SlideShare a Scribd company logo

Tisa mobile forensic

Prathan Phongthiproek
Prathan Phongthiproek

IOS Forensic

Technology
1 of 48
Download to read offline
Mobile/Smart Phone Forensic Watcharaphon Wongaphai Senior Information Security Instructor GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA Prathan Phongthiproek Section Manager, Senior Information Security Consultant GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F ACIS Professional Center
Outline 1)  Introduction to Mobile Forensic! 2)  Forensic Analysis of iphone! -  JailBroken! -  iTune Backup files!
Forensic Soundness •  What did it mean for disk forensics?! •  Does it mean the same thing?! •  Mobile devices are volatile, by nature! –  Real time clock changing in memory all the time! –  Acquiring SMS messages may change their status to “Read”! –  Some tools run code on the device itself!! •  Our goal is to change as little as possible! –  Perhaps disable automatic sync when using Blackberry Desktop Manager, and disable conversion to local time in ABC Amber Converter!
Evidence Take-In and Chain of Custody •  Document the scene! –  Handle with care, and gloves!! –  For the Chain of Custody form, find the serial number! –  Don’t forget MicroSD cards!! –  Photograph the device where it is found! –  Document what is showing on the screen, if anything! –  Power concerns! –  Take cables and documentation!
Blocking Network Connectivity •  Disable the radio! –  How can you be sure it’s disabled?! •  Faraday isolation! –  Not all products are created equal!!! –  Usually causes the battery to be depleted more quickly! •  Use a “safe” SIM card! •  Remember, you want to turn off the phones connectivity to the service provider, as well as Wifi and Bluetooth connectivity! •  Exercise: Disable network connectivity on your own phone.!
! •  What! –  Phone call database! –  E-mail and memos! –  SMS/MMS! –  Internet and LAN access! –  Visited URLs and saved pages! •  Where! –  Location information!
! •  Who! –  Owner details and user accounts! –  Contacts and cohorts! –  Personalizations (wallpaper, ringtones)! •  When! –  Calendar items! –  File system metadata! –  Timestamps may not be immediately visible!
Messaging •  Short message service (SMS)! •  Multimedia message service (MMS)! •  Instant messaging! •  Blackberry! –  PIN messages! –  Blackberry IM!
Internet Activities •  Downloaded images and web pages! •  Email! •  Visited URLs! •  History log! •  Browser cache!
Location Tracking •  Location-based applications! –  Loopt! –  Google Latitude! –  Yahoo! Fire Eagle! –  Citysense! –  LifeBlog! –  Facebook (Friends on Fire)! –  Foursqare! –  Twitter!
GPS Embedded in Photos •  GPS coordinates embedded in Exif! •  Same Exif we talked about for disk forensics! •  This is often automatically added if the phone is GPS aware.!
Think Outside the Device •  Past usage information! –  Network service provider records! –  Look for paper bills! •  Detailed history of usage! –  Date and duration of calls! –  Numbers called! –  SMS message sent (no content retained)! •  NSP maintains detailed records! –  Calling IMSI and IMEI! –  Called IMSI and IMEI! –  Location: first and last cell! –  Charging details!
Iphone Forensic with Jailbroken
Zdziarski Technique •  Step by Step! SSH Connection •  Jailbreak! •  Forensic Acquisition! •  SSH! •  Create image by using dd command! •  Transfer image using netcat! DD image via Netcat •  Use scalpel to carving data!
Zdziarski Technique •  Example Command! andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2 root@192.168.0.2′s password: -sh-3.2# cd / -sh-3.2# umount -f /private/var -sh-3.2# mount -o ro /private/var -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000 andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./ rdisk0s2 bs=4096
Bypass Passcode
DiskAid
iPhone Explorer
iPhone Explorer Delete this file for bypass passcode
iPhone System path
What can be recovered ?
Contact
Calendar Event
SMS
Facebook Application
Geo-location Cache
Geo-location Cache
Geo-location Cache
Geo-location Cache
Iphone Forensic with iTune Backup files
SYNC and Backup •  After activation, when the iPhone is connected to the computer a sync will be conducted! •  The user can define what is to be Synced to include:! •  Music! •  Photos! •  Ringtones! •  Contacts & Calendars! •  Podcasts! •  Video! •  Third party applications! •  Third party applications can initiate the use of the iPhone as a file storage device!
SYNC and Backup •  Backup data location! •  Windows XP! •  C:Documents and Settings(username)Application DataApple Computer MobileSyncBackup! •  Windows 7! •  C:Users(username)AppDataRoamingApple ComputerMobileSyncBackup! •  Mac OS X! •  /Users/(username)/Library/Application Support/MobileSync/Backup/!
SYNC and Backup •  Backup folder files! •  Many .mdbackup files! •  The name of the file is the SHA1 hash when backed up from the iPhone and the data is seralized off the iPhone and stored as the backup file! •  Status.plist! •  Status of last sync! •  Manifest.plist! •  List of all files backed up, modification time and hash signature! •  Info.plist! •  Information about the iPhone (Name, ICCID, IMEI, Number, Firmware version)!
.mdbackup files •  Safari History & Bookmarks! •  Photos (phone & synced iPhoto)! •  Sent & Received SMS! •  Calendar Events! •  Notes! •  Address Book Entries! •  Call History! •  Cookies! •  Google Map History! •  Email Account Settings! •  YouTube Last Search, Last Viewed & Bookmarks data!
Forensic Analysis Tool for Backup files •  iPhone Backup Extractor! •  iPhone Backup Analyzer! •  MobileSyncBrowser! •  MDBackupExtract! •  WOLF - Sixth Legion! •  Device Seizure - Paraben!
Unprotected Backup files
Protected Backup files
Protected Backup files
Elcomsoft Phone Password Breaker •  Brute-Force backup password with GPU!
Brute-Force Backup password
Keychain Explorer #1
Keychain Explorer #2
Keychain Explorer #2
Iphone Backup Extractor
Iphone Backup Analyzer
Iphone Backup Analyzer
Iphone Backup Analyzer
http://www. TISA.or.th Copayright © 2012 TISA and its respective author (Thailand Information Security Association) Please contact : varapong@acisonline.net

Recommended

Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Android Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesAndroid Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesIbrahim Mosaad
 
Android forensics (Manish Chasta)
Android forensics (Manish Chasta)Android forensics (Manish Chasta)
Android forensics (Manish Chasta)ClubHack
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating Systemnishant24894
 
File000127
File000127File000127
File000127Desmond Devendran
 

Recommended

Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Android Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesAndroid Mobile forensics with custom recoveries
Android Mobile forensics with custom recoveriesIbrahim Mosaad
 
Android forensics (Manish Chasta)
Android forensics (Manish Chasta)Android forensics (Manish Chasta)
Android forensics (Manish Chasta)ClubHack
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating Systemnishant24894
 
File000127
File000127File000127
File000127Desmond Devendran
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesIgor Korkin
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
File000122
File000122File000122
File000122Desmond Devendran
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
File000126
File000126File000126
File000126Desmond Devendran
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensicsdefconmoscow
 
File000129
File000129File000129
File000129Desmond Devendran
 
File000174
File000174File000174
File000174Desmond Devendran
 
File000125
File000125File000125
File000125Desmond Devendran
 
File000124
File000124File000124
File000124Desmond Devendran
 
File000128
File000128File000128
File000128Desmond Devendran
 
Internet Evidence Finder Overview
Internet Evidence Finder OverviewInternet Evidence Finder Overview
Internet Evidence Finder OverviewJADsoftware1
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
 
Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationVincent Ohprecio
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 

More Related Content

What's hot

A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesIgor Korkin
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensicsdefconmoscow
 
Internet Evidence Finder Overview
Internet Evidence Finder OverviewInternet Evidence Finder Overview
Internet Evidence Finder OverviewJADsoftware1
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
 

What's hot (20)

A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
 
File000122
File000122File000122
File000122
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 
File000126
File000126File000126
File000126
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
File000129
File000129File000129
File000129
 
File000174
File000174File000174
File000174
 
File000125
File000125File000125
File000125
 
File000124
File000124File000124
File000124
 
File000128
File000128File000128
File000128
 
Internet Evidence Finder Overview
Internet Evidence Finder OverviewInternet Evidence Finder Overview
Internet Evidence Finder Overview
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysis
 

Viewers also liked

Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationVincent Ohprecio
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014ITInnovationDayNL
 
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...CSCJournals
 
Babadook
BabadookBabadook
Babadookjupton1
 
MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 ICMI Pusat
 
Looking for Information Vacuums
Looking for Information VacuumsLooking for Information Vacuums
Looking for Information VacuumsInfo Ops HQ
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupVincent Ohprecio
 
Mobile security
Mobile securityMobile security
Mobile securityMphasis
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsSandeep Saxena
 
Mobile Application Security by Design
Mobile Application Security by DesignMobile Application Security by Design
Mobile Application Security by DesignDMI
 
Cloud Computing Security Issues
Cloud Computing Security IssuesCloud Computing Security Issues
Cloud Computing Security IssuesStelios Krasadakis
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsGovind Maheswaran
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
iPhone forensics, without the iPhone
iPhone forensics, without the iPhoneiPhone forensics, without the iPhone
iPhone forensics, without the iPhonehrgeeks
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
Metin Madenciliği ile Cümleleri Kategorilendirme
Metin Madenciliği ile Cümleleri KategorilendirmeMetin Madenciliği ile Cümleleri Kategorilendirme
Metin Madenciliği ile Cümleleri KategorilendirmeOğuzcan Pamuk
 

Viewers also liked (20)

Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset Visualization
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014
 
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...
Performance Analysis of Mobile Security Protocols: Encryption and Authenticat...
 
Babadook
BabadookBabadook
Babadook
 
Updated CV
Updated CVUpdated CV
Updated CV
 
MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11 MEDIA ICMI EDISI 11
MEDIA ICMI EDISI 11
 
Looking for Information Vacuums
Looking for Information VacuumsLooking for Information Vacuums
Looking for Information Vacuums
 
Mobile security
Mobile securityMobile security
Mobile security
 
iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes Backup
 
Mobile security
Mobile securityMobile security
Mobile security
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security Metrics
 
Mobile Application Security by Design
Mobile Application Security by DesignMobile Application Security by Design
Mobile Application Security by Design
 
Cloud Computing Security Issues
Cloud Computing Security IssuesCloud Computing Security Issues
Cloud Computing Security Issues
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and Forensics
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensics
 
iPhone forensics, without the iPhone
iPhone forensics, without the iPhoneiPhone forensics, without the iPhone
iPhone forensics, without the iPhone
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
Metin Madenciliği ile Cümleleri Kategorilendirme
Metin Madenciliği ile Cümleleri KategorilendirmeMetin Madenciliği ile Cümleleri Kategorilendirme
Metin Madenciliği ile Cümleleri Kategorilendirme
 

Similar to Tisa mobile forensic

Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_sameSkyler Lewis
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredTom Eston
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
liferay-safe-slides.pdf
liferay-safe-slides.pdfliferay-safe-slides.pdf
liferay-safe-slides.pdfSalini P
 
Hacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsHacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsEC-Council
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libinlibinp
 
Android slides
Android slidesAndroid slides
Android slides23375174
 

Similar to Tisa mobile forensic (20)

Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_same
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and Uncensored
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
WWDC 2017
WWDC 2017WWDC 2017
WWDC 2017
 
iOS platform
iOS platformiOS platform
iOS platform
 
Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011
 
liferay-safe-slides.pdf
liferay-safe-slides.pdfliferay-safe-slides.pdf
liferay-safe-slides.pdf
 
Hacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsHacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & Solutions
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application Review
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libin
 
Android slides
Android slidesAndroid slides
Android slides
 
Android slides
Android slidesAndroid slides
Android slides
 
Android slides
Android slidesAndroid slides
Android slides
 
Android ppt.
Android ppt.Android ppt.
Android ppt.
 
Android slides
Android slidesAndroid slides
Android slides
 

More from Prathan Phongthiproek

The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationPrathan Phongthiproek
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetPrathan Phongthiproek
 
Tisa-Social Network and Mobile Security
Tisa-Social Network and Mobile SecurityTisa-Social Network and Mobile Security
Tisa-Social Network and Mobile SecurityPrathan Phongthiproek
 

More from Prathan Phongthiproek (20)

Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team Operation
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
The Hookshot: Runtime Exploitation
The Hookshot: Runtime ExploitationThe Hookshot: Runtime Exploitation
The Hookshot: Runtime Exploitation
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomware
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application Attacks
 
Owasp Top 10 Mobile Risks
Owasp Top 10 Mobile RisksOwasp Top 10 Mobile Risks
Owasp Top 10 Mobile Risks
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration Testing
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
Tisa-Social Network and Mobile Security
Tisa-Social Network and Mobile SecurityTisa-Social Network and Mobile Security
Tisa-Social Network and Mobile Security
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Tisa mobile forensic

  • 1. Mobile/Smart Phone Forensic Watcharaphon Wongaphai Senior Information Security Instructor GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA Prathan Phongthiproek Section Manager, Senior Information Security Consultant GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F ACIS Professional Center
  • 2. Outline 1)  Introduction to Mobile Forensic! 2)  Forensic Analysis of iphone! -  JailBroken! -  iTune Backup files!
  • 3. Forensic Soundness •  What did it mean for disk forensics?! •  Does it mean the same thing?! •  Mobile devices are volatile, by nature! –  Real time clock changing in memory all the time! –  Acquiring SMS messages may change their status to “Read”! –  Some tools run code on the device itself!! •  Our goal is to change as little as possible! –  Perhaps disable automatic sync when using Blackberry Desktop Manager, and disable conversion to local time in ABC Amber Converter!
  • 4. Evidence Take-In and Chain of Custody •  Document the scene! –  Handle with care, and gloves!! –  For the Chain of Custody form, find the serial number! –  Don’t forget MicroSD cards!! –  Photograph the device where it is found! –  Document what is showing on the screen, if anything! –  Power concerns! –  Take cables and documentation!
  • 5. Blocking Network Connectivity •  Disable the radio! –  How can you be sure it’s disabled?! •  Faraday isolation! –  Not all products are created equal!!! –  Usually causes the battery to be depleted more quickly! •  Use a “safe” SIM card! •  Remember, you want to turn off the phones connectivity to the service provider, as well as Wifi and Bluetooth connectivity! •  Exercise: Disable network connectivity on your own phone.!
  • 6. ! •  What! –  Phone call database! –  E-mail and memos! –  SMS/MMS! –  Internet and LAN access! –  Visited URLs and saved pages! •  Where! –  Location information!
  • 7. ! •  Who! –  Owner details and user accounts! –  Contacts and cohorts! –  Personalizations (wallpaper, ringtones)! •  When! –  Calendar items! –  File system metadata! –  Timestamps may not be immediately visible!
  • 8. Messaging •  Short message service (SMS)! •  Multimedia message service (MMS)! •  Instant messaging! •  Blackberry! –  PIN messages! –  Blackberry IM!
  • 9. Internet Activities •  Downloaded images and web pages! •  Email! •  Visited URLs! •  History log! •  Browser cache!
  • 10. Location Tracking •  Location-based applications! –  Loopt! –  Google Latitude! –  Yahoo! Fire Eagle! –  Citysense! –  LifeBlog! –  Facebook (Friends on Fire)! –  Foursqare! –  Twitter!
  • 11. GPS Embedded in Photos •  GPS coordinates embedded in Exif! •  Same Exif we talked about for disk forensics! •  This is often automatically added if the phone is GPS aware.!
  • 12. Think Outside the Device •  Past usage information! –  Network service provider records! –  Look for paper bills! •  Detailed history of usage! –  Date and duration of calls! –  Numbers called! –  SMS message sent (no content retained)! •  NSP maintains detailed records! –  Calling IMSI and IMEI! –  Called IMSI and IMEI! –  Location: first and last cell! –  Charging details!
  • 13. Iphone Forensic with Jailbroken
  • 14. Zdziarski Technique •  Step by Step! SSH Connection •  Jailbreak! •  Forensic Acquisition! •  SSH! •  Create image by using dd command! •  Transfer image using netcat! DD image via Netcat •  Use scalpel to carving data!
  • 15. Zdziarski Technique •  Example Command! andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2 root@192.168.0.2′s password: -sh-3.2# cd / -sh-3.2# umount -f /private/var -sh-3.2# mount -o ro /private/var -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000 andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./ rdisk0s2 bs=4096
  • 19. iPhone Explorer Delete this file for bypass passcode
  • 21. What can be recovered ?
  • 24. SMS
  • 30. Iphone Forensic with iTune Backup files
  • 31. SYNC and Backup •  After activation, when the iPhone is connected to the computer a sync will be conducted! •  The user can define what is to be Synced to include:! •  Music! •  Photos! •  Ringtones! •  Contacts & Calendars! •  Podcasts! •  Video! •  Third party applications! •  Third party applications can initiate the use of the iPhone as a file storage device!
  • 32. SYNC and Backup •  Backup data location! •  Windows XP! •  C:Documents and Settings(username)Application DataApple Computer MobileSyncBackup! •  Windows 7! •  C:Users(username)AppDataRoamingApple ComputerMobileSyncBackup! •  Mac OS X! •  /Users/(username)/Library/Application Support/MobileSync/Backup/!
  • 33. SYNC and Backup •  Backup folder files! •  Many .mdbackup files! •  The name of the file is the SHA1 hash when backed up from the iPhone and the data is seralized off the iPhone and stored as the backup file! •  Status.plist! •  Status of last sync! •  Manifest.plist! •  List of all files backed up, modification time and hash signature! •  Info.plist! •  Information about the iPhone (Name, ICCID, IMEI, Number, Firmware version)!
  • 34. .mdbackup files •  Safari History & Bookmarks! •  Photos (phone & synced iPhoto)! •  Sent & Received SMS! •  Calendar Events! •  Notes! •  Address Book Entries! •  Call History! •  Cookies! •  Google Map History! •  Email Account Settings! •  YouTube Last Search, Last Viewed & Bookmarks data!
  • 35. Forensic Analysis Tool for Backup files •  iPhone Backup Extractor! •  iPhone Backup Analyzer! •  MobileSyncBrowser! •  MDBackupExtract! •  WOLF - Sixth Legion! •  Device Seizure - Paraben!
  • 39. Elcomsoft Phone Password Breaker •  Brute-Force backup password with GPU!
  • 48. http://www. TISA.or.th Copayright © 2012 TISA and its respective author (Thailand Information Security Association) Please contact : varapong@acisonline.net