BYOM
Build Your Own Methodology
(in Mobile Forensics)
24 APRIL 2020
SOMEWHERE ONLINE…
BYOM (BUILD YOUR OWN METHODOLOGY)
NEEDS
Knowledge Tools Training/Updates
Workflow Case history Standardization
KNOWLEDGE
Mobile OS
Architecture
(Android and iOS)
Versions
Security
Rooting/Jailbreaking
Encryption
Partitions layout
Cloud
File system(s)
EXT4
APFS
exFAT
FAT32
HFS+
F2FS
JFFS2/YAFFS2
File format
SQLite
Plist
XML
Protobuf
Realm
Programming
Python
SQL
Powershell
Forensic
Acquisition
Methods
Manual
Logical
Backup
File System
Physical
Cloud
SUGGESTED READINGS
MOBILE OS AND SECURITY BOOKS
Android Internals by Jonathan Levin
Android Security Internals by Nikolay Elenkov
Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin
Hacking and Securing iOS Applications by Jonathan Zdziarski
The Mobile Application Hacker’s Handbook by Shaun Colley and others
iOS Hacker’s Handbook by Stefan Esser and others
Android Hacker’s Handbook by Joshua Drake and others
Hacking Exposed Mobile by Neil Bergman and others
SUGGESTED READINGS
FILE SYSTEMS
File System Forensic Analysis by Brian Carrier
EXT https://ext4.wiki.kernel.org/
APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification
FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf
HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
SUGGESTED READINGS
FILE FORMAT
SQLite Forensics by Paul Sanderson
SQLite https://www.sqlite.org/
Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html
Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec
Realm https://realm.io/
SUGGESTED READINGS
MOBILE FORENSICS BOOKS
iPhone and iOS Forensics by Andrew Hoog
Android Forensics by Andrew Hoog
Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik
Mobile Forensics Investigations by Lee Reiber
Seeking the Truth from Mobile Evidence by John Bair
Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov
Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall
Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
COMMERCIAL TOOLS
Mobile
Forensics Tools
Belkasoft
Blackbag
Cellebrite
Elcomsoft
Grayshift
Guidance
Mobile
Forensics Tools
Magnet Forensics
MobilEdit
MSAB
Oxygen Forensics
Paraben
SecureView
Digital
Forensics Tools
AccessData
Guidance
X-Ways
Sanderson Forensic
OPEN/FREE/SHAREWARE TOOLS
ADB https://developer.android.com/studio/releases/platform-tools
Libimobiledevice https://www.libimobiledevice.org/
Autopsy https://www.sleuthkit.org/autopsy/
Andriller https://www.andriller.com/
APOLLO https://github.com/mac4n6/APOLLO
ALEAPP https://github.com/abrignoni/ALEAPP
iLEAPP https://github.com/abrignoni/iLEAPP
iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm
ArtEx https://www.doubleblak.com/software.php?app=ArtEx
MobileRevelator https://github.com/bkerler/MR
TOOLS FOR SPECIFIC FILE FORMAT
Plist Editor Pro https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite https://sqlitebrowser.org/
Realm Studio https://realm.io/products/realm-studio/
SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
MobileRevelator https://github.com/bkerler/MR
HARDWARE
Flasher
Boxes
Octoplus Pro Box
Z3X Box
Furious Gold
ORT Box
ATF Box
Flasher
Boxes
Medusa Pro
Chimera Tool
NCK Dongle
UFS Turbo Box
Miracle Box
Unlocking
Tools
XPIN Clip
MFC Dongle
BST Dongle
Others
Faraday Bags
VR-Table
Coded
Mobile Device Forensics and Analysis (MDFA)
Digital Forensics Discord Group
XDA Developers
Online Meetings
COMMUNITY
This Week in 4N6 https://thisweekin4n6.com/
About DFIR https://aboutdfir.com/
DFIR Training https://www.dfir.training/
Forensic Focus https://www.forensicfocus.com/
UPDATES
Sarah Edwards https://www.mac4n6.com
Heather Mahalik https://smarterforensics.com
Mattia Epifani http://mattiaep.blogspot.com
Adrian Leong http://cheeky4n6monkey.blogspot.com
Alexis Brignoni https://abrignoni.blogspot.com
Jon B https://www.ciofecaforensics.com
Mari DeGrazia http://az4n6.blogspot.com
Andrew Hoog https://www.hack42labs.com
Ian Whiffin http://doubleblak.com/blogs.php
Josh Hickman https://thebinaryhick.blog
BLOGS
SANS FOR 585
Smartphone Forensic Analysis In-Depth
Vendor training
• https://articles.forensicfocus.com/2020/04/13/industry-roundup-online-digital-forensics-training/
TRAINING
WORKFLOW
https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf
BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION,
PRESERVATION AND ACQUISITION
https://www.swgde.org/
INTAKE
Is it turned on or off?
(If it is on) Is it disconnected from external networks?
(If it is on) Is it protected with a passcode/pattern lock?
External physical state? (Ok/Broken/Damaged/Destroyed)
When was the device seized?
Did the user/suspect provide any code?
Does it contain SIM Card(s) and/or SD Card(s)?
IDENTIFICATION
First step: what is that??
Some methods to identify devices
• IMEI
• Model number
• Serial number
Where/how to find the IMEI number?
• Packaging box
• Rear of the device
• Under the battery
• In the SIM card tray
• *#06#
• Android Settings -> About Phone -> Status -> IMEI Information
• iPhone Settings -> General -> IMEI
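An IMEI noted at intake is easy to mistype, so an added check (not part of the deck) is worth having before the number is looked up on the sites above: the last of the 15 digits is a Luhn check digit, the first 8 are the TAC (Type Allocation Code, which identifies the model) and the next 6 the unit serial. The value used below is the well-known textbook example IMEI, not a device from any case.

```python
def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of digits (the 14-digit IMEI body).

    Every second digit counted from the right (starting with the rightmost
    body digit, which sits next to the check digit) is doubled; doubled values
    above 9 have 9 subtracted; the check digit brings the sum to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> dict:
    """Split an IMEI into TAC / serial / check digit and validate the check digit.

    Accepts separators (dashes, spaces) as printed on labels and SIM trays.
    A 14-digit value (IMEI without check digit) is accepted and completed;
    a 15-digit value has its check digit verified.
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) not in (14, 15):
        raise ValueError(f"expected 14 or 15 digits, got {len(digits)}: {raw!r}")
    body, given = digits[:14], digits[14:]
    expected = luhn_check_digit(body)
    return {
        "imei": body + str(expected),          # canonical 15-digit form
        "tac": body[:8],                        # Type Allocation Code (model)
        "serial": body[8:14],                   # per-unit serial
        "check_digit": expected,
        "check_digit_present": bool(given),
        "check_digit_valid": given == "" or int(given) == expected,
    }


if __name__ == "__main__":
    # Textbook example IMEI (constructed input, written as it appears on a label).
    for sample in ("49-015420-323751-8", "490154203237519", "49015420323751"):
        print(sample, parse_imei(sample))
```

A failed check digit does not prove the number is wrong (a few manufacturers have shipped non-Luhn IMEIs), but it is a cheap prompt to re-read the label before relying on the value.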
IDENTIFICATION
Check device
information
http://www.imei.info/
https://numberingplans.com/
http://phonedb.net/
http://www.imeipro.info/
Check device
warranty status
Samsung
https://support-ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo
Apple
https://checkcoverage.apple.com/
Huawei
https://consumer.huawei.com/us/support/warranty-query/
Oppo
https://oppo-au.custhelp.com/app/products/warranty_status
Xiaomi
https://www.mi.com/en/verify/#/en/tab/imei
Lenovo/Motorola
https://support.lenovo.com/warrantylookup
IDENTIFICATION (IMEI.INFO)
PREPARATION
DEFINE THE EXTRACTION METHOD
Check your «Case History» [NEXT SLIDE]
Check what was requested during the intake
•If you only need a specific SMS/picture/WhatsApp chat, do you really need to acquire everything?
Check support by your Mobile Forensics Toolkit(s)
Ask the community
Check for custom recoveries/engineering bootloader/flasher boxes
Verify support by specific external services
Identify specific vulnerabilities
Is a physical approach feasible?
Think outside the box…
•Cloud
•Local backup
•Provider requests
•Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
CASE HISTORY
Start building it ASAP!
Learn from your experience and errors
• When
• Device brand and model
• Device chipset brand and model
• Used tool / technique
• Obtained acquisition
• Lock bypass (yes/no)
• Encryption (yes/no)
• Case reference
• Person
• Result
• Notes
CHECK SUPPORT BY TOOLS
https://www.digitalforensiccompass.com/
ANALYSIS
Parsing with different tools has pros and cons ☺
Pros
• Different support for different OS/Apps
• Verifying the results
Cons
• Processing time
• Duplication
• Cost
Often you need to add manual parsing and investigation!
• SQL queries
• Parsing scripts
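The manual SQL/Python parsing the slide refers to, as an added example that is not part of the deck: the same logical query run against a message table from an Android extraction and from an iOS one, where the raw `date` column means different things (milliseconds since the Unix epoch on Android; seconds since 2001-01-01 on older iOS, nanoseconds since 2001-01-01 on newer iOS). The table layout and rows are constructed for the example and deliberately simplified; they are not the real mmssms.db or sms.db schema.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's reference date (2001-01-01).
COCOA_EPOCH_OFFSET = 978_307_200


def to_utc(value, platform):
    """Convert a raw timestamp column value to an aware UTC datetime.

    "android": milliseconds since the Unix epoch.
    "ios": seconds since 2001-01-01, or nanoseconds since 2001-01-01 on newer
    releases; the unit is told apart by magnitude (a nanosecond value is far
    above 10**12, a second value far below it).
    """
    value = int(value)
    if platform == "android":
        seconds, millis = divmod(value, 1000)
        return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)
    if platform == "ios":
        if value > 10**12:
            seconds, nanos = divmod(value, 10**9)
            frac = timedelta(microseconds=nanos // 1000)
        else:
            seconds, frac = value, timedelta(0)
        return datetime.fromtimestamp(COCOA_EPOCH_OFFSET + seconds, tz=timezone.utc) + frac
    raise ValueError(f"unknown platform: {platform}")


# The same conversion expressed in SQLite so that filtering happens in the query itself.
DATE_SQL = {
    "android": "datetime(date / 1000, 'unixepoch')",
    "ios": ("datetime(CASE WHEN date > 1000000000000 THEN date / 1000000000 "
            "ELSE date END + 978307200, 'unixepoch')"),
}

# Constructed sample rows: both sets describe the same two messages,
# 2020-04-24 12:00:00 UTC and 2020-04-24 13:00:00 UTC, stored the way each platform would.
SAMPLE_ROWS = {
    "android": [
        ("+15550100", 1587729600000, "see you at noon"),
        ("+15550100", 1587733200000, "running late"),
    ],
    "ios": [
        ("+15550100", 609422400, "see you at noon"),             # seconds since 2001
        ("+15550100", 609426000000000000, "running late"),       # nanoseconds since 2001
    ],
}


def build_sample_db(platform):
    """In-memory SQLite database with the constructed rows for one platform."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (address TEXT, date INTEGER, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_ROWS[platform])
    conn.commit()
    return conn


def messages_between(conn, platform, start_utc, end_utc):
    """Rows (timestamp text, address, text) whose converted UTC time lies in [start, end].

    Bounds are 'YYYY-MM-DD HH:MM:SS' strings, matching SQLite's datetime() output.
    """
    sql = (
        f"SELECT ts, address, text FROM "
        f"(SELECT {DATE_SQL[platform]} AS ts, address, text FROM message) "
        f"WHERE ts BETWEEN ? AND ? ORDER BY ts"
    )
    return conn.execute(sql, (start_utc, end_utc)).fetchall()


if __name__ == "__main__":
    for platform in ("android", "ios"):
        conn = build_sample_db(platform)
        print(platform, messages_between(conn, platform, "2020-04-24 00:00:00", "2020-04-24 12:30:00"))
        for _, raw, _ in SAMPLE_ROWS[platform]:
            print(platform, raw, to_utc(raw, platform).isoformat())
```

Running the query on both extractions should return the same message, which is the cross-check the slide's "verifying the results" point asks for when two tools disagree on a timestamp.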
STANDARDIZATION
Cyber-investigation Analysis Standard Expression
(CASE) is a community-developed specification
language
https://caseontology.org/
It is intended to serve the needs of the broadest
possible range of cyber-investigation domains,
including digital forensic science
The primary motivation for CASE is interoperability -
to advance the exchange of cyber-investigation
information between tools and organizations.
CREDITS AND CONTACTS
@RN Team
Mattia Epifani
Francesco Picasso
Claudia Meda
Fabio Massimo Ceccarelli
mattia.epifani@realitynet.it
@mattiaep

More Related Content

What's hot

Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
Manu Mathew Cherian
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
Gol D Roger
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Vikas Jain
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
saddamhusain hadimani
 
Memory Forensics
Memory ForensicsMemory Forensics
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
Andrew Case
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
CEHv9 : module 15 - hacking mobile platforms
CEHv9 : module 15 - hacking mobile platformsCEHv9 : module 15 - hacking mobile platforms
CEHv9 : module 15 - hacking mobile platforms
teknetir
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
Soumen Debgupta
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
Nikhil Mashruwala
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
Gol D Roger
 
Network forensic
Network forensicNetwork forensic
Network forensic
Manjushree Mashal
 

What's hot (20)

Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
CEHv9 : module 15 - hacking mobile platforms
CEHv9 : module 15 - hacking mobile platformsCEHv9 : module 15 - hacking mobile platforms
CEHv9 : module 15 - hacking mobile platforms
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Network forensic
Network forensicNetwork forensic
Network forensic
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
Brent Muir
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
Subho Halder
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Building aosp
Building aospBuilding aosp
Building aosp
gvercoutere
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
inovex GmbH
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03
Idel Fuschini
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
Blueboxer2014
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
Ammar WK
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
Christian Heilmann
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
Jimmy Software
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash Development
Stephen Chin
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
Reality Net System Solutions
 
Lange
LangeLange
Mobile security
Mobile securityMobile security
Mobile security
Stefaan
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Guilhem Ensuque
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And Security
James Wernicke
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics) (20)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Building aosp
Building aospBuilding aosp
Building aosp
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash Development
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Lange
LangeLange
Lange
 
Mobile security
Mobile securityMobile security
Mobile security
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And Security
 

More from Reality Net System Solutions

Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
Reality Net System Solutions
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
Reality Net System Solutions
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
Reality Net System Solutions
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
Reality Net System Solutions
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
Reality Net System Solutions
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
Reality Net System Solutions
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
Reality Net System Solutions
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
Reality Net System Solutions
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
Reality Net System Solutions
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Reality Net System Solutions
 

More from Reality Net System Solutions (10)

Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 

Recently uploaded

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
saastr
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Jeffrey Haguewood
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 

Recently uploaded (20)

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
 
Azure API Management to expose backend services securely

BYOM Build Your Own Methodology (in Mobile Forensics)

SUGGESTED READINGS
MOBILE FORENSICS BOOKS
iPhone and iOS Forensics by Andrew Hoog
Android Forensics by Andrew Hoog
Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik
Mobile Forensics Investigations by Lee Reiber
Seeking the Truth from Mobile Evidence by John Bair
Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov
Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall
Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
COMMERCIAL TOOLS
Mobile Forensics Tools
Belkasoft
Blackbag
Cellebrite
Elcomsoft
Grayshift
Guidance
Magnet Forensics
MobilEdit
MSAB
Oxygen Forensics
Paraben
SecureView
Digital Forensics Tools
AccessData
Guidance
X-Ways
Sanderson Forensic

OPEN/FREE/SHAREWARE TOOLS
ADB https://developer.android.com/studio/releases/platform-tools
Libimobiledevice https://www.libimobiledevice.org/
Autopsy https://www.sleuthkit.org/autopsy/
Andriller https://www.andriller.com/
APOLLO https://github.com/mac4n6/APOLLO
ALEAPP https://github.com/abrignoni/ALEAPP
iLEAPP https://github.com/abrignoni/iLEAPP
iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm
ArtEx https://www.doubleblak.com/software.php?app=ArtEx
MobileRevelator https://github.com/bkerler/MR

TOOLS FOR SPECIFIC FILE FORMAT
Plist Editor Pro https://www.icopybot.com/plist-editor.htm
DB Browser for SQLite https://sqlitebrowser.org/
Realm Studio https://realm.io/products/realm-studio/
SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner
SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
MobileRevelator https://github.com/bkerler/MR

HARDWARE
Flasher Boxes
Octoplus Pro Box
Z3X Box
Furious Gold
ORT Box
ATF Box
Medusa Pro
Chimera Tool
NCK Dongle
UFS Turbo Box
Miracle Box
Unlocking Tools
XPIN Clip
MFC Dongle
BST Dongle
Others
Faraday Bags
VR-Table
Coded

COMMUNITY
Mobile Device Forensics and Analysis (MDFA)
Digital Forensics Discord Group
XDA Developers
Online Meetings

UPDATES
This Week in 4N6 https://thisweekin4n6.com/
About DFIR https://aboutdfir.com/
DFIR Training https://www.dfir.training/
Forensic Focus https://www.forensicfocus.com/

BLOGS
Sarah Edwards https://www.mac4n6.com
Heather Mahalik https://smarterforensics.com
Mattia Epifani http://mattiaep.blogspot.com
Adrian Leong http://cheeky4n6monkey.blogspot.com
Alexis Brignoni https://abrignoni.blogspot.com
Jon B https://www.ciofecaforensics.com
Mari DeGrazia http://az4n6.blogspot.com
Andrew Hoog https://www.hack42labs.com
Ian Whiffin http://doubleblak.com/blogs.php
Josh Hickman https://thebinaryhick.blog
TRAINING
SANS FOR585 Smartphone Forensic Analysis In-Depth
Vendor training
https://articles.forensicfocus.com/2020/04/13/industry-roundup-online-digital-forensics-training/

BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISITION
https://www.swgde.org/

INTAKE
Is it turned on or off?
(If it is on) Is it disconnected from external networks?
(If it is on) Is it protected with a passcode/pattern lock?
External physical state? (Ok/Broken/Damaged/Destroyed)
When was the device seized?
Did the user/suspect provide any code?
Does it contain SIM Card(s) and/or SD Card(s)?
IDENTIFICATION
First step: what is that?
Some methods to identify devices
• IMEI
• Model number
• Serial number
Where/how to find the IMEI number?
• Packaging box
• Rear of the device
• Under the battery
• In the SIM card tray
• *#06#
• Android: Settings -> About Phone -> Status -> IMEI Information
• iPhone: Settings -> General -> IMEI
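Before the IMEI read off a SIM tray or a *#06# screen is typed into the lookup sites on the next slide, it is worth checking that it was transcribed correctly. The following is an added example, not code from the presentation: a 15-digit IMEI is an 8-digit Type Allocation Code (TAC), a 6-digit serial and a Luhn check digit, so a transcription error is usually caught before any lookup is made. The sample IMEI values used in the test are constructed.

```python
"""IMEI sanity check and field breakdown for device identification (added example)."""
import re


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for a digit string (the first 14 digits of an IMEI).

    Walking from the right, every second digit (starting with the rightmost)
    is doubled and digit-summed; the check digit makes the total a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> dict:
    """Normalise an IMEI as typed or OCR'd (spaces/dashes allowed) and split it.

    Returns a dict with the TAC, serial, check digit and a 'valid' flag.
    The TAC identifies the model, which is what the lookup sites resolve.
    """
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{15}", digits):
        return {"imei": digits, "valid": False, "reason": "expected 15 digits"}
    expected = luhn_check_digit(digits[:14])
    actual = int(digits[14])
    return {
        "imei": digits,
        "tac": digits[:8],       # Type Allocation Code: make/model family
        "serial": digits[8:14],  # per-unit serial within the TAC
        "check_digit": actual,
        "valid": expected == actual,
        "reason": "" if expected == actual else f"check digit should be {expected}",
    }


if __name__ == "__main__":
    # constructed sample value, not a real device
    for sample in ("49015420323751 8", "490154203237510", "4901-5420-3237"):
        print(sample, "->", parse_imei(sample))
```

A failed check does not prove the IMEI is wrong on the device (counterfeit or reflashed units exist), but a passed check lets the TAC be looked up with some confidence, and the breakdown makes it obvious when two "different" IMEIs share a TAC and therefore a model.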
IDENTIFICATION
Check device information
http://www.imei.info/
https://numberingplans.com/
http://phonedb.net/
http://www.imeipro.info/
Check device warranty status
Samsung https://support-ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo
Apple https://checkcoverage.apple.com/
Huawei https://consumer.huawei.com/us/support/warranty-query/
Oppo https://oppo-au.custhelp.com/app/products/warranty_status
Xiaomi https://www.mi.com/en/verify/#/en/tab/imei
Lenovo/Motorola https://support.lenovo.com/warrantylookup

PREPARATION
DEFINE THE EXTRACTION METHOD
Check your «Case History» [NEXT SLIDE]
Check what was requested during the intake
• If you only need a specific SMS/picture/WhatsApp chat, do you really need to acquire everything?
Check support by your Mobile Forensics Toolkit(s)
Ask the community
Check for custom recoveries/engineering bootloader/flasher boxes
Verify support by specific external services
Identify specific vulnerabilities
Is a physical approach feasible?
Think outside the box…
• Cloud
• Local backup
• Provider requests
• Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
CASE HISTORY
Start building it ASAP!
Learn from your experience and errors
• When
• Device brand and model
• Device chipset brand and model
• Used tool / technique
• Obtained acquisition
• Lock bypass (yes/no)
• Encryption (yes/no)
• Case reference
• Person
• Result
• Notes
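The fields on this slide map directly onto a small register that answers the first question of the PREPARATION slide ("check your case history"). The code below is an added example, not the presenters' tool: it keeps one SQLite row per acquisition attempt with exactly the slide's fields, and offers two lookups, prior attempts on a brand/model/chipset and the tool/technique pairs that actually succeeded on a chipset. Brand, model, chipset, case reference and analyst values in the demo rows are constructed placeholders.

```python
"""Case-history register built from the slide's fields (added example, SQLite-backed)."""
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE IF NOT EXISTS case_history (
    id             INTEGER PRIMARY KEY,
    when_date      TEXT NOT NULL,   -- "When": ISO date of the attempt
    brand          TEXT NOT NULL,   -- "Device brand and model"
    model          TEXT NOT NULL,
    chipset_brand  TEXT,            -- "Device chipset brand and model"
    chipset_model  TEXT,
    tool_technique TEXT NOT NULL,   -- "Used tool / technique"
    acquisition    TEXT NOT NULL,   -- "Obtained acquisition": Manual/Logical/Backup/File System/Physical/Cloud
    lock_bypass    INTEGER NOT NULL CHECK (lock_bypass IN (0, 1)),
    encryption     INTEGER NOT NULL CHECK (encryption IN (0, 1)),
    case_reference TEXT,
    person         TEXT,
    result         TEXT NOT NULL,   -- e.g. success / partial / failed
    notes          TEXT
);
"""

FIELDS = ("when_date", "brand", "model", "chipset_brand", "chipset_model",
          "tool_technique", "acquisition", "lock_bypass", "encryption",
          "case_reference", "person", "result", "notes")


def open_db(path=":memory:"):
    """Open (or create) the register; use a real file path to keep it between cases."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_entry(conn, **entry):
    """Insert one attempt. Unknown field names are rejected so the schema stays honest."""
    unknown = set(entry) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    entry.setdefault("when_date", date.today().isoformat())
    cols = [f for f in FIELDS if f in entry]
    placeholders = ", ".join("?" * len(cols))
    conn.execute(f"INSERT INTO case_history ({', '.join(cols)}) VALUES ({placeholders})",
                 [entry[c] for c in cols])
    conn.commit()


def lookup(conn, brand=None, model=None, chipset_model=None):
    """Prior attempts matching every given filter (case-insensitive), most recent first."""
    clauses, params = [], []
    for col, val in (("brand", brand), ("model", model), ("chipset_model", chipset_model)):
        if val is not None:
            clauses.append(f"{col} = ? COLLATE NOCASE")
            params.append(val)
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    rows = conn.execute(f"SELECT * FROM case_history {where} ORDER BY when_date DESC", params)
    return [dict(r) for r in rows.fetchall()]


def what_worked(conn, chipset_model):
    """Distinct (tool/technique, acquisition) pairs that succeeded on this chipset."""
    rows = conn.execute(
        "SELECT DISTINCT tool_technique, acquisition FROM case_history "
        "WHERE chipset_model = ? COLLATE NOCASE AND result = 'success' "
        "ORDER BY tool_technique", (chipset_model,)).fetchall()
    return [(r["tool_technique"], r["acquisition"]) for r in rows]


def demo_db():
    """Register with constructed sample rows (placeholder devices and case ids, not real cases)."""
    conn = open_db()
    add_entry(conn, when_date="2020-03-02", brand="ExampleBrand", model="EB-100",
              chipset_brand="ExampleSoC", chipset_model="XS1000",
              tool_technique="Vendor toolkit, bootloader method", acquisition="Physical",
              lock_bypass=1, encryption=1, case_reference="CASE-PLACEHOLDER-1",
              person="analyst A", result="success", notes="battery had to be charged first")
    add_entry(conn, when_date="2020-04-10", brand="ExampleBrand", model="EB-200",
              chipset_brand="ExampleSoC", chipset_model="XS1000",
              tool_technique="ADB backup", acquisition="Backup",
              lock_bypass=0, encryption=1, case_reference="CASE-PLACEHOLDER-2",
              person="analyst B", result="partial", notes="app data excluded by the apps")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(lookup(db, chipset_model="xs1000"))
    print(what_worked(db, "XS1000"))
```

Recording the chipset separately from the brand/model is the point of the slide's two "brand and model" lines: support for low-level methods follows the SoC far more than the marketing name, so a lookup by chipset finds relevant history that a lookup by model misses.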
CHECK SUPPORT BY TOOLS
https://www.digitalforensiccompass.com/

ANALYSIS
Parsing with different tools has pros and cons ☺
Pros
• Different support for different OS/Apps
• Verifying the results
Cons
• Processing time
• Duplication
• Cost
Often you need to add manual parsing and investigation!
• SQL queries
• Parsing scripts
STANDARDIZATION
Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language
https://caseontology.org/
It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science.
The primary motivation for CASE is interoperability: to advance the exchange of cyber-investigation information between tools and organizations.

CREDITS AND CONTACTS
@RN Team
Mattia Epifani
Francesco Picasso
Claudia Meda
Fabio Massimo Ceccarelli
mattia.epifani@realitynet.it
@mattiaep