Speaker: Santhosh Kumar
Event: Defcon Kerala
Date: 8/03/2014
Android Forensic and Security Analysis
Android, the leading mobile operating system, is managed by Google, was first released in 2008 and now stands at version 4.4.x (KitKat). Studies show crime shifting from computer-centred to handheld-centred: crime against women and children, and abuse. Digital forensics practitioners and law enforcement agencies face hard new challenges when cracking down on such cases in the Android environment, and Google Play, with over a million active applications, adds to the pain.
The talk focuses on the various methods and the situations in which forensics is useful.
The methods are classified as logical and physical, ranging from breaking passcodes to exploring the NAND flash.
The talk also covers the places where information useful from a forensic point of view can be found.
Affected by a mobile cyber attack? Tortured by an Android smartphone? Relax, there is a solution for everything.
The talk also covers using both Windows and Linux as the forensic investigation environment.
Android, with the Linux kernel at its heart, can be a paradise when it comes to forensic data.
Various tools make this work faster.
Forensics is always useful, whether you come from a corporate environment or from a law enforcement agency.
2. r00t@b0x : whoami?
Security researcher for quite some time (certs: CEH).
POC at Defcon Chennai.
Currently working on ARM-based exploitation.
Reported some web app bugs to Microsoft, Yahoo, Intel, IBM, Cisco etc.
Currently doing a Bachelor's in Computer Science.
3. Agenda:
Introduction to Android and its history.
Study of the Android file systems and directories.
Bypassing passcodes (all types of locks).
Physical and logical data extraction techniques.
Reverse engineering Android applications.
Indian cyber laws.
4. Why forensics? What is this?
Evidence for legal proceedings.
Financial crime.
Pornography / child pornography (paedophiles).
Sexual harassment (against women).
Terrorist activity or national threats.
Cyber threats.
Counter-intelligence.
Murder and other crimes.
Eg: Georgia Weidman attacked at the CONFidence conference, Poland.
6. Introduction to Android: history
Widely used smartphone OS with over 77% market share in 2013.
Android was originally created by Andy Rubin and is now developed by Google (unveiled in 2007).
Android had over 900 million activated devices as per Google I/O 2013.
The Android Open Source Project (AOSP), built on Linux, is responsible for development, maintenance, commits and releases.
AOSP is licensed under GPL v2 (the Linux kernel) and Apache 2.0 (the rest of the platform). GPL v2 makes it mandatory to keep modified kernel source open; Apache 2.0 lets commercial entities keep their changes to the rest closed.
7. Android features
Android has key features which are useful from the forensic point of view.
Radios such as GSM, CDMA, LTE, WiMAX, Wi-Fi, Bluetooth etc.
The Google Play Store / Android Market is a rich source for forensic analysis.
Data storage:
Flash (NAND) memory.
Internal memory.
External memory.
8. Android overview: networks
Global System for Mobile Communications – GSM
Uses a Subscriber Identity Module or Universal Subscriber Identity Module (SIM or USIM) to identify the user to the cellular network. Eg: AT&T, T-Mobile (US); BSNL, Airtel (India).
Code Division Multiple Access – CDMA
Eg: Sprint, Verizon (US); Tata Docomo, MTS (India).
Integrated Digital Enhanced Network – iDEN
Not yet available in India; US: Sprint.
Worldwide Interoperability for Microwave Access – WiMAX
US: Sprint; India: BSNL, Reliance.
Long Term Evolution – LTE (4G)
US: AT&T, Sprint, T-Mobile, Verizon; India: Airtel, Aircel (TD-LTE).
10. Android overview: apps
The total number of Android apps crossed 1 million in November 2013, with another 70,000 published in January 2014.
The competitor, Apple, has a strict app submission and review process which can take a long time and imposes many criteria and conditions; sometimes apps are rejected after a long review, and iOS does not allow apps from outside the App Store.
Google requires much less to submit an app (essentially a signing key), while keeping the power to remove an app from the store, ban the developer and remotely uninstall the app from devices.
11. AOSP importance
As said earlier, AOSP handles development and publishes new versions and fixes.
Compiling AOSP is the best way to understand how Android works:
http://source.android.com/source/initializing.html
Not necessary for forensic analysts, but useful for deep experimentation.
We won't be doing that now.
12. Linux and open source software in forensics
Open source forensic tools have a practical edge over closed source tools in the digital forensics discipline:
The ability to read the source code and understand exactly how the tool works (which matters when results have to be defended).
The ability to share the software and improve it together with the forensic community.
Free or low cost.
Linux is not only a critical component of Android; it can also be used effectively as the forensic analysis platform.
13. Linux commands
Android forensics requires some Linux knowledge; the following commands are useful:
man
help
cd
mkdir
mount
rmdir / rm -rf
nano
ls
tree
cat
dd
find
chown
chmod
sudo
apt-get
grep
| and > (pipes and redirection)
Many more...
14. Environment setup
Ubuntu 32/64-bit (I recommend 64-bit) with the Android SDK.
Ubuntu 12.04 (Precise) 64-bit running on VMware or VirtualBox:
http://www.vmware.com or http://www.virtualbox.org
Have at least 20 GB of free space and 2 GB of RAM.
Keep Windows available for some commercial tools (explained later).
I recommend Santoku Linux, a distro dedicated to mobile forensics and security:
http://www.santoku-linux.com, made by viaForensics (http://www.viaforensics.com), a mobile pentesting company.
15. Workstation setup: caution
Disable automounting of file systems.
Command: gconf-editor
Automounting can wreck the setup and alter the evidence, because the desktop mounts (and may write to) an attached device before you have a chance to apply a write blocker.
Go to apps > nautilus > preferences and untick "media_automount" and "media_automount_open".
On GNOME 3 based releases the same switches live in gsettings under org.gnome.desktop.media-handling (keys automount and automount-open).
17. Hardware devices running Android
Cameras
Smartphones
Gaming consoles
Tablets
DECT phones
Google TV
(an Android landline phone)
Smart TVs
Car audio systems
Google Glass
Smart watches
GPS units
Fridges and washing machines
Mirrors (yes, really: cybertecturemirror.com)
800+ Android device models in all.
18. ROM boot process
The stock ROM varies from manufacturer to manufacturer, but the phone's boot process is the same in outline.
The boot process in seven short steps:
Power on and boot ROM code execution.
The bootloader.
The Linux kernel.
The init process.
Zygote and Dalvik.
The system server.
Boot completed.
20. Android application security model
At install time Android checks the developer's signature on the app (.apk); it is a self-signed key, not a CA-issued certificate.
It then displays the permissions the app requests.
These are declared in AndroidManifest.xml.
This file is a key artefact for forensic analysis and for judging whether an app's permissions look malicious.
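As an added example (not code from the talk), the following Python script does the manifest triage described above. It assumes the manifest has already been decoded from the binary AXML inside the .apk to plain XML (apktool or aapt do that); the sample manifest, its package name and the SENSITIVE set are constructed for illustration and are not an official Android permission table.

```python
"""Triage the permissions an app declares in a decoded AndroidManifest.xml.

Added example, not code from the talk. Assumes the manifest has already
been decoded to plain XML (the .apk carries it as binary AXML; apktool
or aapt dump it). The sample manifest and the SENSITIVE set below are
constructed for illustration, not an official Android table.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS

# Illustrative subset of permissions that expose user data; extend as needed.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample: a "flashlight" that wants SMS access and registers a
# high-priority SMS_RECEIVED receiver, the usual shape of an SMS stealer.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package name, declared permissions, the sensitive subset and
    every receiver that listens for incoming SMS, with its priority."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(NAME, "") for e in root.iter("uses-permission"))
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = int(flt.get(PRIORITY, "0"))
                sms_receivers.append((recv.get(NAME), prio))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "sensitive": sorted(p for p in perms if p in SENSITIVE),
        "sms_receivers": sms_receivers,
    }


def looks_suspicious(report):
    """Flag an app that both asks for SMS permissions and registers to see
    incoming SMS ahead of the stock messaging app (priority above 0)."""
    wants_sms = any(p.endswith("_SMS") for p in report["sensitive"])
    intercepts = any(prio > 0 for _, prio in report["sms_receivers"])
    return wants_sms and intercepts


if __name__ == "__main__":
    rep = triage_manifest(SAMPLE_MANIFEST)
    print(rep["package"], rep["sensitive"], rep["sms_receivers"])
    print("suspicious:", looks_suspicious(rep))
```

Run it against the output of `apktool d app.apk` by reading the decoded AndroidManifest.xml into `triage_manifest`; the permission list alone is only a hint, and it is the combination with what the components do (here, an SMS receiver that outranks the messaging app) that makes the finding worth reporting.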
21. Application process
Quick review of how an Android app executes.
Android apps are written in Java, but they are not executed as ordinary Java bytecode; they run as Dalvik bytecode.
Each app gets a unique Linux user ID (UID) and group ID (GID).
Each app gets its own dedicated process and its own Dalvik VM.
App data is stored under /data/data/<package name>, accessible only to that UID and GID (root excepted).
Apps can share data with other apps through content providers.
22. Some useful files
cache.img: disk image of the /cache partition.
sdcard.img: disk image of the SD card (these images come from the AVD emulator).
userdata-qemu.img: disk image of the /data partition.
All useful in forensics.
23. USB connection of the evidence device
Different devices offer different options.
The common four are:
Charge only
File transfer
Sync
Internet tethering
Check the connection on the host by running "dmesg".
Take care not to alter the evidence.
25. Precautions (mandatory)
Make sure automount is disabled in Ubuntu to prevent automatic detection and mounting of USB storage.
Every change, however small, could alter the evidence.
A hardware write blocker helps to some extent.
26. SD card info
Most SD card related details are found under /data/.
App details live in /data/data (it differs from device to device).
28. Android Debug Bridge
The most important component in Android forensics.
Consider it the Swiss army knife of forensic and security analysts.
Enable it under Developer options > USB debugging.
This starts adbd (the daemon) on the device.
adbd runs as an unprivileged user unless restarted with root privileges.
If the device is locked, enabling USB debugging is difficult (but not 100% impossible).
29. ADB components
adbd on the device.
The adb server on the workstation.
The adb client on the workstation.
adb is free, open source and the primary tool for forensics.
30. adb shell example
adb shell gives out a lot of information (how much depends on whether you are root).
The /data folder is only fully readable when rooted.
31. Data from adb
SMS history (including deleted messages).
Contacts (com.android.providers.contacts).
Call history: received, deleted, missed etc.
Address book.
Events.
Calendar.
32. File systems
Android uses a lot of file systems; more than a dozen are in use.
The main three are:
EXT (ext3/ext4)
FAT32
YAFFS2 (the user-data file system on older devices)
33. Data to expect in /data/data
Apps shipped with the stock ROM: e.g. browsers.
Manufacturer-specific apps: e.g. HTC Sense, TouchWiz, MotoBlur.
Wireless carrier apps (not common in India): e.g. Carrier IQ.
Apps installed by Google by default: Play Store, Play Music, Maps.
Apps installed by the user (both from the marketplace and from unknown sources).
34. Data storage methods
The main places where sensitive app data is stored:
Shared preferences
Internal storage
External storage
SQLite3
Network
35. Shared preferences
Per-app key-value settings, shared between the components of one app (other apps only see them through a shared UID).
The key-value pairs are stored in XML files under /data/data/<package>/shared_prefs.
36. Internal storage
Common file systems: ext3, ext4, yaffs2.
An unrooted user cannot read /data/data: each app directory is owned by its own UID and protected by Unix permissions (it is not encrypted as such). Root is needed to view the contents.
37. Internal storage
u0_a0 is the owner: user 0, app id 0 (UID 10000), the Linux user created when the app "truecaller" was installed.
These app directories are extremely useful when it comes to finding evidence.
38. External storage
It has fewer restrictions than internal storage.
FAT32 is the file system commonly found on the SD card.
As suggested earlier, much app data is stored here, so it is worth looking.
39. SQLite3 – native app database
Lightweight RDBMS implemented as a C library.
The entire database is stored in a single file.
Most app developers keep their databases in internal memory, e.g. /data/data/<package>/databases/.
40. SQLite3 – some useful commands
sqlite3 <dbfilename> – open the database
.tables – list the tables
.headers on|off – turn column headers on/off
.mode <mode> – set the output mode
SELECT * FROM <table>; – display the rows of a table
.dump ?TABLE? – dump the table (or the whole database) as SQL
.quit – exit the shell prompt
41. SQLite3 database example
Little catch: the sqlite3 binary is not installed on real phones by default (some custom ROMs ship or symlink it).
The usual workaround is to pull the database file with adb and open it with sqlite3 on the workstation.
For the test conditions here the AVD emulator was used.
Those databases contain a lot of tables, which can be really handy.
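As an added example (not code from the talk), this Python script performs the same steps as the sqlite3 session above against a pulled database copy, and adds the two checks an examiner wants: the copy is opened read-only, and its hash is verified afterwards to show the analysis did not alter it. The database, its table names and the rows are constructed in a temporary file for illustration; real provider databases (e.g. the stock SMS provider's mmssms.db) use different names and columns.

```python
"""Script the sqlite3 triage from the slides against a pulled database copy.

Added example, not code from the talk. A sample database standing in for a
file pulled from /data/data/<package>/databases/ is constructed in a
temporary file; its table and column names are invented (the stock SMS
provider, for instance, uses mmssms.db with different columns).
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash the evidence copy so it can be shown to be unchanged afterwards."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path):
    """Constructed sample; dates are epoch milliseconds, as Android stores them."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                          type INTEGER, body TEXT);
        CREATE TABLE contacts (_id INTEGER PRIMARY KEY, name TEXT, number TEXT);
        INSERT INTO sms VALUES (1, '+15550100', 1394265600000, 1, 'meet at 9');
        INSERT INTO sms VALUES (2, '+15550100', 1394269200000, 2, 'ok');
        INSERT INTO contacts VALUES (1, 'Alice', '+15550100');
    """)
    conn.commit()
    conn.close()


def open_readonly(path):
    """mode=ro makes SQLite refuse writes, so queries cannot alter the copy."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_tables(conn):
    """What .tables shows, plus each CREATE statement, read from sqlite_master."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return {name: sql for name, sql in rows}


def dump_table(conn, table):
    """Equivalent of '.headers on' followed by SELECT * FROM <table>."""
    cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def ms_to_utc(ms):
    """Render an epoch-millisecond timestamp as UTC for the report."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(path):
    """Open read-only, enumerate and dump every table, prove the file is intact."""
    before = sha256_file(path)
    conn = open_readonly(path)
    try:
        tables = list_tables(conn)
        dump = {t: dump_table(conn, t) for t in tables}
        try:
            conn.execute("DELETE FROM sms")   # must fail on a read-only handle
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
    finally:
        conn.close()
    return {"tables": tables, "dump": dump, "write_blocked": write_blocked,
            "unchanged": sha256_file(path) == before}


def demo():
    path = os.path.join(tempfile.mkdtemp(), "messages.db")
    build_sample_db(path)
    report = triage(path)
    for row in report["dump"]["sms"]:
        print(ms_to_utc(row["date"]), row["address"], row["body"])
    return report


if __name__ == "__main__":
    r = demo()
    print("tables:", sorted(r["tables"]), "write blocked:", r["write_blocked"],
          "unchanged:", r["unchanged"])
```

Point `triage()` at a file obtained with `adb pull` and work only on that copy; the hash pair it records is what goes in the notes alongside the dump.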
42. Network & Linux kernel
Network storage: data kept not locally but on remote servers and databases, through the Java/Android network classes.
The place we look at least is the heart: the Linux kernel and its logs.
Kernel logs are read with the "dmesg" command in the adb shell.
Source: Andrew Hoog
43. Logcat
Displays almost everything that is going on in the device, from the adb shell.
http://developer.android.com/tools/help/logcat.html
It takes different parameters (filters, output formats).
44. Device Handling & forensic rule
The main motto: avoid modification to the evidence at all costs.
Simply mounting the device could alter the evidence.
Increase the sleep timeout, since sleeping could lead to locking of the device.
Logcat everything that is going on.
Make sure of minimal modification to the evidence.
Enable "do not sleep while charging".
Put the device in flight mode or remove the SIM card (I don't recommend this).
Never switch off the device, whether it is unlocked or locked.
Work where there is no network connectivity (remote wipe & SMS malware to rip evidence?).
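A parser for the logcat output mentioned in the logcat slide and in the "Logcat everything" rule above, so a capture taken during handling can be filtered by priority, tag or message the way logcat's own TAG:PRIORITY filters do. Added example, not code from the talk; the sample lines are constructed in "adb logcat -v threadtime" format and are not from a real device.

```python
import re
from collections import Counter

# Matches "adb logcat -v threadtime" lines:
#   MM-DD HH:MM:SS.mmm  PID  TID PRIORITY TAG: message
LINE_RE = re.compile(
    r"^(?P<time>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<prio>[VDIWEFS])\s+(?P<tag>.*?):\s?(?P<msg>.*)$")
PRIORITIES = "VDIWEFS"  # verbose .. silent, the order logcat's filters use

# Constructed sample capture (not from a real device).
SAMPLE = """\
03-08 10:15:02.123   512   512 I ActivityManager: Start proc com.example.app for activity
03-08 10:15:02.987  1873  1873 D MyApp: opening /data/data/com.example.app/database/app.db
03-08 10:15:05.001   512   600 W ActivityManager: Force finishing activity com.example.app
03-08 10:15:05.002  1873  1880 E SQLiteLog: (11) database disk image is malformed
--------- beginning of main
"""

def parse_logcat(text):
    # One dict per parseable line; separator lines and junk are skipped.
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
            out.append(rec)
    return out

def filter_records(records, min_prio="V", tag=None, contains=None):
    # Equivalent of a TAG:PRIORITY filter plus a substring match on the message.
    floor = PRIORITIES.index(min_prio)
    return [r for r in records
            if PRIORITIES.index(r["prio"]) >= floor
            and (tag is None or r["tag"] == tag)
            and (contains is None or contains in r["msg"])]

def tag_counts(records):
    return Counter(r["tag"] for r in records)
```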
45. Phone switched off? What to do?
Try to boot into recovery: on most devices power + vol up + down, or power + vol down and then up.
If you can't work it out, search xda-developers.com.
Connect to adb and check for root permission.
USB debugging enabled? You are lucky; otherwise you have to find a way to remotely activate USB debugging.
49. Unlucky still? Here comes the passcode breaking!
Very useful when it comes to forensics!
Nothing beats this.
There are various techniques for breaking Android passcodes; a few will be discussed here.
There is no direct rule for breaking passcodes.
52. Cracking techniques
Smudge attack.
Pattern lock vulnerability.
Psneuter with adb, USB debugging (if enabled).
Cracking the password key.
Face unlock pwn with a picture.
Continues to evolve...
53. Smudge attack
The screen (digitizer) is a reflective surface; the smudge (pattern) diffuses on the glass.
Being dust particles, when exposed to light they reflect it.
A camera set up to capture an overexposed image around 6-8 times will give an 80% correct image.
It gives out the display pattern.
Not always working; for example, playing Temple Run could remove the smudge totally.
55. Pattern Lock crack
The pattern creates a file, /data/system/gesture.key, where the hash is stored.
If a custom recovery is installed, like TWRP recovery, CWM recovery etc., remove the key using the rm command and recreate it using your own hash.
56. Pattern Lock crack
The key can also be decrypted! Some sites do give this service for free.
57. Cracking pins
When passwords/PINs are used they are stored in /data/system/passwords.key
As you can see it is not in plaintext but as Random+sha1+md5.
Not easy; it depends on the nature of the password.
Pull the salt from /data/data/com.android.providers.settings/databases/settings.db and get the password from above.
Put them in the folder and try to attack them in password recovery tools such as hashcat/John the Ripper by bruteforcing them.
58. Pwn face & voice unlock
Not secure at all when Google introduced it in Android 4.0.
Reported to unlock with a photo of the person.
After the KitKat update, face unlock went through a change where the person has to unlock by blinking the eye, which shows the liveness of the captured image.
Again easily broken by duck faces, smiling images from Facebook :P
"In June 2013, details emerged of a Google patent, pictured, that would let users unlock their phones by pulling silly faces, such as frowning, poking out their tongue or wriggling their nose. The expression would then be scanned and compared to a previously captured photo to confirm the user's identity" - dailymail (UK).
Voice can easily be spoofed by old school tricks.
59. Android Encryption
Encrypts the entire device with AES encryption.
Noted to reduce performance.
Takes at least an hour to encrypt the data.
60. Get fRoSted
The FROST security team was able to break the encryption by cooling the device to -15 C for 60 minutes.
Switch off and flash the FROST recovery.
Not all of the AES key bits are recovered intact; some bits had decayed.
63. g0t root?
90% of forensic tricks depend on root.
Not enabled on a single device (unless the suspect rooted it on his own).
Not possible on all devices without altering the evidence.
Gaining root will leave a lot of traces.
Much data gets altered.
Takes a lot of time searching for the correct exploit; sometimes leads to a hard brick/soft brick.
Root could make the device more vulnerable to future exploits.
64. Types of r00t?
Temp root: gives you root access till you reboot the device.
Recovery root: a custom recovery such as ClockworkMod (CWM), TWRP etc. will give root access in the recovery.
Permanent root: installs su to the system, leaving a huge footprint. Most custom ROMs have perm root by default, e.g. CyanogenMod, Omni, Paranoid Android etc.
65. Temporary root
Temp root is something essential when it comes to forensics (z4root.apk).
Doesn't work on all devices; test it first before using.
66. Psneuter, a temp root solution.
Neturer is an android server; this app exploits that server, giving us a temporary solution.
adb devices
adb push psneuter /data/local/tmp
adb shell
cd /data/local/tmp
chmod 777 psneuter
./psneuter
67. Permanent root
Not good as far as forensics is concerned.
Leaves a huge footprint altering the evidence. Search xda for more roots.
70. Android forensic techniques
Logical and physical acquisition.
Open source tools and some commercial tools:
qtADB
Andriller
cellebrite
paraben
viaextract ….
71. Logical vs physical Acquisition
Logical:
- Access to file systems.
- Data which is already available to the user.
- Eg: ADB pull, AFLogical.
Physical:
- Exploring the memory, not the file system.
- More data than logical, by breaking passwords etc.
- Hardware and software.
72. Logical SD card acquisition
Apps' data gets stored in /data, which is encrypted and needs root access.
SD cards are where the user's stuff stays (audio, video, maps).
Uses the cross-platform FAT FS.
Most backups are stored on the SD card.
.apk's on the SD card might be encrypted.
Useful when 3rd party apps are being analysed.
75. AFlogical
Data extraction tool.
Free for law enforcement agencies.
Records call logs, contacts etc.
DEMO
76. UFED touch ultimate
UFED Touch Ultimate, enables the most technologically
advanced extraction, decoding, analysis and reporting of
mobile data. It performs physical, logical, file system and
password extraction of all data (even if deleted) from the
widest range of devices including legacy and feature phones,
smartphones, portable GPS devices, tablets and phones
manufactured with Chinese chipsets.
Cost: $10000
80. Andriller
An alternative and a powerful open source tool.
http://android.saz.lt/
Made by Denis Sazonov @den4uk
Give it a try, you won't regret it.
DEMO…………………..
82. Reversing Apk’s
Rename the Android app (.apk) to .zip.
Extract the zip.
Run dex2jar on the extracted file.
Open the .jar in a Java decompiler.
APKTOOL
Androguard
Apkinspector
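The first two steps of the reversing procedure above (treat the .apk as a zip, pull out classes.dex) plus a header sanity check on the dex before it goes to dex2jar: magic and version, the adler32 checksum over bytes 12..end, and the SHA-1 signature over bytes 32..end. Added example, not code from the talk or from any of the tools listed; the .apk and the header-only classes.dex it contains are constructed inline, and the manifest entry is only a stub.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70  # the dex header is always 0x70 bytes

def build_sample_dex():
    # Constructed: a header-only classes.dex (no classes at all) carrying a
    # valid adler32 checksum and SHA-1 signature, enough to exercise check_dex.
    tail = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    tail += b"\0" * (HEADER_SIZE - 12 - 20 - len(tail))
    sig = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(sig + tail) & 0xFFFFFFFF
    return DEX_MAGIC + b"035\0" + struct.pack("<I", checksum) + sig + tail

def build_sample_apk():
    # Constructed .apk: a zip with the entries an analyst expects to see.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        z.writestr("classes.dex", build_sample_dex())
        z.writestr("META-INF/CERT.RSA", b"placeholder signature block")
    return buf.getvalue()

def check_dex(dex):
    # Sanity-check the dex header before handing the file to dex2jar.
    if len(dex) < HEADER_SIZE or dex[:4] != DEX_MAGIC:
        return {"dex_valid": False}
    checksum, = struct.unpack_from("<I", dex, 8)    # adler32 of bytes 12..end
    file_size, = struct.unpack_from("<I", dex, 32)
    return {"dex_valid": True, "dex_version": dex[4:7].decode(),
            "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
            "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
            "size_ok": file_size == len(dex)}

def inspect_apk(apk_bytes):
    # Steps 1-2 of the slide: treat the .apk as a zip and pull out classes.dex.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
    report = {"entries": names,
              "signed": any(n.startswith("META-INF/") for n in names)}
    report.update(check_dex(dex))
    return report
```

A checksum or signature mismatch on a pulled classes.dex usually means a truncated pull or a tampered file, which is worth knowing before trusting what the decompiler shows.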
84. Future of Android forensics
The future research work will be on SEAndroid.
Contributed by the National Security Agency (NSA) *cough*
Motto: to have a secure Android.
86. Wait ! Wait ? Wait ?
SEAndroid was already defeated: CVE-2013-6282.
Pau Oliva had a PoC on a Toshiba tablet running 4.3 JB.
88. INDIAN cyberlaws
Device as target or weapon.
IT Act 2000.
IT Amendment Act (2008).
Rules under 66A, 43A, 79.
Section 65A.
http://www.cyberforensics.in/
http://deity.gov.in/content/cyber-laws