Talk by Kim Thomson at Python at the Point, July 19, 2018, about the mobile-forensics world, data extraction software and Python’s role in all of it.
1. Why Can’t all Data be the Same?
Python in the Mobile-Forensics World
Kim Thomson
H-11 Digital Forensics
kim@h11dfs.com
2. who am I?
• Retired SIGINT Soldier
• Nerd
• I love all things wireless
• My passion is extraction/recovery and decoding of phone/device data
• I teach courses in mobile forensics, chipoff for mobile forensics, JTAG-ISP for mobile forensics, Python for mobile forensics, smartphone analysis, and wireless tracking, mapping, and analysis
• I settled into mobile forensics because of the variety of areas within the field
• kim@h11dfs.com
3. mobile forensics =
The discovery, recovery, examination, analysis, and reporting of data from mobile devices, generally to aid in some sort of investigation.
Mobile forensics involves:
• Extracting
• Parsing
• Organizing
• Correlating
• Reporting
4. what’s the point?
One of the persistent challenges of mobile forensics or mobile data recovery is getting the data in a reportable format.
As no two phones are the same, decoding the data into something usable can be a problem. Nearly every phone will have some sort of unique data on it.
Simply obtaining the data usually isn’t good enough. It has to be made presentable.
6. mobile forensics challenges
• Finding the data
• Phone, mobile network, SIM, SD card, cloud?
• Extracting the data
• Security locks (PINs, passwords, patterns, etc.), port difficulties, USB debugging?
• Decoding the data
• Character encodings, file formats, database types, unknown/new apps?
• Analyzing the data
• What does it mean?
7. mobile forensics challenges - 2
• Many paths into digital forensics
• Most are not technical
• Python is scary
8. finding the data
• Cloud
• Many types of data simply aren’t found on the phone
• Depending on the case, may or may not be trivial to obtain
• SIM
• Not used for much data these days apart from last Location Area Code (LAC) and account info
• Can contain old, deleted data from previous phones
• SD Card
• Apart from the phone itself, probably the most important piece
• Full of media and app data, backups, etc.
• May contain data from previously-used phones
9. finding the data
• Service Provider’s Network
• Tower dumps, subscriber data, call-detail/data records (CDR), SMS, MMS, data usage, web sites accessed, etc.
• CDRs continue to be a prime source of location and activity information; must be obtained with proper legal authority
• Synced devices
• Chrome, iCloud, Firefox, OneDrive, Dropbox, e-mail accounts, etc.
• Can contain web histories, connected WiFi networks, calls, contacts, e-mail, synced files, etc.
10. finding the data
• Phone
• Calls, contacts, messaging, e-mails, media, location data, account info
• Databases, logs, event histories, connection timelines
• Connected cells, WiFi nets, application usage history, network usage statistics, synced Bluetooth devices…
• Basically the user’s entire life may be found on the phone
The importance of the phone data cannot be overestimated. In 2018, I can personally guarantee that we will never see ALL the info on a device. There’s simply too much of it.
11. phone extraction types
[Diagram: the three extraction types (Logical, File System, Physical) drawn against the areas of device storage each one reaches (Operating System, Files, Unallocated Area, Available Area for Digital Storage). Captions: “Some data is not always recoverable”; “An extraction copy using mobile forensics is not necessarily a bit-stream clone/image as with computer forensics”; “What you see on the mobile device screen is what you get – sometimes?”]
12. logical extraction
• Were originally based on AT commands, talking to the internal modem
• Simple, what you see is what you get
• Relatively Fast (unless they have loads of media on the phone)
• Will recover no truly deleted data
• May recover “deleted” database entries (calls, chats, contacts, etc.)
• Excellent choice for a “quick look”
• Can be stymied by different versions of an OS or blocked/disabled USB ports
• For Android and others, usually requires the installation of an extraction client (APK)
• Usually not possible on a locked phone (passcode/pattern/PIN)
13. file-system extraction
• Usually “good enough” depending on the phone (Android)
• Depending on the phone, may or may not be possible
• Jailbroken iPhone, rooted Android
• Other OS… maybe, maybe not
• Analogous to copy-paste all files in the file system; no truly deleted items
• Can be blocked by security protocols in Android and iOS
• There are “lesser” file-system extractions
• Android Debug Bridge (ADB) Backup
• iTunes Backup
• Partial file system based on MTP vulnerabilities in Android
14. physical extraction
• This has always been the real goal: get ALL the data on the phone… all the 1s and 0s
• Analogous to a physical image (dd) of a hard drive
• Requires root permissions in Android; most of the time just a temp root
• After the iPhone 4, it is impossible (improbable?) on iOS devices
• Gives the examiner the possibility of recovering truly deleted data
• Media
• Deleted Files, not just DB entries
• Getting a full physical extraction of a device has sometimes been rather difficult
16. benefits of automated tools
• Widely used
• Well-funded and researched
• Faster
• Easier
• Require less technical expertise
• In most cases, you only need to follow the instructions
17. benefits of automated tools
• Besides providing the extraction of data from the mobile device, these tools also do the decoding, or parsing of the data automagically
• Analytical tools are also included
• Reporting tools are also included
• Customer support
• Clicky buttons
18. problems with automated tools
• When they don’t work, they don’t work
• If a device isn’t supported, then you may not be able to find support at all for it
• It may be possible, but sometimes it’s difficult to figure out which other method may work
• They are, depending on your background and point of view, insanely expensive
• Automated tools produce… and there is no nice way to put this… the script kiddies of the mobile-forensics world
• They don’t exactly produce a “technically-advanced user” necessarily
• They don’t (and can’t) decode ALL the data on a phone
20. moving beyond automated tools
• Carving for deleted records in whatever format they happen to be in
• Parsing previously-unknown or unsupported apps for data (usually SQLite)
• How many apps exist for iOS and Android???
• Log Parsing
• Parsing binary files in burner phones (usually proprietary formats)
• Writing scripts to find data in the binary dump of a phone whose file system can’t be reconstructed
• Correlating phone data with external sources (cell towers, wifi networks, other geolocation data)
21. questions to ask
• Do I have all the data/evidence I need?
• What else do I need?
• In what format might it be stored?
• How can I convert it?
• Where can I put it?
• In the automated tool’s project tree
• CSV file?
• Database?
• External report?
• IS IT WORTH THE TIME???
22. phone data problems
• Timestamp formats
• GPS Epoch in BREW phones (feature phones)
• Unix, seconds, milliseconds, microseconds, decimal, hex LE and BE…
• NSDates
• Mediatek
• Straight hexadecimal
• Flash memory storage characteristics
• ENCRYPTION!!
• File system
• Individual app files
• Different file types
• SQLite databases
• XML/JSON
• Proprietary DBs
• Straight Hex/Binary files
• Plists/proprietary logs
• Different Encodings
• 7-bit GSM alphabet data encoding (cheap phones)
• ASCII vs. UTF-16 vs. UTF-8 vs. LE vs. BE
• Base64, Base32
• Reversed Nibbles
• Straight Hex Integer
23. phone data problems
There’s nothing quite like an IP address represented in hex, changed to Little-Endian, converted to a signed decimal integer and stored as ASCII in a SQLite DB along with other connection attributes with a non-descript entry name to make you lose faith in humanity.
Seriously…?
0xCA21F10A → -903745270 → 0A F1 21 CA → 10:241:33:202
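The decoding chain on slide 23 and the timestamp and encoding items on slide 22, as an added Python example that is not from the talk. The epochs are the standard reference dates for Unix, NSDate and GPS time; the sample values (the slide’s IP, a made-up phone number, the classic “hellohello” PDU) are constructed.

```python
# Added example (not from the talk): decoders for the "phone data problems" on
# slides 22 and 23. Sample values in the docstrings are constructed.
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCHS = {  # name -> (reference date, units per second)
    "unix_s": (datetime(1970, 1, 1, tzinfo=UTC), 1),
    "unix_ms": (datetime(1970, 1, 1, tzinfo=UTC), 1_000),
    "unix_us": (datetime(1970, 1, 1, tzinfo=UTC), 1_000_000),
    "nsdate": (datetime(2001, 1, 1, tzinfo=UTC), 1),  # Apple NSDate / CFAbsoluteTime
    "gps_s": (datetime(1980, 1, 6, tzinfo=UTC), 1),  # GPS epoch, as in BREW feature phones
}


def hex_to_signed32(hex_text, little_endian=False):
    """'0xCA21F10A' -> -903745270: a 32-bit two's-complement value written as hex."""
    raw = bytes.fromhex(hex_text.lower().replace("0x", ""))
    return int.from_bytes(raw, "little" if little_endian else "big", signed=True)


def ip_from_signed_ascii(text, little_endian=True):
    """Slide 23: IPv4 stored as a signed decimal integer in a TEXT column.
    Re-pack the integer as 4 bytes in the stated byte order, read as dotted quad."""
    raw = struct.pack("<i" if little_endian else ">i", int(text.strip()))
    return str(ipaddress.IPv4Address(raw))


def decode_timestamp(value, fmt):
    """Integer timestamp -> aware UTC datetime for one of the EPOCHS names.
    Caveat: GPS time has no leap seconds; the GPS-UTC offset (18 s since 2017)
    is not applied here."""
    epoch, per_second = EPOCHS[fmt]
    return epoch + timedelta(microseconds=value * 1_000_000 // per_second)


BCD_DIGITS = "0123456789*#abc"  # GSM 04.08 BCD nibble values; 0xF is filler


def decode_reversed_nibbles(raw):
    """Slide 22 'Reversed Nibbles': a phone number as swapped BCD semi-octets
    (SIM records, SMS PDU addresses). b'\\x51\\x55' -> '1555'."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):  # low nibble is the earlier digit
            if nibble != 0x0F:
                digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


GSM7_BASIC = (  # GSM 03.38 default alphabet, code points 0x00-0x7F
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿"
    "abcdefghijklmnopqrstuvwxyzäöñüà"
)


def unpack_gsm7(packed, septets=None):
    """Slide 22 '7-bit GSM alphabet': unpack septets packed LSB-first into octets.
    `septets` (the PDU's user-data length) trims a spurious trailing '@' when
    the last byte carries only padding bits. ESC-prefixed extension characters
    are not expanded."""
    bits, nbits, chars = 0, 0, []
    for byte in packed:
        bits |= byte << nbits
        nbits += 8
        while nbits >= 7:
            chars.append(GSM7_BASIC[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(chars if septets is None else chars[:septets])


if __name__ == "__main__":
    print(hex_to_signed32("0xCA21F10A"))  # -903745270
    print(ip_from_signed_ascii("-903745270"))  # 10.241.33.202
    print(decode_timestamp(1531958400, "unix_s"))  # 2018-07-19 00:00:00+00:00
    print(decode_reversed_nibbles(bytes.fromhex("5155214365F7")))  # 15551234567
    print(unpack_gsm7(bytes.fromhex("E8329BFD4697D9EC37")))  # hellohello
```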
24. user data
• Calls
• Contacts
• Messaging
• Location data
• E-mails
• Paired devices
• WiFi networks
• Cookies, web history, videos, music, recordings, images, cell towers, account data, visited web pages, bookmarks, notes, notifications, open apps, usage history, powering events, network statistics, a compromising picture you took then deleted, etc….
25. how do we see the data?
• AccessData FTK Imager (free)
• http://marketing.accessdata.com/ftkimager4.2.0
• 7-zip (for some dd images and phone dumps)
• Autopsy and Sleuthkit (FOSS)
• Medusa Pro or Octoplus Pro Software (about 160 bucks)
• Cellebrite Physical Analyzer (paid)
• Oxygen Detective (paid)
• Magnet Axiom (paid)
30. What about Python?
• Case management, logs, moving files, blah, blah, blah
• Extracting data from SQLite databases for unsupported applications
• Parsing all the files of importance in “burner” phones
• They tend to not be well supported since they are VERY proprietary
• Phonebook, calls, SMS, device information, etc.
• Carving through unallocated space to find deleted remnants of things
• JSON, XML, logs, DB fragments...
• Carving through the binary dump of a phone that doesn’t parse at all (KMN)
• Standalone utilities for manual data decoding/searches/conversions/etc.
31. SQLite
• Easy
• Majority of apps in Android and iOS use SQLite
• Cellebrite and Magnet (Axiom) both have their own wrapper on sqlite3 to only allow reads and no writes or “queries”. Every line of a table is read as a dictionary. Dictionary keys are the column names.
• Whether I write something for Cellebrite or external to Cellebrite depends on two things:
• Does Cellebrite have a category for the type of data?
• Who and what am I writing it for?
32. SQLite in Cellebrite
DB: macvendors.db
Table: macvendors
Columns: ‘mac’ and ‘vendor’
• Cellebrite’s SQLiteParser wants to read every line by default.
• For most types of apps we want every line.
• Calls
• Contacts
• Chats
• Messages
• Cell Towers
33. SQLite Strengths
• Standardized, used everywhere
• Analysis is relatively simple
• Tools abound to read and recover data from SQLite DBs
• Once you’ve written one parser for a messaging app, you can write another with small modifications
• SQLite in Python is easy
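What slides 31 to 33 describe (read-only access, every row as a dictionary keyed by column name), done with the standard library as an added example; this is not Cellebrite’s or Magnet’s wrapper. The database, table and column names are the ones on slide 32; the rows and OUI prefixes are constructed, and the hash comparison is the check that the evidence file was left untouched.

```python
# Added example (not Cellebrite's or Magnet's wrapper): the stdlib equivalent of what
# slides 31-32 describe, i.e. open an app database read-only, hand back every row as a
# dict keyed by column name, and prove the evidence file was left untouched.
# The table layout (macvendors.db, table macvendors, columns mac/vendor) is the one on
# slide 32; the rows and OUI prefixes are constructed, not real assignments.
import hashlib
import os
import pathlib
import sqlite3
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def open_readonly(path):
    """URI open with mode=ro: SQLite rejects every write on this connection.
    Caveat: a WAL-mode database needs its -wal/-shm sidecars copied alongside,
    or the immutable=1 URI parameter, because mode=ro cannot create them."""
    return sqlite3.connect(pathlib.Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def read_table_as_dicts(path, table):
    """Every row of `table` as {column_name: value}, like the wrappers on slide 31."""
    if not table.isidentifier():  # identifiers cannot be bound as ? parameters
        raise ValueError(f"refusing suspicious table name {table!r}")
    con = open_readonly(path)
    con.row_factory = sqlite3.Row
    try:
        return [dict(row) for row in con.execute(f'SELECT * FROM "{table}"')]
    finally:
        con.close()


def write_is_refused(path):
    """True when an INSERT through the read-only connection raises."""
    con = open_readonly(path)
    try:
        con.execute("INSERT INTO macvendors (mac, vendor) VALUES ('00:00:00', 'x')")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def build_sample_db(path):
    """Constructed macvendors.db standing in for one pulled from a phone."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE macvendors (mac TEXT, vendor TEXT)")
    con.executemany(
        "INSERT INTO macvendors VALUES (?, ?)",
        [("AA:BB:01", "Example Vendor A"), ("AA:BB:02", "Example Vendor B")],
    )
    con.commit()
    con.close()


def run_demo():
    """Build the sample, read it read-only, attempt a write, compare hashes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "macvendors.db")
        build_sample_db(path)
        before = sha256_file(path)
        rows = read_table_as_dicts(path, "macvendors")
        refused = write_is_refused(path)
        return {
            "rows": rows,
            "write_refused": refused,
            "hash_unchanged": sha256_file(path) == before,
        }


if __name__ == "__main__":
    print(run_demo())
```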
34. BREW phone (every crappy flip phone)
• Proprietary file systems, app structures, databases, etc.
• Not well supported by most mobile-forensic tools
• Every model is different
• Very common to get a full physical extraction but have no parsed data
• You have to either do everything manually or write some stuff to parse it into a presentable format
35. Carving
• It’s really just a regex/grep
• Certain data types have certain headers/signatures/footers on the data
• xFF xD8 xFF xE0 is one type of JPEG
• Can be done over a whole binary image or just the unallocated areas (possibly deleted items)
• Depending on what you’re looking for, you may use re.search(), re.findall(), or re.finditer()
• Data can then be exported to whatever file format you want or added to a mobile-forensic tool’s data tree
39. modules/libraries I use
• os, sys, json, struct, binascii, base64, hashlib, argparse, time, datetime, re, etc…
• geopy – geolocation/geocoding, mapping, openstreetmaps, etc.
• simplekml – create KML files
• pygle – work with wigle.net
• requests, urllib2, tweepy – for grabbing thingies off the interwebz
• subprocess – running other programs, opening Google Earth instances, etc.
• sqlite3, csv
• pandas, matplotlib – chewing on data and plotting
40. online APIs I use
• wigle – wireless mapping, wardriving
• macvendors – OUI vs vendor/manufacturer
• Google Geolocation and Geocoding
• OpenStreetMaps, Nominatim from geopy
• opencellid.org (db download available)
• Mozilla Location Services (db download available)
41. Summary
• There’s lots of data on phones in our futuristic world
• No product will be able to decode/parse all of it
• Python is cool and several mobile-forensics tools include a way to extend functionality with Python
• We can use Python to decode/parse custom data types and unsupported apps
• @ArdJect on Twitter
• kim@h11dfs.com for official things