Why Can’t all Data be the Same?
Python in the Mobile-Forensics World
Kim Thomson
H-11 Digital Forensics
kim@h11dfs.com
who am I?
• Retired SIGINT Soldier
• Nerd
• I love all things wireless
• My passion is extraction/recovery and decoding of phone/device data
• I teach courses in mobile forensics, chipoff for mobile forensics, JTAG-ISP for mobile forensics, Python for mobile forensics, smartphone analysis, and wireless tracking, mapping, and analysis
• I settled into mobile forensics because of the variety of areas within the field
• kim@h11dfs.com
mobile forensics =
The discovery, recovery, examination, analysis, and reporting of data from mobile devices, generally to aid in some sort of investigation.
Mobile forensics involves:
• Extracting
• Parsing
• Organizing
• Correlating
• Reporting
what’s the point?
One of the persistent challenges of mobile forensics or mobile data recovery is getting the data into a reportable format.

As no two phones are the same, decoding the data into something usable can be a problem. Nearly every phone will have some sort of unique data on it.

Simply obtaining the data usually isn’t good enough. It has to be made presentable.
mobile fragmentation
mobile forensics challenges
• Finding the data
• Phone, mobile network, SIM, SD card, cloud?
• Extracting the data
• Security locks (PINs, passwords, patterns, etc.), port difficulties, USB
debugging?
• Decoding the data
• Character encodings, file formats, database types, unknown/new apps?
• Analyzing the data
• What does it mean?
mobile forensics challenges - 2
• Many paths into digital forensics
• Most are not technical
• Python is scary
finding the data
• Cloud
  • Many types of data simply aren’t found on the phone
  • Depending on the case, may or may not be trivial to obtain
• SIM
  • Not used for much data these days apart from the last Location Area Code (LAC) and account info
  • Can contain old, deleted data from previous phones
• SD Card
  • Apart from the phone itself, probably the most important piece
  • Full of media and app data, backups, etc.
  • May contain data from previously-used phones
finding the data
• Service Provider’s Network
  • Tower dumps, subscriber data, call-detail/data records (CDR), SMS, MMS, data usage, web sites accessed, etc.
  • CDRs continue to be a prime source of location and activity information; must be obtained with proper legal authority
• Synced devices
  • Chrome, iCloud, Firefox, OneDrive, Dropbox, e-mail accounts, etc.
  • Can contain web histories, connected WiFi networks, calls, contacts, e-mail, synced files, etc.
finding the data
• Phone
  • Calls, contacts, messaging, e-mails, media, location data, account info
  • Databases, logs, event histories, connection timelines
  • Connected cells, WiFi nets, application usage history, network usage statistics, synced Bluetooth devices…
  • Basically the user’s entire life may be found on the phone
The importance of the phone data cannot be overestimated. In 2018, I can personally guarantee that we will never see ALL the info on a device. There’s simply too much of it.
phone extraction types
[Diagram: the three extraction types, Logical, File System and Physical, drawn against the storage layers Operating System, Files, Unallocated Area and Available Area for Digital Storage. Callouts: “Some data is not always recoverable”; “An extraction copy in mobile forensics is not necessarily a bit-stream clone/image as in computer forensics”; “What you see on the mobile device screen is what you get – sometimes?”]
logical extraction
• Were originally based on AT commands, talking to the internal modem
• Simple, what you see is what you get
• Relatively Fast (unless they have loads of media on the phone)
• Will recover no truly deleted data
• May recover “deleted” database entries (calls, chats, contacts, etc.)
• Excellent choice for a “quick look”
• Can be stymied by different versions of an OS or blocked/disabled USB ports
• For Android and others, usually requires the installation of an extraction client (APK)
• Usually not possible on a locked phone (passcode/pattern/PIN)
file-system extraction
• Usually “good enough” depending on the phone (Android)
• Depending on the phone, may or may not be possible
  • Jailbroken iPhone, rooted Android
  • Other OS… maybe, maybe not
• Analogous to copy-paste of all files in the file system; no truly deleted items
• Can be blocked by security protocols in Android and iOS
• There are “lesser” file-system extractions
  • Android Debug Bridge (ADB) Backup
  • iTunes Backup
  • Partial file system based on MTP vulnerabilities in Android
physical extraction
• This has always been the real goal: get ALL the data on the phone… all the 1s and 0s
• Analogous to a physical image (dd) of a hard drive
• Requires root permissions in Android; most of the time just a temporary root
• Impossible (improbable?) on iOS devices after the iPhone 4
• Gives the examiner the possibility of recovering truly deleted data
  • Media
  • Deleted files, not just DB entries
• Getting a full physical extraction of a device has sometimes been rather difficult
automated-tool vendors
• Cellebrite
  • UFED
  • Physical Analyzer
• MicroSystemation
  • XRY
• Oxygen
• Magnet Forensics
  • Axiom Process
  • Axiom Examine
benefits of automated tools
• Widely used
• Well-funded and researched
• Faster
• Easier
• Require less technical expertise
• In most cases, you only need to follow the instructions
benefits of automated tools
• Besides providing the extraction of data from the mobile device,
these tools also do the decoding, or parsing of the data
automagically
• Analytical tools are also included
• Reporting tools are also included
• Customer support
• Clicky buttons
problems with automated tools
• When they don’t work, they don’t work
• If a device isn’t supported, you may not be able to find support for it at all
  • It may be possible, but sometimes it’s difficult to figure out which other method may work
• They are, depending on your background and point of view, insanely expensive
• Automated tools produce… and there is no nice way to put this… the script kiddies of the mobile-forensics world
  • They don’t necessarily produce a “technically-advanced user”
• They don’t (and can’t) decode ALL the data on a phone
biggest problem with automated tools
“If we don’t find it, it’s not there…”
moving beyond automated tools
• Carving for deleted records in whatever format they happen to be in
• Parsing previously-unknown or unsupported apps for data (usually SQLite)
  • How many apps exist for iOS and Android???
• Log parsing
• Parsing binary files in burner phones (usually proprietary formats)
• Writing scripts to find data in the binary dump of a phone whose file system can’t be reconstructed
• Correlating phone data with external sources (cell towers, WiFi networks, other geolocation data)
questions to ask
• Do I have all the data/evidence I need?
• What else do I need?
• In what format might it be stored?
• How can I convert it?
• Where can I put it?
  • In the automated tool’s project tree
  • CSV file?
  • Database?
  • External report?
• IS IT WORTH THE TIME???
phone data problems
• Timestamp formats
  • GPS epoch in BREW phones (feature phones)
  • Unix, seconds, milliseconds, microseconds, decimal, hex LE and BE…
  • NSDates
  • Mediatek
  • Straight hexadecimal
• Flash memory storage characteristics
• ENCRYPTION!!
  • File system
  • Individual app files
• Different file types
  • SQLite databases
  • XML/JSON
  • Proprietary DBs
  • Straight hex/binary files
  • Plists/proprietary logs
• Different encodings
  • 7-bit GSM alphabet data encoding (cheap phones)
  • ASCII vs. UTF-16 vs. UTF-8 vs. LE vs. BE
  • Base64, Base32
  • Reversed nibbles
  • Straight hex integer
phone data problems
There’s nothing quite like an IP address represented in hex, changed to little-endian, converted to a signed decimal integer and stored as ASCII in a SQLite DB along with other connection attributes under a nondescript entry name to make you lose faith in humanity.
Seriously…?
0xCA21F10A → -903745270 → 0A F1 21 CA → 10.241.33.202
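The representations on the two slides above, decoded in Python. This is an added example, not code from the talk: the IP chain is the slide’s own value; every other input (the timestamps, the swapped-BCD phone number, the packed 7-bit text) is constructed for the demonstration, and the GSM 7-bit table covers only the basic alphabet, not the extension table.

```python
"""Decoders for the raw representations listed on the slides above.
Added example; the only value taken from the talk is the IP-address chain."""
import struct
from datetime import datetime, timedelta, timezone

# Epoch origins used by different phone platforms (all UTC).
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "cocoa": datetime(2001, 1, 1, tzinfo=timezone.utc),  # NSDate / iOS databases
    "gps": datetime(1980, 1, 6, tzinfo=timezone.utc),    # BREW feature phones
}
UNIT_DIVISOR = {"s": 1, "ms": 1_000, "us": 1_000_000}

# GSM 03.38 default alphabet, index = 7-bit code. Extension table (after ESC 0x1B) not included.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128


def ip_from_signed_le(value) -> str:
    """Dotted quad from the signed 32-bit decimal that some Android connection tables
    store as ASCII. Slide example: "-903745270" -> 0xCA21F10A -> 0A F1 21 CA -> 10.241.33.202"""
    raw = struct.pack("<i", int(value))          # little-endian signed 32-bit
    return ".".join(str(b) for b in raw)


def int_from_hex(hexstr: str, little_endian: bool) -> int:
    """'0A F1 21 CA' is 0xCA21F10A read little-endian, 0x0AF121CA read big-endian."""
    return int.from_bytes(bytes.fromhex(hexstr), "little" if little_endian else "big")


def guess_unit(n: int) -> str:
    """Choose s/ms/us from magnitude; 2018-era Unix seconds are ~1.5e9, ms ~1.5e12, us ~1.5e15."""
    if n > 10**14:
        return "us"
    if n > 10**11:
        return "ms"
    return "s"


def decode_timestamp(raw, epoch="unix", unit=None) -> datetime:
    """Raw count (int, decimal string or 0x-hex string) -> aware UTC datetime.
    GPS time is converted without leap-second correction: a deliberate simplification,
    real GPS time runs ahead of UTC by the leap seconds inserted since 1980."""
    if isinstance(raw, str):
        raw = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    unit = unit or guess_unit(raw)
    micros = raw * 1_000_000 // UNIT_DIVISOR[unit]   # integer maths, no float rounding
    return EPOCHS[epoch] + timedelta(microseconds=micros)


def reversed_nibbles(data: bytes) -> str:
    """Swapped-BCD digit strings (SIM and SMS-PDU phone numbers): low nibble first,
    0xF pads an odd-length number. 21 43 65 87 09 F1 -> '12345678901'."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:                      # filler nibble ends the number
                return "".join(digits)
            digits.append(f"{nib:x}")            # a..e are *, # and the GSM control digits
    return "".join(digits)


def gsm7_unpack(data: bytes, septets=None) -> str:
    """Unpack 7-bit GSM default-alphabet text (SMS PDUs, cheap phones). Septets are
    packed LSB-first, so read the buffer as one little-endian integer and slice 7 bits
    at a time. E8 32 9B FD 46 97 D9 EC 37 -> 'hellohello'."""
    if septets is None:
        septets = len(data) * 8 // 7
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))


if __name__ == "__main__":
    # Values other than the IP example are constructed for the demo.
    print(ip_from_signed_le("-903745270"))                        # 10.241.33.202
    print(hex(int_from_hex("0A F1 21 CA", little_endian=True)))   # 0xca21f10a
    print(decode_timestamp(1527811200))                           # Unix seconds
    print(decode_timestamp("549504000", epoch="cocoa"))           # same instant as NSDate
    print(decode_timestamp(1211846400, epoch="gps", unit="s"))    # same instant, GPS epoch
    print(reversed_nibbles(bytes.fromhex("2143658709F1")))
    print(gsm7_unpack(bytes.fromhex("E8329BFD4697D9EC37")))
```

The unit guess works on magnitude alone, so it is only safe for Unix-style counts of recent dates; a column holding milliseconds since the Cocoa or GPS epoch needs the unit passed explicitly, and the safest habit is to pin both epoch and unit once you have confirmed them against a known event on the phone.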
user data
• Calls
• Contacts
• Messaging
• Location data
• E-mails
• Paired devices
• WiFi networks
• Cookies, web history, videos, music, recordings, images, cell towers, account data, visited web pages, bookmarks, notes, notifications, open apps, usage history, powering events, network statistics, a compromising picture you took then deleted, etc….
how do we see the data?
• AccessData FTK Imager (free)
• http://marketing.accessdata.com/ftkimager4.2.0
• 7-zip (for some dd images and phone dumps)
• Autopsy and Sleuthkit (FOSS)
• Medusa Pro or Octoplus Pro Software (about 160 bucks)
• Cellebrite Physical Analyzer (paid)
• Oxygen Detective (paid)
• Magnet Axiom (paid)
Looking at the data – Cellebrite
Physical Analyzer
Looking at the data – Autopsy
Looking at the data – FTK Imager
Looking at the data – Octoplus/Medusa
What about Python?
• Case management, logs, moving files, blah, blah, blah
• Extracting data from SQLite databases for unsupported applications
• Parsing all the files of importance in “burner” phones
  • They tend to not be well supported since they are VERY proprietary
  • Phonebook, calls, SMS, device information, etc.
• Carving through unallocated space to find deleted remnants of things
  • JSON, XML, logs, DB fragments...
• Carving through the binary dump of a phone that doesn’t parse at all (KMN)
• Standalone utilities for manual data decoding/searches/conversions/etc.
SQLite
• Easy
• The majority of apps in Android and iOS use SQLite
• Cellebrite and Magnet (Axiom) both wrap sqlite3 so that a script can only read, not write or run arbitrary “queries”. Every row of a table is read as a dictionary whose keys are the column names.
• Whether I write something for Cellebrite or external to Cellebrite depends on two things:
  • Does Cellebrite have a category for the type of data?
  • Who and what am I writing it for?
SQLite in Cellebrite
DB: macvendors.db
Table: macvendors
Columns: ‘mac’ and ‘vendor’
• Cellebrite’s SQLiteParser wants to read every line by default.
• For most types of apps we want every line:
  • Calls
  • Contacts
  • Chats
  • Messages
  • Cell Towers
SQLite Strengths
• Standardized, used everywhere
• Analysis is relatively simple
• Tools abound to read and recover data from SQLite DBs
• Once you’ve written one parser for a messaging app, you can write another with small modifications
• SQLite in Python is easy
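An added example, not the Cellebrite or Magnet wrapper itself, of the same pattern in plain Python: open the evidence database so that it cannot be written to, and hand every row of a table to the parser as a dictionary keyed by column name. The macvendors.db layout (table macvendors, columns mac and vendor) is taken from the slide; the database built here is a constructed stand-in with made-up OUIs, and the hash check before and after is how you show in the report that reading did not touch the file.

```python
"""Read an evidence SQLite database without being able to alter it, handing
each row to the parser as a dict keyed by column name (the shape the vendor
wrappers use). Added example, not Cellebrite's or Magnet's own API."""
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def open_read_only(path) -> sqlite3.Connection:
    """mode=ro refuses writes; immutable=1 also disables locking and journal
    handling, so SQLite never creates -journal/-wal/-shm files beside the evidence.
    Caveat: with immutable=1 an existing -wal file is not applied, so records that
    exist only in the WAL stay invisible. If you need them, work on a copy that
    includes its -wal/-shm files and open it with mode=ro alone."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row               # rows addressable by column name
    return conn


def list_tables(conn) -> list:
    return [r["name"] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def _ensure_table(conn, table: str) -> None:
    # Identifiers cannot be bound as parameters, so whitelist the name against the
    # schema before interpolating it; an app profile or config file cannot then
    # splice SQL into the query.
    if table not in list_tables(conn):
        raise ValueError(f"no such table: {table}")


def table_columns(conn, table: str) -> list:
    _ensure_table(conn, table)
    return [r["name"] for r in conn.execute(f'PRAGMA table_info("{table}")')]


def iter_rows(conn, table: str):
    """Yield every row of `table` as a plain dict keyed by column name."""
    _ensure_table(conn, table)
    for row in conn.execute(f'SELECT * FROM "{table}"'):
        yield dict(row)


def lookup_vendor(conn, mac: str):
    """OUI (first three octets) lookup in the macvendors table from the slide."""
    oui = mac.upper().replace("-", ":")[:8]
    row = conn.execute("SELECT vendor FROM macvendors WHERE mac = ?", (oui,)).fetchone()
    return row["vendor"] if row else None


def build_sample_db(path) -> None:
    """Constructed stand-in for macvendors.db; the OUIs are not real assignments."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE macvendors (mac TEXT PRIMARY KEY, vendor TEXT)")
    conn.executemany("INSERT INTO macvendors VALUES (?, ?)",
                     [("00:11:22", "Example Vendor A"), ("AA:BB:CC", "Example Vendor B")])
    conn.commit()
    conn.close()


def demo() -> dict:
    """Build the sample DB, read it read-only, then prove a write is refused and
    the file hash is unchanged afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "macvendors.db")
        build_sample_db(db)
        before = sha256_file(db)
        conn = open_read_only(db)
        result = {
            "columns": table_columns(conn, "macvendors"),
            "vendors": {r["mac"]: r["vendor"] for r in iter_rows(conn, "macvendors")},
            "lookup": lookup_vendor(conn, "aa-bb-cc-01-02-03"),
        }
        try:
            conn.execute("DELETE FROM macvendors")
            result["write_blocked"] = False
        except sqlite3.OperationalError:        # "attempt to write a readonly database"
            result["write_blocked"] = True
        conn.close()
        result["unchanged"] = sha256_file(db) == before
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whatever iter_rows() yields is the same dict-per-row shape the vendor wrappers give a script, so a parser written against this can be dropped into the tool with only the I/O layer swapped; the read-only URI and the hash check are the parts the wrappers do for you and you must do yourself when working outside them.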
BREW phone (every crappy flip phone)
• Proprietary file systems, app structures, databases, etc.
• Not well supported by most mobile-forensic tools
• Every model is different
• Very common to get a full physical extraction but have no parsed data
• You have to either do everything manually or write some stuff to parse it into a presentable format
Carving
• It’s really just a regex/grep
• Certain data types have certain headers/signatures/footers on the data
  • \xFF\xD8\xFF\xE0 is the signature of one type of JPEG (JFIF)
• Can be done over a whole binary image or just the unallocated areas (possibly deleted items)
• Depending on what you’re looking for, you may use re.search(), re.findall(), or re.finditer()
• Data can then be exported to whatever file format you want or added to a mobile-forensic tool’s data tree
Carving
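The carving approach from the slides above as an added Python example (not the talk’s own script): a signature table, re.finditer() over the dump, a footer search that bounds each hit, and a flag for hits whose footer never turns up. Besides the JPEG signatures (FF D8 FF E0 for JFIF, FF D8 FF E1 for Exif) it also carves the SQLite file header, which the slide does not mention, because that is the usual way to spot database fragments in unallocated space. The dump it scans is constructed inline.

```python
"""Signature carving over a raw dump with re.finditer. Added example, not the
script shown in the talk. Sample data is constructed inline."""
import hashlib
import os
import re
from dataclasses import dataclass


def sqlite_page_size(window: bytes) -> int:
    """First page of a SQLite file: page size is a big-endian u16 at offset 16; 1 means 65536."""
    ps = int.from_bytes(window[16:18], "big")
    return 65536 if ps == 1 else ps


# kind: (header regex, footer bytes or None, max bytes to scan, size-from-header fn or None)
SIGNATURES = {
    # FF D8 FF E0 = JFIF, FF D8 FF E1 = Exif; both end with the EOI marker FF D9.
    "jpeg": (re.compile(rb"\xff\xd8\xff[\xe0\xe1]"), b"\xff\xd9", 16 * 1024 * 1024, None),
    # Header-only type: carve the first page, sized from its own header, for a DB parser.
    "sqlite": (re.compile(rb"SQLite format 3\x00"), None, 65536, sqlite_page_size),
}


@dataclass
class Hit:
    kind: str
    offset: int          # byte offset in the dump (or in the unallocated region passed in)
    data: bytes
    complete: bool       # False when the footer/size could not be satisfied (truncated)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def carve(blob, kinds=SIGNATURES) -> list:
    """Scan `blob` (bytes or an mmap of the dump) for every signature and return hits
    in offset order. Caveat: an Exif JPEG embeds a thumbnail with its own FF D8..FF D9,
    so the first footer may end the thumbnail rather than the picture; walking the
    segment lengths would be the next refinement."""
    hits = []
    for kind, (header, footer, max_len, size_of) in kinds.items():
        for m in header.finditer(blob):
            start = m.start()
            window = bytes(blob[start:start + max_len])
            if footer is not None:
                end = window.find(footer, m.end() - start)      # search past the header
                if end == -1:
                    hits.append(Hit(kind, start, window, False))
                else:
                    hits.append(Hit(kind, start, window[:end + len(footer)], True))
                continue
            want = size_of(window) if size_of else max_len
            hits.append(Hit(kind, start, window[:want], len(window) >= want))
    hits.sort(key=lambda h: h.offset)
    return hits


def write_hits(hits, outdir) -> list:
    """Write each hit as <kind>_<offset>.bin, offset in hex so it can be cited in a report."""
    paths = []
    for h in hits:
        suffix = "" if h.complete else "_partial"
        p = os.path.join(outdir, f"{h.kind}_{h.offset:08x}{suffix}.bin")
        with open(p, "wb") as f:
            f.write(h.data)
        paths.append(p)
    return paths


def build_sample_image() -> bytes:
    """Constructed dump: deterministic filler (never FF D8 or FF D9) around a complete
    JFIF, the first 98 bytes of a SQLite file, and a truncated Exif JPEG."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(600))
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 20 + b"\xff\xd9"
    sqlite_hdr = b"SQLite format 3\x00" + b"\x10\x00" + b"\x00" * 80    # page size 4096
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"\x00\x08Exif\x00\x00" + b"B" * 30  # no EOI marker
    return (filler[:100] + jpeg_ok + filler[100:300] + sqlite_hdr
            + filler[300:500] + jpeg_cut + filler[500:])


if __name__ == "__main__":
    for h in carve(build_sample_image()):
        state = "complete" if h.complete else "TRUNCATED"
        print(f"{h.kind:6} @ 0x{h.offset:08x} {len(h.data):5} bytes {state} {h.sha256[:16]}")
```

For a real dump, pass an mmap.mmap of the image (or of the unallocated extent exported from the forensic tool) instead of reading gigabytes into memory; re accepts any bytes-like object, and the offsets the hits carry are then offsets into that extent, which is what goes in the report alongside the hash of each carved object.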
Standalone Utilities
Mostly using Qt, because everything else is horrible
Standalone Utilities
Wireless analysis
modules/libraries I use
• os, sys, json, struct, binascii, base64, hashlib, argparse, time, datetime, re, etc…
• geopy – geolocation/geocoding, mapping, openstreetmaps, etc.
• simplekml – create KML files
• pygle – work with wigle.net
• requests, urllib2, tweepy – for grabbing thingies off the interwebz
• subprocess – running other programs, opening Google Earth instances, etc.
• sqlite3, csv
• pandas, matplotlib – chewing on data and plotting
online APIs I use
• wigle – wireless mapping, wardriving
• macvendors – OUI vs. vendor/manufacturer
• Google Geolocation and Geocoding
• OpenStreetMaps, Nominatim from geopy
• opencellid.org (db download available)
• Mozilla Location Services (db download available)
Summary
• There’s lots of data on phones in our futuristic world
• No product will be able to decode/parse all of it
• Python is cool and several mobile-forensics tools include a way to extend functionality with Python
• We can use Python to decode/parse custom data types and unsupported apps
• @ArdJect on Twitter
• kim@h11dfs.com for official things

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Why cant all_data_be_the_same

1. Why Can’t all Data be the Same?
Python in the Mobile-Forensics World
Kim Thomson
H-11 Digital Forensics
kim@h11dfs.com

2. who am I?
• Retired SIGINT Soldier
• Nerd
• I love all things wireless
• My passion is extraction/recovery and decoding of phone/device data
• I teach courses in mobile forensics, chipoff for mobile forensics, JTAG-ISP for mobile forensics, Python for mobile forensics, smartphone analysis, and wireless tracking, mapping, and analysis
• I settled into mobile forensics because of the variety of areas within the field
• kim@h11dfs.com

3. mobile forensics =
The discovery, recovery, examination, analysis, and reporting of data from mobile devices, generally to aid in some sort of investigation.
Mobile forensics involves:
• Extracting
• Parsing
• Organizing
• Correlating
• Reporting

4. what’s the point?
One of the persistent challenges of mobile forensics or mobile data recovery is getting the data in a reportable format.
As no two phones are the same, decoding the data into something usable can be a problem. Nearly every phone will have some sort of unique data on it.
Simply obtaining the data usually isn’t good enough. It has to be made presentable.

6. mobile forensics challenges
• Finding the data
• Phone, mobile network, SIM, SD card, cloud?
• Extracting the data
• Security locks (PINs, passwords, patterns, etc.), port difficulties, USB debugging?
• Decoding the data
• Character encodings, file formats, database types, unknown/new apps?
• Analyzing the data
• What does it mean?

7. mobile forensics challenges - 2
• Many paths into digital forensics
• Most are not technical
• Python is scary

8. finding the data
• Cloud
• Many types of data simply aren’t found on the phone
• Depending on the case, may or may not be trivial to obtain
• SIM
• Not used for much data these days apart from last Location Area Code (LAC) and account info
• Can contain old, deleted data from previous phones
• SD Card
• Apart from the phone itself, probably the most important piece
• Full of media and app data, backups, etc.
• May contain data from previously-used phones

9. finding the data
• Service Provider’s Network
• Tower dumps, subscriber data, call-detail/data records (CDR), SMS, MMS, data usage, web sites accessed, etc.
• CDRs continue to be a prime source of location and activity information; must be obtained with proper legal authority
• Synced devices
• Chrome, iCloud, Firefox, OneDrive, Dropbox, e-mail accounts, etc.
• Can contain web histories, connected WiFi networks, calls, contacts, e-mail, synced files, etc.

10. finding the data
• Phone
• Calls, contacts, messaging, e-mails, media, location data, account info
• Databases, logs, event histories, connection timelines
• Connected cells, WiFi nets, application usage history, network usage statistics, synced Bluetooth devices…
• Basically the user’s entire life may be found on the phone
The importance of the phone data cannot be overestimated. In 2018, I can personally guarantee that we will never see ALL the info on a device. There’s simply too much of it.
11. phone extraction types
[Diagram: the three extraction types (Logical, File System, Physical) drawn against what each reaches on the device: the area available for digital storage, the operating-system files, and the unallocated area. Captions on the slide: some data is not always recoverable; an extraction copy in mobile forensics is not necessarily a bit-stream clone/image as with computer forensics; what you see on the mobile device screen is what you get – sometimes?]
12. logical extraction
• Originally based on AT commands, talking to the internal modem
• Simple, what you see is what you get
• Relatively fast (unless they have loads of media on the phone)
• Will recover no truly deleted data
• May recover “deleted” database entries (calls, chats, contacts, etc.)
• Excellent choice for a “quick look”
• Can be stymied by different versions of an OS or blocked/disabled USB ports
• For Android and others, usually requires the installation of an extraction client (APK)
• Usually not possible on a locked phone (passcode/pattern/PIN)

13. file-system extraction
• Usually “good enough” depending on the phone (Android)
• Depending on the phone, may or may not be possible
• Jailbroken iPhone, rooted Android
• Other OS… maybe, maybe not
• Analogous to copy-pasting all files in the file system; no truly deleted items
• Can be blocked by security protocols in Android and iOS
• There are “lesser” file-system extractions
• Android Debug Bridge (ADB) Backup
• iTunes Backup
• Partial file system based on MTP vulnerabilities in Android

14. physical extraction
• This has always been the real goal: get ALL the data on the phone… all the 1s and 0s
• Analogous to a physical image (dd) of a hard drive
• Requires root permissions in Android; most of the time just a temp root
• After the iPhone 4, impossible (improbable?) on iOS devices
• Gives the examiner the possibility of recovering truly deleted data
• Media
• Deleted files, not just DB entries
• Getting a full physical extraction of a device has sometimes been rather difficult

15. automated-tool vendors
• Cellebrite
• UFED
• Physical Analyzer
• MicroSystemation
• XRY
• Oxygen
• Magnet Forensics
• Axiom Process
• Axiom Examine

16. benefits of automated tools
• Widely used
• Well-funded and researched
• Faster
• Easier
• Require less technical expertise
• In most cases, you only need to follow the instructions

17. benefits of automated tools
• Besides providing the extraction of data from the mobile device, these tools also do the decoding, or parsing, of the data automagically
• Analytical tools are also included
• Reporting tools are also included
• Customer support
• Clicky buttons

18. problems with automated tools
• When they don’t work, they don’t work
• If a device isn’t supported, then you may not be able to find support at all for it
• It may be possible, but sometimes it’s difficult to figure out which other method may work
• They are, depending on your background and point of view, insanely expensive
• Automated tools produce… and there is no nice way to put this… the script kiddies of the mobile-forensics world
• They don’t necessarily produce a “technically-advanced user”
• They don’t (and can’t) decode ALL the data on a phone

19. biggest problem with automated tools
“If we don’t find it, it’s not there…”

20. moving beyond automated tools
• Carving for deleted records in whatever format they happen to be in
• Parsing previously-unknown or unsupported apps for data (usually SQLite)
• How many apps exist for iOS and Android???
• Log parsing
• Parsing binary files in burner phones (usually proprietary formats)
• Writing scripts to find data in the binary dump of a phone whose file system can’t be reconstructed
• Correlating phone data with external sources (cell towers, WiFi networks, other geolocation data)

21. questions to ask
• Do I have all the data/evidence I need?
• What else do I need?
• In what format might it be stored?
• How can I convert it?
• Where can I put it?
• In the automated tool’s project tree
• CSV file?
• Database?
• External report?
• IS IT WORTH THE TIME???
22. phone data problems
• Timestamp formats
• GPS Epoch in BREW phones (feature phones)
• Unix, seconds, milliseconds, microseconds, decimal, hex LE and BE…
• NSDates
• Mediatek
• Straight hexadecimal
• Flash memory storage characteristics
• ENCRYPTION!!
• File system
• Individual app files
• Different file types
• SQLite databases
• XML/JSON
• Proprietary DBs
• Straight Hex/Binary files
• Plists/proprietary logs
• Different Encodings
• 7-bit GSM alphabet data encoding (cheap phones)
• ASCII vs. UTF-16 vs. UTF-8 vs. LE vs. BE
• Base64, Base32
• Reversed Nibbles
• Straight Hex Integer

23. phone data problems
There’s nothing quite like an IP address represented in hex, changed to Little-Endian, converted to a signed decimal integer and stored as ASCII in a SQLite DB along with other connection attributes with a nondescript entry name to make you lose faith in humanity. Seriously…?
0xCA21F10A → -903745270 → 0A F1 21 CA → 10:241:33:202
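The decoders below are an added example for this page, not code from the talk. They walk the slide’s own 0xCA21F10A / -903745270 chain back to the dotted address with struct, and cover the other representations slide 22 lists: Unix timestamps in seconds, milliseconds or microseconds, NSDate (seconds since 2001-01-01), the GPS epoch (1980-01-06), hex integers in either byte order, reversed-nibble (semi-octet) phone numbers, and the 7-bit GSM default alphabet. All sample inputs are constructed; the GSM table is the basic page only, without the 0x1B extension page.

```python
"""Decoders for the representations listed on the "phone data problems"
slides.  Added example; sample values are constructed for illustration."""
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # NSDate zero point
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)     # GPS week 0

# GSM 03.38 default 7-bit alphabet, basic table only (no 0x1B extension page)
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def ip_from_le_signed_text(text: str) -> str:
    """'-903745270' (signed decimal stored as ASCII) -> '10.241.33.202'.

    The stored value is the IPv4 address read as a little-endian int32, so
    packing it back with '<i' restores the bytes in address order."""
    raw = struct.pack("<i", int(text))
    return ".".join(str(b) for b in raw)


def int_from_hex(hexstr: str, little_endian: bool = False, signed: bool = False) -> int:
    """Hex string -> int with explicit byte order and signedness."""
    order = "little" if little_endian else "big"
    return int.from_bytes(bytes.fromhex(hexstr), order, signed=signed)


def unix_to_iso(value: float, unit: str = "s") -> str:
    """Unix timestamp in s / ms / us -> ISO 8601 UTC string."""
    divisor = {"s": 1, "ms": 1_000, "us": 1_000_000}[unit]
    return (UNIX_EPOCH + timedelta(seconds=value / divisor)).isoformat()


def cocoa_to_iso(seconds: float) -> str:
    """NSDate / Cocoa timestamp (seconds since 2001-01-01 UTC) -> ISO string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def gps_to_iso(seconds: float) -> str:
    """Seconds since the GPS epoch (1980-01-06) -> ISO string.

    Leap seconds are ignored: a counter that really is GPS time runs ahead
    of UTC by the accumulated leap seconds (18 s as of 2017), so subtract
    them when the source is true GPS time rather than a GPS-epoch counter."""
    return (GPS_EPOCH + timedelta(seconds=seconds)).isoformat()


def reversed_nibbles(data: bytes) -> str:
    """Semi-octet digits, low nibble first, 0xF as filler.
    bytes.fromhex('214365f7') -> '1234567'."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler nibble terminates the number
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def gsm7_unpack(packed: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed septets (LSB first) into text."""
    acc = nbits = 0
    out = []
    for byte in packed:
        acc |= byte << nbits            # append the next 8 bits above what is left
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7_ALPHABET[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


if __name__ == "__main__":
    print(ip_from_le_signed_text("-903745270"))                       # 10.241.33.202
    print(int_from_hex("0AF121CA", little_endian=True, signed=True))  # -903745270
    print(unix_to_iso(1514764800000, "ms"), cocoa_to_iso(536457600))
    print(reversed_nibbles(bytes.fromhex("214365f7")))
    print(gsm7_unpack(bytes.fromhex("E8329BFD4697D9EC37"), 10))       # hellohello
```

Each helper takes the byte order and signedness as explicit arguments rather than guessing, which is the point of the slide: the same four bytes are a different number, date or address depending on how the app chose to store them, and the examiner has to document which interpretation was applied.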
24. user data
• Calls
• Contacts
• Messaging
• Location data
• E-mails
• Paired devices
• WiFi networks
• Cookies, web history, videos, music, recordings, images, cell towers, account data, visited web pages, bookmarks, notes, notifications, open apps, usage history, powering events, network statistics, a compromising picture you took then deleted, etc….

25. how do we see the data?
• AccessData FTK Imager (free)
• http://marketing.accessdata.com/ftkimager4.2.0
• 7-zip (for some dd images and phone dumps)
• Autopsy and Sleuthkit (FOSS)
• Medusa Pro or Octoplus Pro Software (about 160 bucks)
• Cellebrite Physical Analyzer (paid)
• Oxygen Detective (paid)
• Magnet Axiom (paid)

26. Looking at the data – Cellebrite Physical Analyzer

27. Looking at the data – Autopsy

28. Looking at the data – FTK Imager

29. Looking at the data – Octoplus/Medusa

30. What about Python?
• Case management, logs, moving files, blah, blah, blah
• Extracting data from SQLite databases for unsupported applications
• Parsing all the files of importance in “burner” phones
• They tend to not be well supported since they are VERY proprietary
• Phonebook, calls, SMS, device information, etc.
• Carving through unallocated space to find deleted remnants of things
• JSON, XML, logs, DB fragments...
• Carving through the binary dump of a phone that doesn’t parse at all (KMN)
• Standalone utilities for manual data decoding/searches/conversions/etc.

31. SQLite
• Easy
• Majority of apps in Android and iOS use SQLite
• Cellebrite and Magnet (Axiom) both have their own wrapper on sqlite3 to only allow reads and no writes or “queries”. Every line of a table is read as a dictionary. Dictionary keys are the column names.
• Whether I write something for Cellebrite or external to Cellebrite depends on two things:
• Does Cellebrite have a category for the type of data?
• Who and what am I writing it for?

32. SQLite in Cellebrite
DB: macvendors.db
Table: macvendors
Columns: ‘mac’ and ‘vendor’
• Cellebrite’s SQLiteParser wants to read every line by default.
• For most types of apps we want every line.
• Calls
• Contacts
• Chats
• Messages
• Cell Towers

33. SQLite Strengths
• Standardized, used everywhere
• Analysis is relatively simple
• Tools abound to read and recover data from SQLite DBs
• Once you’ve written one parser for a messaging app, you can write another with small modifications
• SQLite in Python is easy
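Slides 31 to 33 describe the shape of an unsupported-app parser: read-only access, one dictionary per row keyed by column name, then convert and export. The script below is an added example of that shape in plain sqlite3, not the Cellebrite or Magnet wrapper; the chat.db file, its messages/contacts schema and the sample rows are all constructed for the demonstration. It opens the file with the `mode=ro` URI so nothing the script does can alter the evidence, resolves the peer id against the contacts table, normalises millisecond timestamps, and writes CSV.

```python
"""Parse a (constructed) unsupported chat app's SQLite database the way a
mobile-forensics script would.  Added example; schema and data are assumed."""
import csv
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed sample: ms-since-epoch timestamps and a peer id that joins to a
# contacts table, the usual layout of a messaging database.
SAMPLE_SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, jid TEXT, display TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, peer INTEGER, ts_ms INTEGER,
                       direction INTEGER, body TEXT);
INSERT INTO contacts VALUES (1, '15551234567@example', 'Alice');
INSERT INTO messages VALUES (1, 1, 1514764800000, 0, 'hi');
INSERT INTO messages VALUES (2, 1, 1514764860000, 1, 'hello back');
INSERT INTO messages VALUES (3, 2, 1514764920000, 1, 'unknown peer');
"""


def build_sample_db(path: str) -> None:
    """Create the constructed evidence file (in practice you already have it)."""
    con = sqlite3.connect(path)
    con.executescript(SAMPLE_SCHEMA)
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """mode=ro means the script can never modify the evidence file;
    sqlite3.Row makes each row behave like a dict keyed by column name."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    return con


def parse_messages(path: str) -> list[dict]:
    """One dict per message, contact resolved, timestamp as ISO 8601 UTC.
    A peer with no contacts row (deleted contact, group, system sender) is
    kept and flagged rather than dropped by an inner join."""
    con = open_readonly(path)
    out = []
    for r in con.execute(
        "SELECT m.id, m.ts_ms, m.direction, m.body, c.jid, c.display "
        "FROM messages m LEFT JOIN contacts c ON c.id = m.peer "
        "ORDER BY m.ts_ms"
    ):
        ts = datetime.fromtimestamp(r["ts_ms"] / 1000, tz=timezone.utc)
        out.append({
            "id": r["id"],
            "timestamp": ts.isoformat(),
            "direction": "outgoing" if r["direction"] else "incoming",
            "party": r["display"] or r["jid"] or "<unresolved peer>",
            "body": r["body"],
        })
    con.close()
    return out


def write_csv(records: list[dict], path: str) -> int:
    """Export for a report or for import into a tool's project tree."""
    with open(path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(records[0]))
        writer.writeheader()
        writer.writerows(records)
    return len(records)


def demo() -> list[dict]:
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "chat.db")
    build_sample_db(db)
    records = parse_messages(db)
    write_csv(records, os.path.join(tmp, "chat_messages.csv"))
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Swapping in a different app is the "small modifications" the slide mentions: the SELECT and the column-to-field mapping change, the read-only open, timestamp normalisation and CSV writer do not.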
34. BREW phone (every crappy flip phone)
• Proprietary file systems, app structures, databases, etc.
• Not well supported by most mobile-forensic tools
• Every model is different
• Very common to get a full physical extraction but have no parsed data
• You have to either do everything manually or write some stuff to parse it into a presentable format

35. Carving
• It’s really just a regex/grep
• Certain data types have certain headers/signatures/footers on the data
• xFF xD8 xFF xE0 is one type of JPEG
• Can be done over a whole binary image or just the unallocated areas (possibly deleted items)
• Depending on what you’re looking for, you may use re.search(), re.findall(), or re.finditer()
• Data can then be exported to whatever file format you want or added to a mobile-forensic tool’s data tree
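The slide's "it's really just a regex" point, as an added example rather than the talk's own code: re.finditer() over a raw dump, anchored on the FF D8 FF E0 header named on the slide (plus the FF D8 FF E1 Exif variant) and the FF D9 footer, with a size cap so an orphan header with no footer cannot swallow the rest of the image, and a second pass that pulls JSON fragments out of the same bytes and discards the ones that do not parse. The dump is constructed inline; the offsets and hashes it reports are what a report or a tool's data tree would carry.

```python
"""Signature carving with re.finditer over a constructed raw dump.
Added example; the dump contents are made up for the demonstration."""
import hashlib
import json
import re

# Header/footer pairs. FF D8 FF E0 is the JFIF flavour on the slide;
# FF D8 FF E1 is the Exif flavour most phone cameras write.
JPEG_RE = re.compile(rb"\xff\xd8\xff[\xe0\xe1].*?\xff\xd9", re.DOTALL)
# A flat JSON object: opening {", then anything but braces/NUL, then }.
JSON_RE = re.compile(rb"\{\"[^{}\x00]{1,4096}\}")


def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024) -> list[dict]:
    """Offset, size and SHA-256 of every header..footer span.  The size cap
    drops a header whose nearest footer is implausibly far away."""
    found = []
    for m in JPEG_RE.finditer(image):
        data = m.group(0)
        if len(data) > max_size:
            continue
        found.append({
            "offset": m.start(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def carve_json(image: bytes) -> list[dict]:
    """Flat JSON objects from unallocated space; fragments that look like
    JSON but fail to parse are the usual false positive, so they are skipped."""
    hits = []
    for m in JSON_RE.finditer(image):
        try:
            obj = json.loads(m.group(0).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        hits.append({"offset": m.start(), "object": obj})
    return hits


def build_sample_dump() -> bytes:
    """Constructed dump: two complete JPEG-like blobs, one JSON record, one
    broken JSON fragment and one orphan JPEG header without a footer."""
    jpeg_a = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"  # 53 bytes
    jpeg_b = b"\xff\xd8\xff\xe1" + b"\x02" * 20 + b"\xff\xd9"                  # 26 bytes
    json_ok = b'{"app":"chat","user":"alice"}'
    json_bad = b'{"broken":'
    orphan = b"\xff\xd8\xff\xe0" + b"\x03" * 10          # header, no footer
    return (b"\x00" * 64 + jpeg_a + b"\xaa" * 16 + json_ok + b"\x00" * 8
            + jpeg_b + json_bad + b"\x00" * 8 + orphan)


if __name__ == "__main__":
    dump = build_sample_dump()
    for hit in carve_jpegs(dump):
        print("JPEG @ {offset} ({size} bytes) {sha256}".format(**hit))
    for hit in carve_json(dump):
        print("JSON @ {offset}: {object}".format(**hit))
```

On a real image the same loop runs over the file contents read in binary mode (or a memory-mapped view for multi-gigabyte dumps); restricting it to the unallocated ranges is a matter of slicing the input, the regexes do not change.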
37. Standalone Utilities
Mostly using Qt, because everything else is horrible

39. modules/libraries I use
• os, sys, json, struct, binascii, base64, hashlib, argparse, time, datetime, re, etc…
• geopy – geolocation/geocoding, mapping, openstreetmaps, etc.
• simplekml – create KML files
• pygle – work with wigle.net
• requests, urllib2, tweepy – for grabbing thingies off the interwebz
• subprocess – running other programs, opening Google Earth instances, etc.
• sqlite3, csv
• pandas, matplotlib – chewing on data and plotting

40. online APIs I use
• wigle – wireless mapping, wardriving
• macvendors – OUI vs vendor/manufacturer
• Google Geolocation and Geocoding
• OpenStreetMaps, Nominatim from geopy
• opencellid.org (db download available)
• Mozilla Location Services (db download available)

41. Summary
• There’s lots of data on phones in our futuristic world
• No product will be able to decode/parse all of it
• Python is cool and several mobile-forensics tools include a way to extend functionality with Python
• We can use Python to decode/parse custom data types and unsupported apps
• @ArdJect on Twitter
• kim@h11dfs.com for official things