Santhosh Kumar

ANDROID – FORENSICS AND SECURITY ANALYSIS

r00t@b0x : whoami?
- Security researcher for quite some time (certs: CEH).
- POC at DEFCON Chennai.
- Currently working on ARM-based exploitation.
- Reported some web app bugs to Microsoft, Yahoo, Intel, IBM, Cisco etc.
- Currently doing a Bachelor's in Computer Science.

Agenda:
- Introduction to Android and its history.
- Study of the Android file systems and directories.
- Bypassing passcodes (all types of locks).
- Physical and logical data extraction techniques.
- Reverse engineering Android applications.
- Indian cyber laws.

Why forensics? WTH is this?
- Evidence for legal proceedings.
- Financial crime.
- Pornography / child pornography (pedophiles).
- Sexual harassment (against women).
- Terrorism activity or national threat.
- Cyber threats.
- Counter-intelligence.
- Murder or other crimes.
- E.g. Georgia Weidman attacked @ CONFidence conference, Poland.

Introduction to Android. History?
- Widely used smartphone OS with over 77% share in 2013.
- The man behind Android was originally Andy Rubin; it is now developed by Google (2007).
- Android now has over 900 million devices as per the I/O event in 2013.
- The Android Open Source Project (AOSP), primarily based on Linux, is now responsible for the development and maintenance commits and releases.
- AOSP follows the GPL v2 license and the Apache 2.0 license. The GPL v2 makes it mandatory to keep the source code open; Apache 2.0 is used for commercial entities.
Android Features
- Android has key features which are useful from the forensic point of view.
- Features like GSM, CDMA, LTE, WiMAX, Wi-Fi, Bluetooth etc.
- The Google Play Store / Android Market is a rich source for forensic analysis.
- Data storage:
  - Flash (or NAND) memory.
  - Internal memory.
  - External memory.

Android Overview:
- Global System for Mobile Communications (GSM): a Subscriber Identity Module or Universal Subscriber Identity Module (SIM or USIM) identifies the user to the cellular network. E.g. AT&T, T-Mobile (US); BSNL, Airtel (India).
- Code Division Multiple Access (CDMA). E.g. Sprint, Verizon (US); Tata Docomo, MTS (India).
- Integrated Digital Enhanced Network (iDEN), which is yet to be available in India. US: Sprint.
- Worldwide Interoperability for Microwave Access (WiMAX). US: Sprint; India: BSNL, Reliance.
- Long Term Evolution (LTE, 4G). US: AT&T, Sprint, T-Mobile, Verizon; India: Airtel, Aircel (TD-LTE).

Android Overview: Apps
- The total number of Android apps crossed 1 million in Nov 2013, with another 70,000 apps published in Jan 2014.
- The other competitor, Apple, has a strict app upload and review process which can take a long time and requires fulfilling many criteria and conditions. Sometimes apps are denied after a long review. iOS doesn't allow apps from outside the App Store.
- Google requires less process for submitting an app (such as the secure key), while Google retains the power to remove the app from the market, ban-hammer the developer and remotely uninstall the app.

AOSP importance
- As said earlier, AOSP maintains development and releases new versions and fixes.
- Compiling AOSP is the best way to understand the working of Android: http://source.android.com/source/initializing.html
- Not necessary for forensic analysts but useful for deep experimentation.
- We won't be doing that now.
Linux, Open Source Software in Forensics
- Open source forensic tools have always been more effective in the digital forensic discipline. Open source tools have the upper hand over closed source tools:
  - The power to view the source code and understand how it works.
  - The ability to share software and improve it by working together with the forensic community.
  - Free or low cost.
- Linux is not only a critical component of Android but can be effectively used in forensic analysis.
LINUX commands:
Android forensics involves some Linux knowledge; the following commands are useful:
man, help, cd, mkdir, mount, rmdir / rm -rf, nano, ls, tree, cat, dd, find, chown, chmod, sudo, apt-get, grep, | and >
Many more ...
Environment Setup
- Ubuntu 32/64 bit (I recommend 64 bit) with the Android SDK: Ubuntu 12.04 (precise) 64 bit running on VMware / VirtualBox.
- http://www.vmware.com or http://www.virtualbox.org
- Have at least 20 GB free space and 2 GB RAM.
- Have Windows for some commercial tools (explained later).
- I recommend Santoku Linux, which is an entire hacking distro dedicated to mobile forensics and security.
- http://www.santoku-linux.com, which is indeed made by http://www.viaforensics.com, a mobile pentesting company.

Workstation Setup: Caution
- Disable automount (file systems).
- Command: gconf-editor
- This is because auto-mounting of a file system can screw up our setup and alter the evidence.
- Go to apps > nautilus > preferences and remove "media_automount" and "media_automount_open".
Android Architecture

HARDWARE DEVICES
- Cameras
- Smartphones
- Gaming consoles
- Tablets
- DECT phones (an Android landline)
- Google TV
- Smart TVs
- Car audio systems
- Google Glass
- Smart watches
- GPS
- Fridge and washing machine (DAFAQ)
- Mirrors (you saw it right :P) cybertecturemirror.com
- 800+ Android devices

ROM Booting process
- Stock ROM varies from manufacturer to manufacturer.
- Actually the phone booting process.
- Short seven-step ROM booting process:
  - Power on and boot ROM code execution
  - The boot loader
  - The Linux kernel
  - The init process
  - Zygote and Dalvik
  - The system server
  - Boot completed

ROM booting process
http://www.androidenea.com/2009/06/android-boot-processfrom-power-on.html
Android Application Security Model
- At installation of an app (.apk), Android checks for the developer's unique signature (not a CA).
- Next it displays the Android app's permissions. The source is located in AndroidManifest.xml.
- This file is key when it comes to forensic analysis and determining permissions (malicious app).

Application process
- Quick review of Android app execution.
- Even though Android apps are written in Java, they are not executed in Java format.
- Each app gets a unique Linux user ID (UID) and group ID (GID).
- Gets its own dedicated process and dedicated Dalvik VM.
- The app data gets stored in /data/data/<app process>, accessible only by that UID and GID (root excepted).
- Apps can share data with other apps using content providers.

Some useful files
- cache.img: disk image of the /cache partition.
- sdcard.img: disk image of the SD card (img here is from the AVD emulator).
- userdata-emu.img: disk image of the data partition.
- ... useful in the areas of forensics.

USB connection of the evidence device
- Different devices have different options.
- The common four are: charge only, file transfer, sync, internet tethering.
- Check the connection to the host by typing "dmesg".
- Make sure you take care not to alter the evidence much...

Checking USB connection

Precautions (must needed):
- Make sure to disable the automount feature in Ubuntu to prevent automatic detection and mounting of USB storage.
- Every fragile change could lead to alteration of evidence.
- A hardware write blocker is useful to some extent.

SD card info
- Most of the SD card details are stored in /data/
- App details in /data/data (it differs :P)
Android Debug Bridge
- Most important component when it comes to Android forensics.
- Consider it a Swiss army knife for forensics and security analysts.
- Enable USB debugging: Developer options > USB debugging.
- This will run adbd (daemon) on the device.
- adbd runs under the shell user account (UID) unless promoted to root privileges.
- If your device is locked then it is difficult to enable USB debugging (not 100% impossible).

ADB components
- adbd on the device.
- adb server on the workstation.
- adb client on the workstation.
- adb is free, the primary tool for forensics, and of course open source.

adb shell example
- adb shell gives out a lot of information (depends on root or not).
- The data folder is useful when you are rooted.

Data from adb
- SMS history (deleted).
- Contacts (com.phone.android)
- Call history: received, deleted, missed etc.
- Databook
- Events.
- Calendar.

File Systems
- Lots of file systems in the Android operating system.
- More than a dozen are in use.
- The main three are: EXT, FAT32, YAFFS2 (source for the user data).

Data to expect in /data/data
- Apps that are shipped with the stock ROM: browsers.
- Apps that are manufacturer specific, e.g. HTC Sense, TouchWiz, MotoBlur.
- Wireless carrier apps (not common in India): Carrier IQ.
- Apps installed by Google by default: Play Store, Play Music, Maps.
- Apps installed by the user (both marketplace and unknown-source installation).

Data Storage methods
- The main methods where sensitive data is stored:
  - Shared preferences
  - Internal storage
  - External storage
  - SQLite3
  - Network
Shared preferences
- This is where data shared between the apps is stored.
- Key-value pairs are stored in XML files.

Internal Storage
- Common in most systems: ext3, ext4, yaffs2.
- An unrooted user cannot access /data/data as it is encrypted; root is needed for viewing the contents.

Internal storage
- u0_a0 is the owner, meaning it is that user which installed the app "truecaller".
- These apps and their directories are damn useful when it comes to finding evidence.

External Storage
- It has fewer restrictions when compared to internal storage.
- FAT32 is the commonly found file system on the SD card.
- As suggested earlier, most app data is stored here; it is better to look here.

SQLite3 - Native app database
- Lightweight RDBMS which has a C programming library.
- Entire DB stored in a single file.
- Most app developers store the database in internal memory, e.g. /data/data/<app name>/database.
SQLite3 - some useful commands
- sqlite3 <dbfilename> : loads the DB
- .tables : shows the tables
- .headers on|off : turns headers on/off
- .mode : output mode / file type
- SELECT * FROM <table>; : displays the table rows with their attributes
- .dump ?table? : dumps the table
- .quit : exits the shell prompt

SQLite3 database example
- Little catch: sqlite3 is not installed on real phones by default.
- For test conditions I have used the AVD emulator from Android.
- Those databases have a lot of tables which can be really handy.
- Some native roots have sqlite3 symlinked by default.
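Added example (not from the deck): the same `.tables` / `.headers on` / `SELECT *` / `.dump` triage done from Python against a constructed stand-in for an app database, opened read-only so the evidence file is provably unchanged. The sms and contacts tables and their rows are constructed sample data, not pulled from a device.

```python
import hashlib
import os
import sqlite3
import tempfile


def sha256_file(path: str) -> str:
    """Hash the evidence file so the report can show our queries did not alter it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path: str) -> None:
    """Constructed stand-in for an app database pulled from
    /data/data/<app name>/databases/ (sample data, not a real phone's)."""
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT);
        CREATE TABLE contacts (_id INTEGER PRIMARY KEY, display_name TEXT, number TEXT);
        INSERT INTO sms VALUES (1, '+910000000001', 1393000000000, 'meet at 9');
        INSERT INTO sms VALUES (2, '+910000000002', 1393000100000, 'ok');
        INSERT INTO contacts VALUES (1, 'Alice Example', '+910000000001');
        """
    )
    con.commit()
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Like `sqlite3 <dbfilename>` but refusing writes: mode=ro rejects any
    UPDATE/DELETE and immutable=1 stops SQLite creating -journal/-wal files
    beside the evidence."""
    uri = "file:" + os.path.abspath(path) + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def quote_ident(name: str) -> str:
    """Double-quote an identifier so odd table names cannot break the query."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(con: sqlite3.Connection) -> list:
    """Equivalent of `.tables`."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [r[0] for r in rows]


def table_columns(con: sqlite3.Connection, table: str) -> list:
    """Column names, what `.headers on` prints above a SELECT."""
    return [r[1] for r in con.execute("PRAGMA table_info(%s)" % quote_ident(table))]


def dump_table(con: sqlite3.Connection, table: str) -> list:
    """`SELECT * FROM <table>` returned as dicts keyed by header."""
    cols = table_columns(con, table)
    rows = con.execute("SELECT * FROM %s" % quote_ident(table))
    return [dict(zip(cols, r)) for r in rows]


def dump_sql(con: sqlite3.Connection) -> str:
    """Equivalent of `.dump`: schema plus INSERT statements."""
    return "\n".join(con.iterdump())


def triage(path: str):
    """Every table with its headers and rows, plus the SQL dump, hashing the
    file before and after as proof the evidence was not modified."""
    before = sha256_file(path)
    con = open_readonly(path)
    report = {t: {"columns": table_columns(con, t), "rows": dump_table(con, t)}
              for t in list_tables(con)}
    sql = dump_sql(con)
    con.close()
    return report, sql, before == sha256_file(path)


def run_demo():
    """Build the constructed database in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path)
        return triage(path)
```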
Network & Linux kernel
- Network storage in Java and Android classes.
- Not locally but on the network and in relational databases.
- The least-looked-at place is the heart: the Linux kernel and the kernel logs.
- To access the kernel logs we have the "dmesg" command in the adb shell.
Source: Andrew Hoog

Logcat
- Displays almost everything that's been going on in your device, in the adb shell.
- http://developer.android.com/tools/help/logcat.html
- Has different parameters.
Device Handling & forensic rule
- The main motto: avoid modification to evidence at all costs.
- Simple mounting of the device could lead to altering of evidence.
- Increase the sleep timeout, which could otherwise lead to locking of the device.
- Logcat everything that is going on.
- Make sure of minimal modification to the evidence.
- Enable "do not sleep while charging".
- Put the device in flight mode or remove the SIM card (I don't recommend this).
- Never switch off the device, whether it is unlocked or locked.
- Work where there is no network connectivity (remote wipe & SMS malware to rip evidence?).

Phone switched off? What to do?
- Try to boot into recovery: on most devices Power + Vol Up + Vol Down, or Power + Vol Down and then Up.
- If you can't figure it out, search xda-developers.com.
- Connect to adb, check for root permission.
- If USB debugging is enabled you are lucky, or else you have to find a way to remotely activate USB debugging.

Enable USB debugging when locked?? Possible
- BST (Best Smart Tools)

Crack the codes
- Unlucky still? Here comes the passcode breaking!
- Very useful when it comes to forensics! Nothing beats this.
- Various techniques for breaking Android passcodes.
- A few will be discussed here.
- There is no direct rule for breaking passcodes.

Types of passwords?

Cracking techniques
- Smudge attack.
- Pattern lock vulnerability.
- psneuter with adb, USB debugging (if enabled).
- Cracking the password key.
- Face unlock pwn with a picture.
- Continues to evolve ...
Smudge attack
- The screen (digitizer) is a reflective surface; smudges (the pattern) diffuse on the glass.
- Being dust particles, when exposed to light they reflect it.
- A camera setup capturing overexposed images around 6-8 times will give an 80% correct image.
- It gives out the drawn pattern.
- Not always working: e.g. playing Temple Run could remove the smudge totally.

Pattern Lock crack
- The pattern creates a file in /data/system/gesture.key; the hash is stored there.
- If a custom recovery is installed, like TWRP recovery, CWM recovery etc., remove the key using the rm command and recreate it using your own hash.
- The key can also be decrypted! Some sites do give this service for free.

Cracking pins
- When a password/PIN is used it is stored in /data/system/passwords.key
- As you can see it is not in plaintext but as random + SHA1 + MD5.
- Not easy; depends on the nature of the password.
- Pull the salt from /data/data/com.android.providers.settings/databases/settings.db and get the password hash from above.
- Put them in a folder and try to attack them with password recovery tools such as hashcat / John the Ripper by brute-forcing them.

Pwn face & voice unlock
- Not secure at all when Google introduced it in Android 4.0.
- Reported to unlock with a photo of the person.
- After the KitKat Android update, face unlock changed so that the person has to unlock by blinking an eye, which shows the liveness of the captured image.
- Again easily broken by duck faces and smiling images from Facebook :P
- "In June 2013, details emerged of a Google patent, pictured, that would let users unlock their phones by pulling silly faces, such as frowning, poking out their tongue or wriggling their nose. The expression would then be scanned and compared to a previously captured photo to confirm the user's identity" - Daily Mail (UK).
- Voice can easily be spoofed by old-school tricks.
Android Encryption
- Encrypts the entire device with AES encryption.
- Noted to reduce performance.
- Takes at least an hour for encryption of data.

Get fRoSted
- The FROST security team was able to break the encryption by cooling the device to -15 C, in 60 minutes.
- Switch off and flash the FROST recovery.
- Not the entire AES key is recovered; some bits had decayed.

g0t r00t?
- 90% of forensic tricks depend on root.
- Not enabled on a single device (unless the suspect rooted it on his own).
- Not possible on all devices without altering the evidence.
- Gaining root will leave a lot of traces.
- Much data gets altered.
- Takes a lot of time searching for the correct exploit; sometimes leads to a hard brick / soft brick.
- Root could make the device more vulnerable to future exploits.

Types of r00t?
- Temp root: gives you root access till you reboot the device.
- Recovery root: a custom recovery such as ClockworkMod (CWM), TWRP etc. will give root access in the recovery.
- Permanent root: installs su to the system, leaving a huge footprint. Most custom ROMs have perm root by default, e.g. CyanogenMod, Omni, Paranoid Android etc.

Temporary root
- Temp root is something essential when it comes to forensics (z4root.apk).
- Doesn't work on all devices; test it first before using.

psneuter, a temp root solution
- psneuter exploits an Android server, giving us a temporary root solution.
- adb devices
- adb push psneuter /data/local/tmp
- adb shell
- cd /data/local/tmp
- chmod 777 psneuter
- ./psneuter

Permanent root
- Not good as far as forensics is concerned.
- Leaves a huge footprint, altering the evidence. Search XDA for more roots.

R00t with binary
- Gives root to almost all 4.0 to 4.1 devices.

Kingo Android Root
- This one gives root over all 4.2.x, 4.3.x, 4.4.x.
Android forensic techniques
- Logical and physical acquisition.
- Open source tools and some commercial tools: qtADB, Andriller, Cellebrite, Paraben, viaExtract ...

Logical vs physical Acquisition
Logical:
- Access to file systems.
- Data which is already available to the user.
- E.g. adb pull, AFLogical.
Physical:
- Exploring the memory, not the file system.
- More data than logical, by breaking passwords etc.
- Hardware and software.

Logical SD card acquisition
- App data gets stored in /data, which is encrypted and needs root access.
- The SD card is where the user's stuff stays (audio, video, maps).
- Uses the cross-platform FAT FS.
- Most backups are stored on the SD card.
- .apk's on the SD card might be encrypted.
- Useful when 3rd-party apps are analysed.

adb pull - logical

qtADB

AFLogical
- Data extraction tool.
- Free for law enforcement agencies.
- Records call logs, contacts etc.
- DEMO

UFED Touch Ultimate
- UFED Touch Ultimate enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
- Cost: $10,000

UFED WhatsApp analysis

Device Seizure

Device Seizure: Report

Andriller
- An alternative and powerful open source tool.
- http://android.saz.lt/
- Made by Denis Sazonov @den4uk
- Give it a try, you won't regret it.
- DEMO ...
Photos
- Try looking here for more evidence.

Reversing APKs
- Rename the Android app (.apk) to .zip.
- Extract the zip.
- Run dex2jar on the extracted file.
- Open the .jar in a Java decompiler.
- Tools: APKTOOL, Androguard, APKInspector
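Added example (not from the deck), covering the install-time developer-signature check from the application security model slide as well as the rename-to-.zip / dex2jar steps above: triage of an APK as a zip, a sanity check of the classes.dex header, and recomputation of the v1 MANIFEST.MF digests to spot an entry changed after signing. The APK built by build_sample_apk is constructed in memory; its AndroidManifest.xml and CERT.RSA are text placeholders, not real binary AXML or a real signature block.

```python
import base64
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70


def build_dex(payload: bytes) -> bytes:
    """Constructed minimal .dex: valid 0x70-byte header (magic, adler32 checksum,
    SHA-1 signature, sizes, endian tag) + filler. Not loadable, just for the checks."""
    body = bytearray(DEX_HEADER_SIZE) + payload
    body[0:8] = b"dex\n035\0"
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, 0x12345678)
    body[12:32] = hashlib.sha1(body[32:]).digest()                         # covers 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)  # covers 12..end
    return bytes(body)


def check_dex_header(dex: bytes) -> dict:
    """Header fields dex2jar relies on; bad checksum/signature = corrupted or hand-edited."""
    if len(dex) < DEX_HEADER_SIZE or dex[0:4] != b"dex\n":
        return {"magic_ok": False}
    checksum = struct.unpack_from("<I", dex, 8)[0]
    file_size = struct.unpack_from("<I", dex, 32)[0]
    return {"magic_ok": True, "version": dex[4:7].decode("ascii"),
            "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
            "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
            "size_ok": file_size == len(dex)}


def parse_manifest_mf(text: str) -> dict:
    """META-INF/MANIFEST.MF -> {entry name: {attribute: value}} (blank-line separated
    sections; long values continue on lines starting with a space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
        else:
            key, _, value = line.partition(": ")
            current[key] = value
    return sections


def verify_v1_digests(apk: zipfile.ZipFile) -> dict:
    """Recompute each SHA1-Digest in MANIFEST.MF (JAR/APK v1 signing, the developer
    signature checked at install). False = entry changed after signing."""
    sections = parse_manifest_mf(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
    results = {}
    for name, attrs in sections.items():
        try:
            digest = hashlib.sha1(apk.read(name)).digest()
        except KeyError:                       # listed in the manifest but not in the zip
            results[name] = False
            continue
        results[name] = digest == base64.b64decode(attrs.get("SHA1-Digest", ""))
    return results


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed APK-like zip (an .apk is a zip, hence the rename-to-.zip step).
    AndroidManifest.xml is a text placeholder; real ones are binary AXML.
    tamper=True swaps classes.dex after the manifest digests were written."""
    entries = {"classes.dex": build_dex(b"original bytecode"),
               "AndroidManifest.xml": b"<placeholder for binary AXML>"}
    mf = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
    for name, data in entries.items():
        b64 = base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
        mf += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, b64)
    if tamper:
        entries["classes.dex"] = build_dex(b"injected bytecode")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CERT.RSA", b"<placeholder PKCS#7 signature block>")
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Pre-dex2jar triage: entries, v1 signing artefacts, dex header, digest check."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        return {"entries": names,
                "signature_blocks": [n for n in names if n.startswith("META-INF/")
                                     and n.upper().endswith((".RSA", ".DSA", ".EC"))],
                "dex": check_dex_header(z.read("classes.dex")) if "classes.dex" in names else None,
                "v1_digests": verify_v1_digests(z) if "META-INF/MANIFEST.MF" in names else {}}
```

A tampered dex still carries a self-consistent header (the repackager rebuilt it), so the header check alone passes; only the manifest digest comparison shows the entry no longer matches what was signed.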
Android/Torec.A
- First ever Android-based Tor malware found in the wild.
- REVERSING DEMO

Future of Android forensics
- The future research work will be on SEAndroid.
- Contributed by the National Security Agency (NSA) *cough*
- Motto: to have a secure Android.

Then there is?
- I'll just leave this here :P

Wait! Wait? Wait?
- SEAndroid was already defeated: CVE-2013-6282.
- Pau Oliva had a PoC on a Toshiba tablet running 4.3 JB.

INDIAN cyber laws
- Device as target or weapon
- IT Act 2000
- IT Amendment Act (2008)
- Rules under 66A, 43A, 79
- Section 65A
- http://www.cyberforensics.in/
- http://deity.gov.in/content/cyber-laws

ANY QUESTIONS?

Recommended starters
- Andrew Hoog
- Steve Robinson

Feedback welcomed :D
- Twitter: https://twitter.com/security_b0x
- securitypentrator@live.com

References:
- viaforensics.com
- Forensicfocus.com
- cellebrite.com
- android.saz.lt
- exploit-db.com
- www.forensicswiki.org/wiki/Cell_Phone_Forensics
- Xda-developers.com
Android– forensics and security testing

Paul Groth
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Android– forensics and security testing

  • 1. Santhosh Kumar: ANDROID – FORENSICS AND SECURITY ANALYSIS
  • 2. r00t@b0x : whoami?
    - Security researcher for quite some time (certs: CEH).
    - POC at Defcon Chennai.
    - Currently working on ARM-based exploitation.
    - Reported some web app issues to Microsoft, Yahoo, Intel, IBM, Cisco etc.
    - Currently doing a Bachelor's in Computer Science.
  • 3. Agenda:
    - Introduction to Android and its history.
    - Study the Android file systems and directories.
    - Bypass passcodes (all types of locks).
    - Physical and logical data extraction techniques.
    - Reverse engineer Android applications.
    - Indian cyber laws.
  • 4. Why forensics? WTH is this?
    - Evidence for legal proceedings.
    - Financial crime.
    - Pornography/child pornography (pedophiles).
    - Sexual harassment (against women).
    - Terrorist activity or national threat.
    - Cyber threats.
    - Counter-intelligence.
    - Murder or other crimes.
    - E.g.: Georgia Weidman attacked at the CONFidence conference, Poland.
  • 6. Introduction to Android! History?
    - Widely used smartphone OS with over 77% share in 2013.
    - The man behind Android was originally Andy Rubin; it is now developed by Google (2007).
    - Android now has over 900 million devices as per the I/O event in 2013.
    - The Android Open Source Project (AOSP), which was primarily based on Linux, is now responsible for the development and maintenance commits and releases.
    - AOSP follows the GPL v2 license and the Apache 2.0 license. GPL v2 makes it mandatory to keep the source code open source; Apache 2.0 is used for commercial entities.
  • 7. Android Features.
    - Android has key features which are useful from the forensic point of view.
    - Features like GSM, CDMA, LTE, WiMax, Wi-Fi, Bluetooth etc.
    - Google Play Store/Android Market is a rich source for forensic analysis.
    - Data storage: flash (or NAND) memory, internal memory, external memory.
  • 8. Android Overview:
    - Global System for Mobile Communications (GSM): a Subscriber Identity Module or Universal Subscriber Identity Module (SIM or USIM) identifies the user to the cellular network. E.g.: AT&T, T-Mobile (US); BSNL, Airtel (India).
    - Code Division Multiple Access (CDMA). E.g.: Sprint, Verizon (US); Tata Docomo, MTS (India).
    - Integrated Digital Enhanced Network (iDEN), which is yet to be available in India. US: Sprint.
    - Worldwide Interoperability for Microwave Access (WiMax). US: Sprint; India: BSNL, Reliance.
    - Long Term Evolution, LTE (4G). US: AT&T, Sprint, T-Mobile, Verizon; India: Airtel, Aircel (TD-LTE).
  • 10. Android Overview: Apps
    - The total number of Android apps crossed 1 million in Nov 2013, with another 70,000 apps published in Jan 2014.
    - The other competitor, Apple, has a strict app upload and review process which can take a long time and requires many criteria and conditions to be fulfilled. Sometimes apps are denied after a long review. iOS doesn't allow apps from outside the App Store.
    - Google requires less process for submitting an app (such as the signing key), while Google has the power to remove the app from the market, ban the developer and remotely uninstall the app.
  • 11. AOSP importance
    - As said earlier, AOSP maintains development and releases new versions and fixes.
    - Compiling AOSP is the best way to understand the working of Android. http://source.android.com/source/initializing.html
    - Not necessary for forensic analysts but useful for deep experimentation. We won't be doing that now.
  • 12. Linux, Open Source Software in Forensics
    - Open source forensic tools have always been more effective in the digital forensic discipline. Open source tools always have the upper hand over closed source tools: the power to view the source code and understand how it works; the ability to share software and improve it by working together with the forensic community; free or low cost.
    - Linux is not only a critical component of Android but can be used effectively in forensic analysis.
  • 13. Linux commands: Android forensics involves some Linux knowledge; the following commands are useful: man, help, cd, mkdir, mount, rmdir/rm -rf, nano, ls, tree, cat, dd, find, chown, chmod, sudo, apt-get, grep, | and >, and many more.
  • 14. Environment Setup
    - Ubuntu 32/64 bit (I recommend 64 bit) with the Android SDK. Ubuntu 12.04 (Precise) 64 bit running on VMware/VirtualBox: http://www.vmware.com or http://www.virtualbox.org
    - Have at least 20 GB free space and 2 GB RAM.
    - Have Windows for some commercial tools (explained later).
    - I recommend Santoku Linux, which is an entire hacking distro dedicated to mobile forensics and security. http://www.santoku-linux.com, which is indeed made by http://www.viaforensics.com, a mobile pentesting company.
  • 15. Workstation Setup: Caution
    - Disable automount (file systems). Command: gconf-editor
    - This is because auto-mounting a file system can screw up our setup and alter the evidence.
    - Go to apps > nautilus > preferences and remove "media_automount" and "media_automount_open".
  • 17. Hardware Devices
    - Cameras, smartphones, gaming consoles, tablets, DECT phones, Google TV (an Android landline), smart TVs, car audio systems, Google Glass, smart watches, GPS, fridges and washing machines (DAFAQ), mirrors (you saw it right :P): cybertecturemirror.com
    - 800+ Android devices.
  • 18. ROM Booting Process
    - Stock ROM varies from manufacturer to manufacturer.
    - Actually the phone booting process.
    - Short seven-step ROM booting process: power on and boot ROM code execution; the boot loader; the Linux kernel; the init process; Zygote and Dalvik; the system server; boot completed.
  • 20. Android Application Security Model
    - At installation of an app (.apk), Android checks the developer's unique signature (not a CA).
    - Next it displays the Android app's permissions. The source is located in AndroidManifest.xml.
    - This file is the key when it comes to forensic analysis and determining the permissions (of a malicious app).
  • 21. Application Process
    - Quick review of Android app execution.
    - Even though Android apps are written in Java, they are not executed in Java format.
    - Each app gets a unique Linux user ID (UID) and group ID (GID).
    - Gets its own dedicated process and dedicated Dalvik VM.
    - The app data gets stored in /data/data/<app process>, accessible only by that UID and GID (root excepted).
    - Apps can share data with other apps using content providers.
  • 22. Some useful files
    - cache.img: disk image of the /cache partition.
    - sdcard.img: disk image of the cache partition (the image here is from the AVD emulator).
    - userdata-emu.img: disk image of the data partition.
    - Useful in the areas of forensics.
  • 23. USB connection of the evidence device
    - Different devices have different options. The common four are: charge only, file transfer, sync, internet tethering.
    - Check the connection to the host by typing "dmesg".
    - Make sure you take care not to alter the evidence much.
  • 25. Precautions (must needed)
    - Make sure to disable the automount feature in Ubuntu to prevent automatic detection and mounting of USB storage.
    - Every fragile change could lead to alteration of evidence.
    - A hardware write blocker is useful to some extent.
  • 26. SD card info
    - Most of the SD card details are stored in /data/
    - App details in /data/data (it differs :P)
  • 28. Android Debug Bridge
    - The most important component when it comes to Android forensics.
    - Consider it a Swiss army knife for forensics and security analysts.
    - Enable USB debugging: Developer options > USB debugging.
    - This will run adbd (the daemon) on the device.
    - adbd runs under the user account (UID) unless prompted with root privileges.
    - If your device is locked then it is difficult to enable USB debugging (not 100% impossible).
  • 29. ADB components
    - adbd on the device.
    - adbd on the workstation.
    - adb on the workstation.
    - adb is free, the primary tool for forensics, and of course open source.
  • 30. adb shell example
    - adb shell gives out a lot of information (depends on whether you are root or not).
    - The data folder is useful when you are rooted.
  • 31. Data from adb
    - SMS history (deleted).
    - Contacts (com.phone.android).
    - Call history: received, deleted, missed etc.
    - Databook.
    - Events.
    - Calendar.
  • 32. File Systems
    - Lots of file systems in the Android operating system; more than a dozen are in use.
    - The main three are EXT, FAT32 and YAFFS2: the source for the user data.
  • 33. Data to expect in /data/data
    - Apps that are shipped with the stock ROM: browsers.
    - Apps that are manufacturer specific, e.g. HTC Sense, TouchWiz, MotoBlur.
    - Wireless carrier apps (not common in India): Carrier IQ.
    - Apps installed by Google by default: Play Store, Play Music, Maps.
    - Apps installed by the user (both marketplace and unknown-source installation).
  • 34. Data Storage Methods
    - The main methods where sensitive data is stored: shared preferences, internal storage, external storage, SQLite3, network.
  • 35. Shared Preferences
    - It is where all the data shared between the apps is stored.
    - Key values are stored in XML files.
  • 36. Internal Storage
    - Common in most systems: ext3, ext4, yaffs2.
    - An unrooted user cannot access /data/data as it is encrypted; root is needed for viewing the contents.
  • 37. Internal Storage
    - u0_a0 is the owner, meaning it is that user who installed the app "truecaller".
    - These apps and their directories are damn useful when it comes to finding evidence.
  • 38. External Storage
    - It has fewer restrictions compared to internal storage.
    - FAT32 is the commonly found file system on the SD card.
    - As suggested earlier, most app data is stored here, so it is better to look here.
  • 39. SQLite3: Native App Database
    - Lightweight RDBMS which has a C programming library.
    - Entire DB stored in a single file.
    - Most app developers store the database in internal memory, e.g. /data/data/<app name>/database.
  • 40. SQLite3: some useful commands
    - sqlite3 <dbfilename>: loads the DB
    - .tables: shows the tables
    - .headers on|off: turns headers on/off
    - .mode: output mode / file type
    - select * from <table>: displays the table attributes
    - .dump ?table?: dumps the table
    - .quit: exits the shell prompt
  • 41. SQLite3 database example
    - Little catch: sqlite3 is not installed on real phones by default.
    - For test conditions I have used the AVD emulator from Android.
    - Those databases have a lot of tables which can be real handy.
    - Some native roots have sqlite3 symlinked by default.
  • 42. Network & Linux kernel
    - Network storage in Java and Android classes: not locally but on the network and in relational databases.
    - The least-looked-at place is the heart: the Linux kernel and the kernel logs.
    - To access the kernel logs we have the "dmesg" command in the adb shell.
    - Source: Andrew Hoog
  • 43. Logcat
    - Displays almost everything that has been going on around your device, in the adb shell. http://developer.android.com/tools/help/logcat.html
    - Has different parameters.
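Slide 43 says logcat "displays almost everything" but stops there; for forensics the useful step is turning that stream into structured records you can filter and count. The following is an added example (not from the deck or from the Android project): a parser for the `logcat -v threadtime` line format, run over a constructed sample buffer. The sample lines, tags and package name are made up for illustration; the regex follows the documented threadtime layout (date, time, PID, TID, priority letter, tag, message).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `adb logcat -v threadtime` output (not captured from a real device).
# The last line is deliberately malformed to show that the parser skips rather than guesses.
SAMPLE_LOGCAT = """\
01-15 10:32:11.123  1234  1250 I ActivityManager: Start proc com.example.app for activity com.example.app/.Main
01-15 10:32:11.456  2001  2001 D PackageManager: Package com.example.app installed
01-15 10:32:12.001  2048  2048 W SQLiteLog: (284) automatic index on messages(address)
01-15 10:32:12.777  2048  2060 E AndroidRuntime: FATAL EXCEPTION: main
01-15 10:32:13.010   812   812 I UsbDeviceManager: USB debugging enabled
garbage line that does not match the format
"""

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID P TAG: message"
THREADTIME_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<prio>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)

PRIORITY_ORDER = "VDIWEF"  # verbose .. fatal, as logcat ranks them


@dataclass
class LogRecord:
    date: str
    time: str
    pid: int
    tid: int
    priority: str
    tag: str
    message: str


def parse_logcat(text: str) -> List[LogRecord]:
    """Parse threadtime-format lines; lines that do not match are dropped, not guessed at."""
    records: List[LogRecord] = []
    for line in text.splitlines():
        m = THREADTIME_RE.match(line)
        if not m:
            continue
        records.append(LogRecord(m["date"], m["time"], int(m["pid"]), int(m["tid"]),
                                 m["prio"], m["tag"], m["msg"]))
    return records


def filter_records(records: List[LogRecord], min_priority: str = "I",
                   tag: Optional[str] = None) -> List[LogRecord]:
    """Keep records at or above a priority, optionally restricted to one tag."""
    threshold = PRIORITY_ORDER.index(min_priority)
    return [r for r in records
            if PRIORITY_ORDER.index(r.priority) >= threshold and (tag is None or r.tag == tag)]


def records_mentioning(records: List[LogRecord], needle: str) -> List[LogRecord]:
    """Timeline for one package or keyword: every record whose message contains it."""
    return [r for r in records if needle in r.message]


def tag_histogram(records: List[LogRecord]) -> Counter:
    """Which components were chatty: a quick way to spot unexpected activity."""
    return Counter(r.tag for r in records)


if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOGCAT)
    for r in filter_records(recs, "W"):
        print(f"{r.date} {r.time} {r.priority}/{r.tag}: {r.message}")
    print(tag_histogram(recs))
```

On a real case you would feed it the output of `adb logcat -v threadtime -d` saved to a file, so the device is read once and the analysis happens on the workstation copy.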
  • 44. Device Handling & Forensic Rule
    - The main motto: avoid modification to evidence at all costs.
    - Simply mounting the device could lead to altering of evidence.
    - Increase the sleep timeout, which could otherwise lead to locking of the device.
    - Logcat everything that is going on.
    - Make sure of minimal modification to the evidence.
    - Enable "do not sleep while charging".
    - Put the device in flight mode or remove the SIM card (I don't recommend this).
    - Never switch off the device, whether it is unlocked or locked.
    - Work where there is no network connectivity (remote wipe & SMS malware to rip evidence?).
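Slides 39 to 41 list the sqlite3 shell commands, and slide 44 sets the rule that the evidence must not be modified. The interactive shell will happily create a journal file or write to the database if a query is mistyped, so a practitioner normally scripts the inspection in read-only mode and hashes the file before and after. The block below is an added example (not the deck's or Android's own code) that does exactly that with Python's bundled sqlite3 module; the `sms` and `calls` tables and their rows are a constructed stand-in for an app's `/data/data/<pkg>/databases/*.db` file, not data from any real device.

```python
import hashlib
import os
import sqlite3
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash the evidence file so any accidental write is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path: str) -> sqlite3.Connection:
    """mode=ro makes SQLite refuse writes; immutable=1 also stops it creating
    -journal/-wal side files or taking locks, so the directory stays untouched."""
    uri = f"file:{os.path.abspath(path)}?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def list_tables(conn: sqlite3.Connection) -> List[str]:
    """Equivalent of the .tables command in the sqlite3 shell."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def dump_table(conn: sqlite3.Connection, table: str) -> Tuple[List[str], List[tuple]]:
    """Equivalent of .headers on + SELECT * FROM <table>; the name is validated and
    double-quoted so a hostile table name in the evidence DB cannot inject SQL."""
    if not table.replace("_", "a").isalnum():
        raise ValueError(f"refusing suspicious table name: {table!r}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    headers = [d[0] for d in cur.description]
    return headers, cur.fetchall()


def triage_database(path: str) -> Dict:
    """Read every table read-only and prove the file hash did not change."""
    before = sha256_file(path)
    conn = open_readonly(path)
    try:
        tables = {t: dump_table(conn, t) for t in list_tables(conn)}
    finally:
        conn.close()
    after = sha256_file(path)
    return {"sha256_before": before, "sha256_after": after,
            "unchanged": before == after, "tables": tables}


def write_is_rejected(path: str) -> bool:
    """Demonstrate that the read-only connection really blocks modification."""
    conn = open_readonly(path)
    try:
        conn.execute("DELETE FROM sms")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def make_sample_db() -> str:
    """Constructed stand-in for an app database (not a real device artefact)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT);
        INSERT INTO sms VALUES (1, '+10000000001', 1389780731000, 'meet at 7');
        INSERT INTO sms VALUES (2, '+10000000002', 1389780800000, 'ok');
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, type INTEGER);
        INSERT INTO calls VALUES (1, '+10000000001', 2);
    """)
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    db = make_sample_db()
    report = triage_database(db)
    print("unchanged:", report["unchanged"], "write rejected:", write_is_rejected(db))
    for name, (headers, rows) in report["tables"].items():
        print(name, headers, rows)
```

Run it against a copy pulled from the device (`adb pull`), never against the live file; the before/after hash is what goes in the examiner's notes.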
  • 45. Phone switched off? What to do?
    - Try to boot into recovery: on most devices power + vol up + down, or power + vol down and then up.
    - If you can't, search xda-developers.com.
    - Connect to adb and check for root permission.
    - USB debugging enabled? You are lucky; otherwise you have to find a way to remotely activate USB debugging.
  • 46. Enable USB debugging when locked?? Possible.
  • 47. Enable USB debugging when locked?? Possible: BST (Best Smart Tools).
  • 49. Unlucky still? Here comes passcode breaking!
    - Very useful when it comes to forensics! Nothing beats this.
    - Various techniques for breaking Android passcodes. A few will be discussed here.
    - There is no direct rule for breaking passcodes.
  • 52. Cracking techniques
    - Smudge attack.
    - Pattern lock vulnerability.
    - psneuter with adb, USB debugging (if enabled).
    - Cracking the password key.
    - Face unlock pwn with a picture.
    - Continues to evolve...
  • 53. Smudge attack
    - The screen (digitizer) is a reflective surface; the smudge (pattern) diffuses into the glass. Being dust particles, they reflect when exposed to light.
    - A camera setup capturing the overexposed image around 6-8 times will give an 80% correct image. It gives out the display pattern.
    - Not always working; playing Temple Run, for example, could remove the smudge totally.
  • 55. Pattern lock crack
    - The pattern creates a file in /data/system/gesture.key; the hash is stored there.
    - If a custom recovery such as TWRP, CWM etc. is installed, remove the key using the rm command and recreate it using your own hash.
  • 56. Pattern lock crack
    - The key can also be decrypted! Some sites provide this service for free.
  • 57. Cracking PINs
    - When passwords/PINs are used they are stored in /data/system/passwords.key
    - As you can see it is not in plaintext but as random + SHA1 + MD5.
    - Not easy; depends on the nature of the password.
    - Pull the salt from /data/data/com.android.providers.settings/databases/settings.db and get the password from the above.
    - Put them in a folder and try to attack them with password recovery tools such as hashcat/John the Ripper by brute-forcing them.
  • 58. Pwn face & voice unlock
    - Not secure at all when Google introduced it in Android 4.0. Reported to unlock with a photo of the person.
    - After the KitKat update, face unlock changed so that the person has to unlock by blinking the eye, which shows the liveness of the captured image. Again easily broken by duck faces, smiling images from Facebook :P
    - "In June 2013, details emerged of a Google patent, pictured, that would let users unlock their phones by pulling silly faces, such as frowning, poking out their tongue or wriggling their nose. The expression would then be scanned and compared to a previously captured photo to confirm the user's identity" - Daily Mail (UK).
    - Voice can easily be spoofed by old-school tricks.
  • 59. Android Encryption
    - Encrypts the entire device with AES encryption.
    - Noted to reduce performance.
    - Takes at least an hour to encrypt the data.
  • 60. Get fRoSted
    - The FROST security team was able to break the encryption by cooling the device to -15 C for 60 minutes.
    - Switch off and flash the FROST recovery.
    - Not the entire AES key is decrypted; some bits were decayed.
  • 61.
  • 63. g0t root?
    - 90% of forensic tricks depend on root.
    - Not enabled on even a single device (unless the suspect rooted it on his own).
    - Not possible on all devices without altering the evidence.
    - Gaining root will leave a lot of traces. Much data gets altered.
    - Takes a lot of time searching for the correct exploit; sometimes leads to a hard brick/soft brick.
    - Root could make the device more vulnerable to future exploits.
  • 64. Types of r00t
    - Temp root: gives you root access until you reboot the device.
    - Recovery root: custom recoveries such as ClockworkMod (CWM), TWRP etc. will give root access in recovery.
    - Permanent root: installs su to the system, leaving a huge footprint. Most custom ROMs have permanent root by default, e.g. CyanogenMod, Omni, Paranoid Android etc.
  • 65. Temporary root
    - Temp root is essential when it comes to forensics (z4root.apk).
    - Doesn't work on all devices; test it first before using.
  • 66. psneuter: a temp root solution
    - Neuter is an Android server; this app exploits that server, giving us a temporary solution.
    - adb devices; adb push psneuter /data/local/tmp; adb shell; cd /data/local/tmp; chmod 777 psneuter; ./psneuter
  • 67. Permanent root
    - Not good as far as forensics is concerned.
    - Leaves a huge footprint, altering the evidence. Search XDA for more roots.
  • 68. Root with binary
    - Gives root to almost all 4.0 to 4.1 devices.
  • 69. Kingo Android Root
    - This one gives root on all 4.2.x, 4.3.x, 4.4.x.
  • 70. Android forensic techniques
    - Logical and physical acquisition.
    - Open source tools and some commercial tools: qtADB, Andriller, Cellebrite, Paraben, viaExtract...
  • 71. Logical vs physical acquisition
    - Logical: access to file systems; data which is already available to the user. E.g. ADB pull, AFLogical.
    - Physical: exploring the memory, not the file system; more data than logical, by breaking passwords etc. Hardware and software.
  • 72. Logical SD card acquisition
    - App data gets stored in /data, which is encrypted and needs root access.
    - SD cards are where the user's stuff stays (audio, video, maps).
    - Uses the cross-platform FAT FS. Most backups are stored on the SD card. .apk's on the SD card might be encrypted.
    - Useful when third-party apps are analysed.
  • 74. qtADB
  • 75. AFLogical
    - Data extraction tool.
    - Free for law enforcement agencies.
    - Records call logs, contacts etc.
    - DEMO
  • 76. UFED Touch Ultimate
    - UFED Touch Ultimate enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. Cost: $10,000.
  • 80. Andriller
    - An alternative and powerful open source tool. http://android.saz.lt/
    - Made by Denis Sazonov @den4uk.
    - Give it a try, you won't regret it.
    - DEMO
  • 81. Photos
    - Try looking here for more evidence.
  • 82. Reversing APKs
    - Rename the Android app (.apk) to .zip.
    - Extract the zip.
    - Run dex2jar on the extracted file.
    - Open the .jar in a Java decompiler.
    - Tools: APKTOOL, Androguard, APKInspector.
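Slide 20 makes the point that AndroidManifest.xml is where an app's permissions are declared and is the first thing to read when judging whether an app is malicious, and slide 82 starts the reversing procedure by treating the .apk as a zip. The block below is an added example (not from the deck, apktool or the Android project) that does the inventory half of that work without executing anything: it opens the APK as a zip, hashes every entry, checks for `classes.dex` and a signature block under `META-INF/`, and reads the manifest's `uses-permission` entries against a watch list. The sample APK, its package name `com.example.flashlight`, the placeholder `classes.dex` bytes and the `SENSITIVE_PERMISSIONS` list are all constructed for illustration; a real APK stores the manifest as binary XML, so the parser assumes the text form that apktool produces.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative watch list for a first-pass review (an assumption of this example,
# not an official Android permission classification).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed, already-decoded manifest of a "flashlight" app that asks for far more
# than a flashlight needs. Not taken from any real application.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
          package="com.example.flashlight" android:versionCode="3">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Assemble an APK-shaped zip in memory; the dex and certificate bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)      # constructed, not real bytecode
        z.writestr("META-INF/CERT.RSA", b"constructed-signature-placeholder")
        z.writestr("res/values/strings.xml", "<resources/>")
    return buf.getvalue()


def parse_permissions(manifest_xml: str) -> Dict:
    """Pull package name, declared permissions and registered receivers from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = sorted(el.get(name_attr) for el in root.iter("uses-permission"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "sensitive": sorted(p for p in perms if p in SENSITIVE_PERMISSIONS),
        "receivers": [el.get(name_attr) for el in root.iter("receiver")],
    }


def triage_apk(apk_bytes: bytes) -> Dict:
    """Inventory an APK as a zip: per-entry hashes, dex/signature presence, manifest summary."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries = {info.filename: hashlib.sha256(z.read(info.filename)).hexdigest()
                   for info in z.infolist()}
        manifest = z.read("AndroidManifest.xml").decode("utf-8")
    report = parse_permissions(manifest)
    report["apk_sha256"] = hashlib.sha256(apk_bytes).hexdigest()
    report["entries"] = entries
    report["has_dex"] = "classes.dex" in entries
    # Signature files live under META-INF/ with a .RSA/.DSA/.EC suffix (v1 signing scheme).
    report["signed"] = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                           for n in entries)
    return report


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print(rep["package"], "sha256", rep["apk_sha256"][:16])
    print("sensitive permissions:", rep["sensitive"])
    print("receivers:", rep["receivers"], "dex:", rep["has_dex"], "signed:", rep["signed"])
```

The per-entry hashes let you compare the pulled APK against a known-good copy from the store before spending time in dex2jar; a flashlight that wants SMS access and starts at boot is the sort of mismatch the manifest review on slide 20 is meant to surface.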
  • 83. Android/Torec.A
    - The first-ever Android-based Tor malware found in the wild.
    - REVERSING DEMO
  • 84. Future of Android forensics
    - Future research work will be on SEAndroid.
    - Contributed by the National Security Agency (NSA) *cough*
    - Motto: to have a secure Android.
  • 85. Then there is?
    - I'll just leave this here :P
  • 86. Wait! Wait? Wait?
    - SEAndroid was already defeated: CVE-2013-6282.
    - Pau Oliva had a POC on a Toshiba tablet running 4.3 JB.
  • 87.
  • 88. Indian cyber laws
    - Device as target or weapon.
    - IT Act 2000.
    - IT Amendment Act (2008).
    - Rules under 66A, 43A, 79.
    - Section 65A.
    - http://www.cyberforensics.in/ http://deity.gov.in/content/cyber-laws
  • 91. Feedback welcomed :D
    - Twitter: https://twitter.com/security_b0x
    - securitypentrator@live.com
  • 92. References:
    - viaforensics.com
    - forensicfocus.com
    - cellebrite.com
    - android.saz.lt
    - exploit-db.com
    - www.forensicswiki.org/wiki/Cell_Phone_Forensics
    - xda-developers.com

Editor's Notes

  1. http://en.wikipedia.org/wiki/Mobile_network_operators_of_India