

12. Think Outside the Device
   • Past usage information
     – Network service provider records
     – Look for paper bills
   • Detailed history of usage
     – Date and duration of calls
     – Numbers called
     – SMS messages sent (no content retained)
   • The NSP maintains detailed records
     – Calling IMSI and IMEI
     – Called IMSI and IMEI
     – Location: first and last cell
     – Charging details
13. iPhone Forensics on a Jailbroken Device

14. Zdziarski Technique
   • Step by step
     1. Jailbreak the device
     2. Forensic acquisition over SSH
     3. Create an image of the user partition with dd
     4. Transfer the image to the examiner's machine with netcat
     5. Carve data from the image with scalpel
   [Figure: SSH connection]
   [Figure: dd image via netcat]
15. Zdziarski Technique
   • Example commands (the listener on the examiner's machine must be started before dd is run on the phone):

   On the phone, over SSH:

       andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2
       root@192.168.0.2's password:
       -sh-3.2# cd /
       -sh-3.2# umount -f /private/var
       -sh-3.2# mount -o ro /private/var
       -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000

   On the examiner's machine:

       andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096
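The two command lines above are the whole transfer, but an examiner also wants a hash of the image as it arrives, so it can be compared with a hash computed on the device and recorded on the chain-of-custody form. The script below is an added example, not code from the TISA slides or from Zdziarski's tools: it replaces `nc -l 7000 | dd of=./rdisk0s2 bs=4096` on the examiner side with a listener that writes the stream to disk and hashes every byte on the way through, then re-hashes the stored file. The port number, the idea of obtaining a device-side hash with a coreutils `sha1sum` installed via Cydia, and the 16 KiB fake partition used by `demo()` are assumptions and constructed sample data.

```python
"""Examiner-side receiver for a dd-over-netcat acquisition that hashes the
stream as it lands on disk.  Added example; not code from the TISA slides or
from Zdziarski's tools.  Assumes the device side is the command on the slide:
    /bin/dd if=/dev/rdisk0s2 bs=4096 | nc <examiner ip> 7000
"""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 4096  # mirrors bs=4096 used by dd on the device


def receive_image(conn, out_path):
    """Read from `conn` until the sender closes, write to `out_path`, and hash
    every byte on the way.  Returns (bytes_received, sha1_hex, md5_hex)."""
    sha1, md5, total = hashlib.sha1(), hashlib.md5(), 0
    with open(out_path, "wb") as out:
        while True:
            buf = conn.recv(CHUNK)
            if not buf:          # EOF: dd on the device finished and nc closed
                break
            out.write(buf)
            sha1.update(buf)
            md5.update(buf)
            total += len(buf)
    return total, sha1.hexdigest(), md5.hexdigest()


def listen_and_receive(out_path, port=7000, bind="0.0.0.0"):
    """Drop-in for `nc -l 7000 | dd of=./rdisk0s2 bs=4096`.  Start this first,
    then run the dd | nc pipeline on the phone."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            return receive_image(conn, out_path)


def verify_image(out_path, expected_sha1):
    """Re-hash the stored file and compare with the hash computed on the device
    (assumption: e.g. `sha1sum /dev/rdisk0s2` from a Cydia coreutils package).
    True only if the copy on disk matches exactly."""
    h = hashlib.sha1()
    with open(out_path, "rb") as f:
        for buf in iter(lambda: f.read(1 << 20), b""):
            h.update(buf)
    return h.hexdigest() == expected_sha1.lower()


def demo():
    """Offline stand-in for the phone: a constructed 16 KiB 'partition' pushed
    over a loopback socket pair.  Returns (bytes, stream_hash_ok, disk_hash_ok)."""
    fake_partition = bytes(range(256)) * 64          # constructed sample data
    device_side_hash = hashlib.sha1(fake_partition).hexdigest()
    phone_end, examiner_end = socket.socketpair()

    def phone():
        with phone_end:  # closing the socket is the EOF the receiver waits for
            for i in range(0, len(fake_partition), CHUNK):
                phone_end.sendall(fake_partition[i:i + CHUNK])

    sender = threading.Thread(target=phone)
    sender.start()
    fd, out_path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with examiner_end:
            total, sha1_hex, _md5 = receive_image(examiner_end, out_path)
        sender.join()
        return total, sha1_hex == device_side_hash, verify_image(out_path, device_side_hash)
    finally:
        os.remove(out_path)


if __name__ == "__main__":
    print(demo())
```

In a real acquisition `listen_and_receive("rdisk0s2.dd")` is started on the examiner's machine in place of the `nc -l` line, and both hashes it returns go onto the chain-of-custody form next to the device-side hash.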
16. Bypass Passcode
17. DiskAid
18. iPhone Explorer
19. iPhone Explorer: delete this file (shown in the screenshot) to bypass the passcode. Note that this modifies the device and must be documented, per the forensic soundness slide.
20. iPhone System path
21. What can be recovered?
22. Contacts
23. Calendar Events
24. SMS
25. Facebook Application
26–29. Geo-location Cache (four screenshot slides)
30. iPhone Forensics with iTunes Backup files
31. SYNC and Backup
   • After activation, a sync is conducted whenever the iPhone is connected to the computer
   • The user can define what is to be synced, including:
     • Music
     • Photos
     • Ringtones
     • Contacts & Calendars
     • Podcasts
     • Video
     • Third-party applications
   • Third-party applications can initiate the use of the iPhone as a file storage device

32. SYNC and Backup
   • Backup data location
     • Windows XP
       C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
     • Windows 7
       C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
     • Mac OS X
       /Users/(username)/Library/Application Support/MobileSync/Backup/
33. SYNC and Backup
   • Backup folder files
     • Many .mdbackup files
       • The file name is a SHA-1 hash; the data is serialized off the iPhone and stored as the backup file
     • Status.plist
       • Status of the last sync
     • Manifest.plist
       • List of all files backed up, with modification time and hash signature
     • Info.plist
       • Information about the iPhone (name, ICCID, IMEI, phone number, firmware version)
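To find a particular artefact in that folder you cannot look for a readable name: iTunes names each backup file with the SHA-1 hex digest of "<domain>-<path relative to that domain>" (for example HomeDomain-Library/SMS/sms.db), and older iTunes versions added a .mdbackup or .mddata extension to that name while newer ones store it with no extension. The following Python is an added example, not from the slides or from the tools listed later: it computes those names, looks for the well-known artefacts in a backup folder, and pulls the identifiers the slide mentions out of Info.plist. The sample backup folder it builds, including the IMEI, ICCID and phone number values, is constructed test data.

```python
"""Locate artefacts in an iTunes backup folder and read the device identifiers
from Info.plist.  Added example; not from the TISA slides or from the tools
they list.  Naming rule used: file name = SHA-1("<domain>-<path in domain>").
"""
import hashlib
import os
import plistlib
import tempfile

# Well-known artefacts: label -> (backup domain, path inside that domain)
ARTEFACTS = {
    "sms":      ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "calendar": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "notes":    ("HomeDomain", "Library/Notes/notes.sqlite"),
    "calls":    ("WirelessDomain", "Library/CallHistory/call_history.db"),
}

# Extensions seen on the hashed name, oldest iTunes first; "" = newer layout
EXTENSIONS = (".mdbackup", ".mddata", "")

# Keys the slide mentions (name, ICCID, IMEI, number, firmware) plus two extras
INFO_KEYS = ("Device Name", "ICCID", "IMEI", "Phone Number", "Product Version",
             "Serial Number", "Last Backup Date")


def backup_filename(domain, relpath):
    """Name iTunes gives the copy of `relpath` from `domain` (no extension)."""
    return hashlib.sha1(f"{domain}-{relpath}".encode("utf-8")).hexdigest()


def find_artefacts(backup_dir):
    """Map label -> on-disk path for every known artefact present in backup_dir."""
    found = {}
    for label, (domain, relpath) in ARTEFACTS.items():
        stem = backup_filename(domain, relpath)
        for ext in EXTENSIONS:
            candidate = os.path.join(backup_dir, stem + ext)
            if os.path.isfile(candidate):
                found[label] = candidate
                break
    return found


def device_info(backup_dir):
    """Pull the identifiers from Info.plist (binary and XML plists both parse)."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    return {k: info[k] for k in INFO_KEYS if k in info}


def build_sample_backup():
    """Constructed sample: an Info.plist with made-up identifiers and a stub
    sms.db stored under its hashed name, as in a real MobileSync/Backup folder."""
    d = tempfile.mkdtemp(prefix="Backup-")
    info = {
        "Device Name": "Example iPhone",
        "Product Version": "4.3.3",
        "IMEI": "012345678901234",          # constructed, not a real device
        "ICCID": "89660000000000000000",    # constructed
        "Phone Number": "+66 0 0000 0000",  # constructed
        "Serial Number": "EXAMPLE0000",     # constructed
    }
    with open(os.path.join(d, "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    with open(os.path.join(d, backup_filename(*ARTEFACTS["sms"])), "wb") as f:
        f.write(b"SQLite format 3\x00")     # header only; stands in for sms.db
    return d


if __name__ == "__main__":
    sample = build_sample_backup()
    print(device_info(sample))
    for label, path in find_artefacts(sample).items():
        print(label, "->", path)
```

Point `find_artefacts` and `device_info` at a real backup folder from one of the locations on the previous slide; the hashed name for sms.db (3d0d7e5fb2ce288813306e4d4636395e047a3d28) is the same in every backup because only the domain and path go into the digest.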
34. .mdbackup files
   • Safari history & bookmarks
   • Photos (from the phone & synced from iPhoto)
   • Sent & received SMS
   • Calendar events
   • Notes
   • Address Book entries
   • Call history
   • Cookies
   • Google Maps history
   • Email account settings
   • YouTube last search, last viewed & bookmarks data
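Once sms.db (or call_history.db, or the geo-location cache consolidated.db shown earlier) has been pulled out of the backup it is plain SQLite, but the warning on the "When" slide applies: the date column is an integer whose epoch depends on the iOS version (Unix seconds on iOS 4 and earlier, seconds since 2001-01-01 from iOS 5, nanoseconds since 2001-01-01 on recent versions), so a naive conversion puts messages decades off. The following Python is an added example, not from the slides or from any of the listed tools: it normalizes those epochs and lists messages with their direction. The `message` table layout it uses (ROWID, address, date, text, flags with 2 = received and 3 = sent) follows the iOS 4-era sms.db, and the two rows are constructed sample data.

```python
"""Read SMS rows out of an sms.db-style SQLite file and normalize the
timestamp epochs iOS has used.  Added example; not from the TISA slides or
from any listed tool.  Table layout assumed: the iOS 4-era `message` table
with columns ROWID, address, date, text, flags.
"""
import datetime as dt
import os
import sqlite3
import tempfile

UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
MAC_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)   # "Mac absolute time"
UNIX_2001 = 978307200          # Unix timestamp of 2001-01-01T00:00:00Z
FLAGS = {2: "received", 3: "sent", 33: "send failed"}   # iOS 4-era flags values


def normalize_timestamp(raw):
    """Return an aware UTC datetime for the integer stored in a `date` column.

    iOS <= 4 sms.db: Unix seconds.  iOS 5..10 (and consolidated.db): seconds
    since 2001-01-01.  iOS 11+: nanoseconds since 2001-01-01.  A value below
    the Unix time of 2001-01-01 cannot be a post-2001 Unix timestamp, so it is
    read as Mac absolute seconds; anything >= 1e15 is read as nanoseconds.
    """
    raw = int(raw)
    if raw >= 10**15:
        return MAC_EPOCH + dt.timedelta(seconds=raw // 10**9,
                                        microseconds=(raw % 10**9) // 1000)
    if raw < UNIX_2001:
        return MAC_EPOCH + dt.timedelta(seconds=raw)
    return UNIX_EPOCH + dt.timedelta(seconds=raw)


def extract_messages(db_path):
    """List messages oldest first with a readable direction and UTC time."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT ROWID, address, date, text, flags FROM message ORDER BY date"
        ).fetchall()
    finally:
        con.close()
    return [
        {
            "rowid": rowid,
            "address": address,
            "when": normalize_timestamp(date).isoformat(),
            "direction": FLAGS.get(flags, f"flags={flags}"),
            "text": text,
        }
        for rowid, address, date, text, flags in rows
    ]


def build_sample_sms_db():
    """Constructed stand-in for an iOS 4 sms.db: two messages, Unix epoch."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany(
        "INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)",
        [("+6600000001", 1325376000, "meet at 9", 2),   # 2012-01-01T00:00:00Z, received
         ("+6600000001", 1325376060, "ok", 3)],         # one minute later, sent
    )
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for m in extract_messages(build_sample_sms_db()):
        print(m)
```

The same `normalize_timestamp` applies to the Timestamp column of the consolidated.db geo-location cache, which stores seconds since 2001-01-01; reporting a raw value from either database as if it were Unix time silently shifts every event by 31 years.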
35. Forensic Analysis Tools for Backup files
   • iPhone Backup Extractor
   • iPhone Backup Analyzer
   • MobileSyncBrowser
   • MDBackupExtract
   • WOLF - Sixth Legion
   • Device Seizure - Paraben
36. Unprotected Backup files
37–38. Protected Backup files (two screenshot slides)
39. Elcomsoft Phone Password Breaker
   • Brute-force the backup password on the GPU
40. Brute-Force Backup password
41. Keychain Explorer #1
42–43. Keychain Explorer #2 (two screenshot slides)
44. iPhone Backup Extractor
45–47. iPhone Backup Analyzer (three screenshot slides)
48. http://www.TISA.or.th
   Copyright © 2012 TISA and its respective author (Thailand Information Security Association). Please contact: varapong@acisonline.net
