SlideShare a Scribd company logo

BYOM Build Your Own Methodology (in Mobile Forensics)

Reality Net System Solutions
Reality Net System Solutions

Life Has No Ctrl Alt Del Mattia Epifani

Technology
1 of 29
Download to read offline
BYOM Build Your Own Methodology (in Mobile Forensics) 24 APRIL 2020 SOMEWHERE ONLINE…
BYOM (BUILD YOUR OWN METHODOLOGY) NEEDS Knowledge Tools Training/Updates Workflow Case history Standardization
KNOWLEDGE Mobile OS Architecture (Android and iOS) Versions Security Rooting/Jailbreaking Encryption Partitions layout Cloud File system(s) EXT4 APFS exFAT FAT32 HFS+ F2FS JFFS2/YAFFS2 File format SQLite Plist XML Protobuf Realm Programming Python SQL Powershell Forensic Acquisition Methods Manual Logical Backup File System Physical Cloud
SUGGESTED READINGS MOBILE OS AND SECURITY BOOKS Android Internals by Jonathan Levin Android Security Internals by Nikolay Elenkov Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin Hacking and Securing iOS Applications by Jonathan Zdziarski The Mobile Application Hacker’s Handbook by Shaun Colley and others iOS Hacker’s Handbook by Stefen Esser and others Android Hacker’s Handbook by Joshua Drake and others Hacking Exposed Mobile by Neil Bergman and others
SUGGESTED READINGS FILE SYSTEMS File System Forensic Analysis by Brian Carrier EXT https://ext4.wiki.kernel.org/ APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
SUGGESTED READINGS FILE FORMAT SQLite Forensics by Paul Sanderson SQLite https://www.sqlite.org/ Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec Realm https://realm.io/
SUGGESTED READINGS MOBILE FORENSICS BOOKS iPhone and iOS Forensics by Andrew Hogg Android Forensics by Andrew Hogg Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik Mobile Forensics Investigations by Lee Reiber Seeking the Truth from Mobile Evidence by John Bair Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
COMMERCIAL TOOLS Mobile Forensics Tools Belkasoft Blackbag Cellebrite Elcomsoft Grayshift Guidance Mobile Forensics Tools Magnet Forensics MobilEdit MSAB Oxygen Forensics Paraben SecureView Digital Forensics Tools AccessData Guidance X-Ways Sanderson Forensic
OPEN/FREE/SHAREWARE TOOLS ADB https://developer.android.com/studio/releases/platform-tools Libimobiledevice https://www.libimobiledevice.org/ Autopsy https://www.sleuthkit.org/autopsy/ Andriller https://www.andriller.com/ APOLLO https://github.com/mac4n6/APOLLO ALEAPP https://github.com/abrignoni/ALEAPP iLEAPP https://github.com/abrignoni/iLEAPP iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm ArtEx https://www.doubleblak.com/software.php?app=ArtEx MobileRevelator https://github.com/bkerler/MR
TOOLS FOR SPECIFIC FILE FORMAT Plist Editor Pro https://www.icopybot.com/plist-editor.htm DB Browser for SQLite https://sqlitebrowser.org/ Realm Studio https://realm.io/products/realm-studio/ SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts MobileRevelator https://github.com/bkerler/MR
HARDWARE Flasher Boxes Octoplus Pro Box Z3X Box Furious Gold ORT Box ATF Box Flasher Boxes Medusa Pro Chimera Tool NCK Dongle UFS Turbo Box Miracle Box Unlocking Tools XPIN Clip MFC Dongle BST Dongle Others Faraday Bags VR-Table Coded
Mobile Device Forensics and Analysis (MDFA) Digital Forensics Discord Group XDA Developers Online Meetings COMMUNITY
This Week in 4N6 https://thisweekin4n6.com/ About DFIR https://aboutdfir.com/ DFIR Training https://www.dfir.training/ Forensic Focus https://www.forensicfocus.com/ UPDATES
Sarah Edwards https://www.mac4n6.com Heather Mahalik https://smarterforensics.com Mattia Epifani http://mattiaep.blogspot.com Adrian Leong http://cheeky4n6monkey.blogspot.com Alexis Brignoni https://abrignoni.blogspot.com Jon B https://www.ciofecaforensics.com Mari DeGrazia http://az4n6.blogspot.com Andrew Hoog https://www.hack42labs.com Ian Whiffin http://doubleblak.com/blogs.php Josh Hickman https://thebinaryhick.blog BLOGS
SANS FOR 585 Smartphone Forensic Analysis In-Depth Vendor training • https://articles.forensicfocus.com/2020/04/13/industry- roundup-online-digital-forensics-training/ TRAINING
WORKFLOW https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf
BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISTION https://www.swgde.org/
INTAKE Is it turned on or off? (If it is on) Is it disconnected from external networks? (If it is on) Is it protected with a passcode/pattern lock? External physical state? (Ok/Broken/Damaged/Destroyed) When was the device seized? Did the user/suspect provided any code? Does it contain SIM Card(s) and/or SD Card(s)?
IDENTIFICATION First step: what is that?? Some methods to identify devices • IMEI • Model number • Serial number Where/how to find the IMEI number? • Packaging box • Rear of the device • Under the battery • In the SIM card tray • *#06# • Android Settings -> About Phone -> Status -> IMEI Information • iPhone Settings -> General -> IMEI
IDENTIFICATION Check device information http://www.imei.info/ https://numberingplans.com/ http://phonedb.net/ http://www.imeipro.info/ Check device warranty status Samsung https://support- ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo Apple https://checkcoverage.apple.com/ Huawei https://consumer.huawei.com/us/support/warranty-query/ Oppo https://oppo-au.custhelp.com/app/products/warranty_status Xiaomi https://www.mi.com/en/verify/#/en/tab/imei Lenovo/Motorola https://support.lenovo.com/warrantylookup
IDENTIFICATION (IMEI.INFO)
PREPARATION DEFINE THE EXTRACTION METHOD Check your «Case History» [NEXT SLIDE] Check what was requested during the intake •If you need just only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything? Check support by your Mobile Forensics Toolkit(s) Ask the community Check for custom recoveries/engineering bootloader/flasher boxes Verify support by specific external services Identify specific vulnerabilities A physical approach is feasible? Think outside the box… •Cloud •Local backup •Provider requests •Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
CASE HISTORY Start building it ASAP! Learn from your experience and errors • When • Device brand and model • Device chipset brand and model • Used tool / tecnhique • Obtained acquisition • Lock bypass (yes/no) • Encryption (yes/no) • Case reference • Person • Result • Notes
CHECK SUPPORT BY TOOLS https://www.digitalforensiccompass.com/
ANALYSIS Parsing with different tools has pros and cons ☺ Pros • Different support for different OS/Apps • Verifying the results Cons • Processing time • Duplication • Cost Often you need to add manual parsing and investigation! • SQL queries • Parsing scripts
ANALYSIS
ANALYSIS
STANDARDIZATION Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language https://caseontology.org/ It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science The primary motivation for CASE is interoperability - to advance the exchange of cyber-investigation information between tools and organizations.
CREDITS AND CONTACTS @RN Team Mattia Epifani Francesco Picasso Claudia Meda Fabio Massimo Ceccarelli mattia.epifani@realitynet.it @mattiaep

Recommended

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Ensuring Mobile Device Security
Ensuring Mobile Device SecurityEnsuring Mobile Device Security
Ensuring Mobile Device SecurityQuick Heal Technologies Ltd.
 
Fundamentals of Mobile App Development Technology
Fundamentals of Mobile App Development TechnologyFundamentals of Mobile App Development Technology
Fundamentals of Mobile App Development TechnologyOrchestrate Mortgage and Title Solutions, LLC
 
My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentationPaul Wilson
 
Ios seminar
Ios seminarIos seminar
Ios seminarKurikkal Ashique
 
Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasuresNoushin Ahson
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityNemwos
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101Lookout
 

Recommended

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Ensuring Mobile Device Security
Ensuring Mobile Device SecurityEnsuring Mobile Device Security
Ensuring Mobile Device SecurityQuick Heal Technologies Ltd.
 
Fundamentals of Mobile App Development Technology
Fundamentals of Mobile App Development TechnologyFundamentals of Mobile App Development Technology
Fundamentals of Mobile App Development TechnologyOrchestrate Mortgage and Title Solutions, LLC
 
My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentationPaul Wilson
 
Ios seminar
Ios seminarIos seminar
Ios seminarKurikkal Ashique
 
Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasuresNoushin Ahson
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityNemwos
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101Lookout
 
Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
PPT on iOS
PPT on iOS PPT on iOS
PPT on iOS Ravi Ranjan
 
Voice interfaces
Voice interfacesVoice interfaces
Voice interfacesSam Machin
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with MetasploitPrakashchand Suthar
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Huntingn|u - The Open Security Community
 
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptxSecurity Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptxVikas Singh Yadav
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Building your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from ScratchBuilding your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from ScratchJay Turla
 
iOS PPT
iOS PPTiOS PPT
iOS PPTSarika Naidu
 
Mobile IP Presentation
Mobile IP Presentation Mobile IP Presentation
Mobile IP Presentation Er. Rahul Jain
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Ios vs android
Ios vs androidIos vs android
Ios vs androidDawood University of Engineering and Technology
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesLearningwithRayYT
 
IOS security
IOS securityIOS security
IOS securitybakhti rahman
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

More Related Content

What's hot

Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Voice interfaces
Voice interfacesVoice interfaces
Voice interfacesSam Machin
 
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptxSecurity Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptxVikas Singh Yadav
 
Building your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from ScratchBuilding your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from ScratchJay Turla
 
Mobile IP Presentation
Mobile IP Presentation Mobile IP Presentation
Mobile IP Presentation Er. Rahul Jain
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesLearningwithRayYT
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 

What's hot (20)

Smartphone security
Smartphone securitySmartphone security
Smartphone security
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
PPT on iOS
PPT on iOS PPT on iOS
PPT on iOS
 
Voice interfaces
Voice interfacesVoice interfaces
Voice interfaces
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptxSecurity Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Building your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from ScratchBuilding your Car Hacking Labs & Car Hacking Community from Scratch
Building your Car Hacking Labs & Car Hacking Community from Scratch
 
iOS PPT
iOS PPTiOS PPT
iOS PPT
 
Mobile IP Presentation
Mobile IP Presentation Mobile IP Presentation
Mobile IP Presentation
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Ios vs android
Ios vs androidIos vs android
Ios vs android
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research Sources
 
IOS security
IOS securityIOS security
IOS security
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTinovex GmbH
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03Idel Fuschini
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? Blueboxer2014
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaChristian Heilmann
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash DevelopmentStephen Chin
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesReality Net System Solutions
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioGuilhem Ensuque
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And SecurityJames Wernicke
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics) (20)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Building aosp
Building aospBuilding aosp
Building aosp
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash Development
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Lange
LangeLange
Lange
 
Mobile security
Mobile securityMobile security
Mobile security
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And Security
 

More from Reality Net System Solutions

iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 

More from Reality Net System Solutions (11)

Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 

BYOM Build Your Own Methodology (in Mobile Forensics)

  • 1. BYOM Build Your Own Methodology (in Mobile Forensics) 24 APRIL 2020 SOMEWHERE ONLINE…
  • 2. BYOM (BUILD YOUR OWN METHODOLOGY) NEEDS Knowledge Tools Training/Updates Workflow Case history Standardization
  • 3. KNOWLEDGE Mobile OS Architecture (Android and iOS) Versions Security Rooting/Jailbreaking Encryption Partitions layout Cloud File system(s) EXT4 APFS exFAT FAT32 HFS+ F2FS JFFS2/YAFFS2 File format SQLite Plist XML Protobuf Realm Programming Python SQL Powershell Forensic Acquisition Methods Manual Logical Backup File System Physical Cloud
  • 4. SUGGESTED READINGS MOBILE OS AND SECURITY BOOKS Android Internals by Jonathan Levin Android Security Internals by Nikolay Elenkov Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin Hacking and Securing iOS Applications by Jonathan Zdziarski The Mobile Application Hacker’s Handbook by Shaun Colley and others iOS Hacker’s Handbook by Stefen Esser and others Android Hacker’s Handbook by Joshua Drake and others Hacking Exposed Mobile by Neil Bergman and others
  • 5. SUGGESTED READINGS FILE SYSTEMS File System Forensic Analysis by Brian Carrier EXT https://ext4.wiki.kernel.org/ APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
  • 6. SUGGESTED READINGS FILE FORMAT SQLite Forensics by Paul Sanderson SQLite https://www.sqlite.org/ Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec Realm https://realm.io/
  • 7. SUGGESTED READINGS MOBILE FORENSICS BOOKS iPhone and iOS Forensics by Andrew Hogg Android Forensics by Andrew Hogg Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik Mobile Forensics Investigations by Lee Reiber Seeking the Truth from Mobile Evidence by John Bair Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
  • 8. COMMERCIAL TOOLS Mobile Forensics Tools Belkasoft Blackbag Cellebrite Elcomsoft Grayshift Guidance Mobile Forensics Tools Magnet Forensics MobilEdit MSAB Oxygen Forensics Paraben SecureView Digital Forensics Tools AccessData Guidance X-Ways Sanderson Forensic
  • 9. OPEN/FREE/SHAREWARE TOOLS ADB https://developer.android.com/studio/releases/platform-tools Libimobiledevice https://www.libimobiledevice.org/ Autopsy https://www.sleuthkit.org/autopsy/ Andriller https://www.andriller.com/ APOLLO https://github.com/mac4n6/APOLLO ALEAPP https://github.com/abrignoni/ALEAPP iLEAPP https://github.com/abrignoni/iLEAPP iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm ArtEx https://www.doubleblak.com/software.php?app=ArtEx MobileRevelator https://github.com/bkerler/MR
  • 10. TOOLS FOR SPECIFIC FILE FORMAT Plist Editor Pro https://www.icopybot.com/plist-editor.htm DB Browser for SQLite https://sqlitebrowser.org/ Realm Studio https://realm.io/products/realm-studio/ SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts MobileRevelator https://github.com/bkerler/MR
  • 11. HARDWARE Flasher Boxes Octoplus Pro Box Z3X Box Furious Gold ORT Box ATF Box Flasher Boxes Medusa Pro Chimera Tool NCK Dongle UFS Turbo Box Miracle Box Unlocking Tools XPIN Clip MFC Dongle BST Dongle Others Faraday Bags VR-Table Coded
  • 12. Mobile Device Forensics and Analysis (MDFA) Digital Forensics Discord Group XDA Developers Online Meetings COMMUNITY
  • 13. This Week in 4N6 https://thisweekin4n6.com/ About DFIR https://aboutdfir.com/ DFIR Training https://www.dfir.training/ Forensic Focus https://www.forensicfocus.com/ UPDATES
  • 14. Sarah Edwards https://www.mac4n6.com Heather Mahalik https://smarterforensics.com Mattia Epifani http://mattiaep.blogspot.com Adrian Leong http://cheeky4n6monkey.blogspot.com Alexis Brignoni https://abrignoni.blogspot.com Jon B https://www.ciofecaforensics.com Mari DeGrazia http://az4n6.blogspot.com Andrew Hoog https://www.hack42labs.com Ian Whiffin http://doubleblak.com/blogs.php Josh Hickman https://thebinaryhick.blog BLOGS
  • 15. SANS FOR 585 Smartphone Forensic Analysis In-Depth Vendor training • https://articles.forensicfocus.com/2020/04/13/industry- roundup-online-digital-forensics-training/ TRAINING
  • 17. BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISTION https://www.swgde.org/
  • 18. INTAKE Is it turned on or off? (If it is on) Is it disconnected from external networks? (If it is on) Is it protected with a passcode/pattern lock? External physical state? (Ok/Broken/Damaged/Destroyed) When was the device seized? Did the user/suspect provided any code? Does it contain SIM Card(s) and/or SD Card(s)?
  • 19. IDENTIFICATION First step: what is that?? Some methods to identify devices • IMEI • Model number • Serial number Where/how to find the IMEI number? • Packaging box • Rear of the device • Under the battery • In the SIM card tray • *#06# • Android Settings -> About Phone -> Status -> IMEI Information • iPhone Settings -> General -> IMEI
  • 20. IDENTIFICATION Check device information http://www.imei.info/ https://numberingplans.com/ http://phonedb.net/ http://www.imeipro.info/ Check device warranty status Samsung https://support- ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo Apple https://checkcoverage.apple.com/ Huawei https://consumer.huawei.com/us/support/warranty-query/ Oppo https://oppo-au.custhelp.com/app/products/warranty_status Xiaomi https://www.mi.com/en/verify/#/en/tab/imei Lenovo/Motorola https://support.lenovo.com/warrantylookup
  • 22. PREPARATION DEFINE THE EXTRACTION METHOD Check your «Case History» [NEXT SLIDE] Check what was requested during the intake •If you need just only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything? Check support by your Mobile Forensics Toolkit(s) Ask the community Check for custom recoveries/engineering bootloader/flasher boxes Verify support by specific external services Identify specific vulnerabilities A physical approach is feasible? Think outside the box… •Cloud •Local backup •Provider requests •Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
  • 23. CASE HISTORY Start building it ASAP! Learn from your experience and errors • When • Device brand and model • Device chipset brand and model • Used tool / tecnhique • Obtained acquisition • Lock bypass (yes/no) • Encryption (yes/no) • Case reference • Person • Result • Notes
  • 24. CHECK SUPPORT BY TOOLS https://www.digitalforensiccompass.com/
  • 25. ANALYSIS Parsing with different tools has pros and cons ☺ Pros • Different support for different OS/Apps • Verifying the results Cons • Processing time • Duplication • Cost Often you need to add manual parsing and investigation! • SQL queries • Parsing scripts
  • 28. STANDARDIZATION Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language https://caseontology.org/ It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science The primary motivation for CASE is interoperability - to advance the exchange of cyber-investigation information between tools and organizations.
  • 29. CREDITS AND CONTACTS @RN Team Mattia Epifani Francesco Picasso Claudia Meda Fabio Massimo Ceccarelli mattia.epifani@realitynet.it @mattiaep