STO STRATEGY, profile picture
Uploaded bySTO STRATEGY
PDF, PPTX554 views

Yury chemerkin _cyber_crime_forum_2012

This document summarizes the state of mobile forensics techniques. It discusses physical, logical, and manual acquisition methods as well as the types of data that can be extracted from mobile devices. It also covers challenges such as password protection, network connectivity during acquisition, and how both dead and live forensic techniques are used to gather evidence from mobile devices. Traditional forensic methods like log and file collection are described along with more modern techniques needed to investigate apps and address encryption. The conclusion emphasizes that mobile forensics is an evolving field where both dead and live approaches have value but new security features require continued innovation in methods.

Technology
Related topics:
Yury Chemerkin

Embed presentation

Download as PDF, PPTX
STATE-OF-ART OF MOBILE FORENSICS YURY CHEMERKIN SOUTH EAST EUROPEAN REGIONAL FORUM ON CYBERSECURITY AND CYBERCRIME 2012
FORENSICS ACQUISITION METHODS METHODOLOGY METHODS  PHYSICAL ACQUISITION TECHNIQUE IS A BIT-BYBIT COPY OF AN ENTIRE PHYSICAL STORE  LOGICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF LOGICAL STORAGE  MANUAL ACQUISITION TECHNIQUE IS UI UTILIZING TO GET PICTURES OF DATA FROM THE SCREEN. DATA TYPES  ALL AVAILABLE TYPES  ADDRESS BOOK/MESSAGES,  GEO/FILES/PASSWORD… ETC REALITY METHODS  COMMERCIALLY FORENSIC SOFTWARE TOOLS MANAGE WITH FULL COPY OF THE DEVICE DATA  BACKUP IS FULL COPY OF DEVICE BY NATIVE/VENDOR TOOLS OR APIs  SCREENSHOT EXTRACTION IS EASY IMPLEMENTED AND SOFTLY FOR THE RUN-DOWN BATTERY THAN PHOTO/VIDEO CAMERA DATA TYPES  UNKNOWN IS MISSED THROUGH IGNORANCE  SAVED MESSAGES/IMs  SOLID DB FILES REDUCE RAW ACQUISITION
NETWORK AND OTA ISOLATION TRADITION  GOAL:  PREVENTING DEVICE FROM ANY CHANGES INCL. MALWARE TRIGGERS  SOLUTION:  AIRPLANE MODE, FARADAY CAGE OR SIMILAR  SOME LIVE CASES PREVENT SYNC LAST CENTURY  COMPLEXITY FACTOR:  HANDY BLACKBERRY GUI (A COUPLE CLICKS)  OVERLADEN ANDROID GUI (VIA MENU  SETTINGS…)  ANDROID HOTKEYS DEPEND ON VENDOR
“PUSH” TECHNOLOGY DIFFERENCE BY IMPLEMENTATION (PROTOCOL): DIFFERENCE BY REALIZATION (USER EXPERIENCE):  BLACKBERRY SMARTPHONE – PROPR. PUSH + EXCHANGE  BLACKBERRY SMARTPHONE – TRUE PUSH IF ONLINE, QUICKLY RETRIEVE DATA IF WAS OFFLINE  BLACKBERRY TABLET – IMAP4, POP3 + EXCHANGE ACTIVESYNC  BLACKBERRY TABLET – INTERRUPTS BY STANDBY AND NETWORK, PASSWORD ASKING, LOST THE NON-INBOX/SENT FOLDER DATA IF WAS OFFLINE  ANDROID – GOOGLE SYNC, IDLE, IMAP4, POP3 + EXCHANGE ACTIVESYNC  ANDROID – INTERRUPTS BY STANDBY AND NETWORK, PASSWORD ASKING, LOST THE NONINBOX/SENT FOLDER DATA IF WAS OFFLINE
PASSWORD PROTECTION AN ACCESS BY DESIGN DESPITE THE SECURITY IMPROVEMENTS  BLACKBERRY  ASCII PRINTABLE CHARACTERS – NOT ACCESSIBLE  CUSTOM CASES – WALLETS, DEVICE PASSWORD (ELCOMSOFT)  ANDROID  PATTERN LOCK – NEED ROOT ACCESS  PIN – NEED ROOT ACCESS  ASCII PRINTABLE CHARACTERS – NEED ROOT ACCESS
PASSWORD EXTRACTION AND BYPASSING DEAD FORENSICS SOLUTION  ELCOMSOFT SOLUTION FOR BLACKBERRY  BACKUP DATA, WALLET  DEVICE PASSWORD  PATTERN & PASSWORD LOCK VIA ROOT FILE ACCESS (ANDROID)  GESTURE.KEY, PC.KEY  TOUCH THE SCREEN TO PREVENT PASSWORD LOCKING LIVE FORENSICS SOLUTIONS  PREVENTION THE SCREEN LOCKING THROUGH THE APIs (ANDROID)  SCALED BUTTON PREVIEW VIA SCREENSHOT (ALMOST ALL/SETTINGS)  ASTERISKS HIDING DEALY (ALMOST ALL/SETTINGS)  DESKTOP SYNCHRONIZATION (BLACKBERRY)  FAKE WINDOW TO MISLEAD (ALL)
PASSWORD EXTRACTION AND BYPASSING
CLASSIC FORENSICS DEALING WITH EXPIRATION  GOAL – GATHERING LOGS, DUMPS, BACKUP, OTHER DATA  SOLUTION – SDK TOOLS OR SIMILAR  DATA:  LOGS INCL. Wi-Fi, DUMPS, EXE MODULES, SCREENSHOTS, DEVICE INFO (BLACKBERRY)  SPECIAL LOGGING MECHANISM INCL. EVENTS, CREDENTIALS, FAILURES (ANDROID)  BACKUP:  GRANULATED DATA + WALLET (BB SMARTPHONE)  APP DATA, MEDIA, SETTING (BB TABLET)  THIRD-PARTY SOLUTIONS DESPITE OF NATIVE BACKUP APIs (ANDROID) DEVICE & NETWORK LOG EXAMPLES             DEVICE INFORMATION PHYSICAL ADDRESS: E8:XX:XX:XX:XX:XX DEVICE OS: BLACKBERRY PLAYBOOK OS DEVICE PIN: 500XXXXX | OS VERSION: 2.0.1.668 IP ADDRESS: 192.168.1.31 | SUBNET MASK: 255.255.255.0 DEFAULT GATEWAY: 192.168.1.1 PRIMARY DNS: 192.168.1.1 | PROXY IP/PORT: WI-FI INFORMATION STATUS:CONNECTED | SECURITY TYPE:WPA2 PERS PROFILE NAME: XXXX | SSID: XXXX SIGNAL LEVEL: -41 DBM | TYPE: 802.11G/N CONNECTION DATA RATE: 65 MBPS
CLASSIC FORENSICS ANY DELAY LEAVE US FAR BEHIND  EXIF DATA  CAMERA MAKE  RIM/BLACKBERRY/ANDROID /HTC  CAMERA MODEL  DEVICE MODEL  OTHER EXIF DATA  EXPOSURE,  DIAPHRAGM OPENING,  FLASH, EXIF VERSION  GEO DATA  MEDIA FILE NAMES  IMG20120103-XXXX  GEO TAG AS CITY LIKE “MOSKVA”  VOICE NOTES  VN-20120319-XXXX.AMR / M4A WHERE “20120319” IS DATE WITH YYYY-MM-DD FORMATTING  VID-YYYYMMDD-XXXXXX.3GP / MP4
LIVE FORENSICS DEVICE LIFE CYCLE IS MORE THAN ITS SOFTWARE  PRIVATE DATA - THROUGH THE API ONLY  BLACKBERRY CONTACT - EMAILS, CALL & RECENT HISTORY, LINKING WITH SOCIAL NETWORKS, ETC.  ANDROID CONTACT - SQL DB PER VCARD, FB, TWITTER… COVERS DEAD CASES IN REAL-TIME  STORED IN SHARED FOLDERS INSTEAD SANDBOX (BLACKBERRY)  MESSAGE DATA STORED IN SQL DB INCL. MMS MEDIA ON “/DATA/DATA” PATH  /COM.ANDROID.PROVIDERS.TELEPHONY  MEDIA DATA - THROUGH API, SD-CARD  /COM.FACEBOOK/FB.DB  VOICE NOTES, SCREENSHOTS, CAMERAS, SQL DB…  CLIPBOARD  EXIF, FILENAME OFTEN INCLUDES EXIF & GEO  PASSWORD HAPPENS  MESSAGES AND IM CHATS - API, SD-CARD  WALLET DOES NOT PROTECT COPIED PASSWORD  IMs DOES NOT ENCRYPTED (BLACKBERRY/ALL)  GETCLIPBOARD(), GETDATA(), GETTEXT()  | SENDER ID | RECIPIENT ID | DATE | DATA
LIVE FORENSICS
CONCLUSION DEAD AND LIVE FORENSICS BECOME WELL-ESTABLISHED BUT... LACK OF SIMULATION ENVIRONMENTS THE MODERN SECURITY TREND IS APP WORLD INSTALLATION WAY INFORMATION IS OUT-DATED RAPIDLY WHILE THE AMOUNT LEAVES US MISSING MORE PASSWORD AND ENCRYPTION ARE A LONG-TERM PROBLEM LIVE SOLUTIONS PREVENT AND SOLVE ISOLATION ISSUES FILES ARE STORED IN DEFAULT LOCATION ON SHORT TIME AFTER EVENT LIMITED CASES FOR DEAD OR LIVE FORENSICS SOLUTIONS SOME DEAD CASES ARE HANDY BY LIVE AND VICE VERSA NOT TO MISS OPPORTUNITY FOR EACH OTHER
THANK YOU YURY CHEMERKIN HAKIN9 MAGAZINE REPRESENTATIVE

More Related Content

PDF
(Pdf) yury chemerkin _confidence_2013
bySTO STRATEGY
 
PPS
Dios cercano, se disfraza, sorprende
byJosé de María Pinto Pinto
 
PDF
Luquin_linkedin
byJose Luquin
 
PDF
Social network privacy
bySTO STRATEGY
 
PPTX
Teknologi Inovasi Cheryl Ariella Wijaya
bycherylariel
 
PPTX
Slide nahu (2)
byIFFAH K.ANUAR
 
PDF
About reading
byErik Spencer
 
PDF
Google Analytics Report
byDrew West
 
(Pdf) yury chemerkin _confidence_2013
bySTO STRATEGY
 
Dios cercano, se disfraza, sorprende
byJosé de María Pinto Pinto
 
Luquin_linkedin
byJose Luquin
 
Social network privacy
bySTO STRATEGY
 
Teknologi Inovasi Cheryl Ariella Wijaya
bycherylariel
 
Slide nahu (2)
byIFFAH K.ANUAR
 
About reading
byErik Spencer
 
Google Analytics Report
byDrew West
 

Viewers also liked

PDF
Solo EPM
bySoloten
 
PDF
Solo Good Bye Money
bySoloten
 
PDF
Blackberry playbook – new challenges
bySTO STRATEGY
 
PDF
The black saturday disaster by jasi
byjlayt009
 
PPS
2 tazas de café
byJosé de María Pinto Pinto
 
PPS
Deseo
byJosé de María Pinto Pinto
 
PDF
HubSpot landing analysis
bySoloten
 
PPT
Statistics for Anaesthesiologists
byxeonfusion
 
PDF
(Pdf) yury chemerkin ita_2013
bySTO STRATEGY
 
PDF
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
PPT
Music documentary conventions
bygmisso33
 
PPS
23 verdades de la vida
byJosé de María Pinto Pinto
 
PPTX
Final Design Portfolio
bydeawou
 
PPTX
Costume & Props
bygmisso33
 
Solo EPM
bySoloten
 
Solo Good Bye Money
bySoloten
 
Blackberry playbook – new challenges
bySTO STRATEGY
 
The black saturday disaster by jasi
byjlayt009
 
2 tazas de café
byJosé de María Pinto Pinto
 
Deseo
byJosé de María Pinto Pinto
 
HubSpot landing analysis
bySoloten
 
Statistics for Anaesthesiologists
byxeonfusion
 
(Pdf) yury chemerkin ita_2013
bySTO STRATEGY
 
Why is password protection a fallacy a point of view
bySTO STRATEGY
 
Music documentary conventions
bygmisso33
 
23 verdades de la vida
byJosé de María Pinto Pinto
 
Final Design Portfolio
bydeawou
 
Costume & Props
bygmisso33
 

Similar to Yury chemerkin _cyber_crime_forum_2012

PDF
YURY_CHEMERKIN__CYBER_CRIME_FORUM_2012.pdf
byYury Chemerkin
 
PDF
Comparison of android and black berry forensic techniques
bySTO STRATEGY
 
PDF
State of art of mobile forensics
bySTO STRATEGY
 
PDF
Comparison of android and black berry forensic techniques
byYury Chemerkin
 
PDF
BYOM Build Your Own Methodology (in Mobile Forensics)
byReality Net System Solutions
 
PDF
Mobile Forensics on a Shoestring Budget
byBrent Muir
 
PDF
YURY_CHEMERKIN__ICITST_2012_Conference.pdf
byYury Chemerkin
 
PDF
(Pdf) yury chemerkin _icitst_2012
bySTO STRATEGY
 
PPTX
Why cant all_data_be_the_same
bySkyler Lewis
 
PPTX
811719104102_Tamilmannavan S.pptx
byDEVIKAS92
 
PDF
Hacker Halted 2014 - EMM Limits & Solutions
byEC-Council
 
PDF
HackerHalted_Yury_Chemerkin_2014_Conference.pdf
byYury Chemerkin
 
PPTX
Mobile Forensics
byprimeteacher32
 
PDF
Ijmet 10 01_095
byIAEME Publication
 
PDF
Defcamp_2014_Conference_Yury_Chemerkin.pdf
byYury Chemerkin
 
PDF
(Pdf) yury chemerkin _null_con_2013
bySTO STRATEGY
 
PDF
6.3. How to get out of an inprivacy jail
bydefconmoscow
 
PDF
Mobile Forensic Webinar by Forensic Academy
byForensic Academy
 
PDF
Defeating spyware and forensics on the black berry draft
byidsecconf
 
PDF
Tisa mobile forensic
byPrathan Phongthiproek
 
YURY_CHEMERKIN__CYBER_CRIME_FORUM_2012.pdf
byYury Chemerkin
 
Comparison of android and black berry forensic techniques
bySTO STRATEGY
 
State of art of mobile forensics
bySTO STRATEGY
 
Comparison of android and black berry forensic techniques
byYury Chemerkin
 
BYOM Build Your Own Methodology (in Mobile Forensics)
byReality Net System Solutions
 
Mobile Forensics on a Shoestring Budget
byBrent Muir
 
YURY_CHEMERKIN__ICITST_2012_Conference.pdf
byYury Chemerkin
 
(Pdf) yury chemerkin _icitst_2012
bySTO STRATEGY
 
Why cant all_data_be_the_same
bySkyler Lewis
 
811719104102_Tamilmannavan S.pptx
byDEVIKAS92
 
Hacker Halted 2014 - EMM Limits & Solutions
byEC-Council
 
HackerHalted_Yury_Chemerkin_2014_Conference.pdf
byYury Chemerkin
 
Mobile Forensics
byprimeteacher32
 
Ijmet 10 01_095
byIAEME Publication
 
Defcamp_2014_Conference_Yury_Chemerkin.pdf
byYury Chemerkin
 
(Pdf) yury chemerkin _null_con_2013
bySTO STRATEGY
 
6.3. How to get out of an inprivacy jail
bydefconmoscow
 
Mobile Forensic Webinar by Forensic Academy
byForensic Academy
 
Defeating spyware and forensics on the black berry draft
byidsecconf
 
Tisa mobile forensic
byPrathan Phongthiproek
 

More from STO STRATEGY

PDF
(Pdf) yury chemerkin hackfest.ca_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin hacktivity_2013
bySTO STRATEGY
 
PDF
(Pptx) yury chemerkin hacker_halted_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin intelligence_sec_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin _ita_2013 proceedings
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin deep_intel_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin balccon_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin _ath_con_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin def_con_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin _i-society_2013
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin _i-society-2013 proceedings
bySTO STRATEGY
 
PDF
(Pdf) yury chemerkin info_securityrussia_2011
bySTO STRATEGY
 
PDF
Pen test career. how to begin
bySTO STRATEGY
 
PDF
AWS Security Challenges
bySTO STRATEGY
 
PDF
When developers api simplify user mode rootkits development – part ii
bySTO STRATEGY
 
PDF
Social network privacy.
bySTO STRATEGY
 
PDF
Interview with yury chemerkin
bySTO STRATEGY
 
PDF
To get round to the heart of fortress
bySTO STRATEGY
 
PDF
A security system that changed the world
bySTO STRATEGY
 
PDF
Is data secure on the password protected blackberry device
bySTO STRATEGY
 
(Pdf) yury chemerkin hackfest.ca_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin hacktivity_2013
bySTO STRATEGY
 
(Pptx) yury chemerkin hacker_halted_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin intelligence_sec_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin _ita_2013 proceedings
bySTO STRATEGY
 
(Pdf) yury chemerkin deep_intel_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin balccon_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin _ath_con_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin def_con_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin _i-society_2013
bySTO STRATEGY
 
(Pdf) yury chemerkin _i-society-2013 proceedings
bySTO STRATEGY
 
(Pdf) yury chemerkin info_securityrussia_2011
bySTO STRATEGY
 
Pen test career. how to begin
bySTO STRATEGY
 
AWS Security Challenges
bySTO STRATEGY
 
When developers api simplify user mode rootkits development – part ii
bySTO STRATEGY
 
Social network privacy.
bySTO STRATEGY
 
Interview with yury chemerkin
bySTO STRATEGY
 
To get round to the heart of fortress
bySTO STRATEGY
 
A security system that changed the world
bySTO STRATEGY
 
Is data secure on the password protected blackberry device
bySTO STRATEGY
 

Recently uploaded

PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPT
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Designing a Blog Using Wordpress
bymarkzubi50
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
NTG - Data Center Management System Software
byMustafa Kuğu
 

Yury chemerkin _cyber_crime_forum_2012

  • 1.
    STATE-OF-ART OF MOBILEFORENSICS YURY CHEMERKIN SOUTH EAST EUROPEAN REGIONAL FORUM ON CYBERSECURITY AND CYBERCRIME 2012
  • 2.
    FORENSICS ACQUISITION METHODS METHODOLOGY METHODS PHYSICAL ACQUISITION TECHNIQUE IS A BIT-BYBIT COPY OF AN ENTIRE PHYSICAL STORE  LOGICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF LOGICAL STORAGE  MANUAL ACQUISITION TECHNIQUE IS UI UTILIZING TO GET PICTURES OF DATA FROM THE SCREEN. DATA TYPES  ALL AVAILABLE TYPES  ADDRESS BOOK/MESSAGES,  GEO/FILES/PASSWORD… ETC REALITY METHODS  COMMERCIALLY FORENSIC SOFTWARE TOOLS MANAGE WITH FULL COPY OF THE DEVICE DATA  BACKUP IS FULL COPY OF DEVICE BY NATIVE/VENDOR TOOLS OR APIs  SCREENSHOT EXTRACTION IS EASY IMPLEMENTED AND SOFTLY FOR THE RUN-DOWN BATTERY THAN PHOTO/VIDEO CAMERA DATA TYPES  UNKNOWN IS MISSED THROUGH IGNORANCE  SAVED MESSAGES/IMs  SOLID DB FILES REDUCE RAW ACQUISITION
  • 3.
    NETWORK AND OTAISOLATION TRADITION  GOAL:  PREVENTING DEVICE FROM ANY CHANGES INCL. MALWARE TRIGGERS  SOLUTION:  AIRPLANE MODE, FARADAY CAGE OR SIMILAR  SOME LIVE CASES PREVENT SYNC LAST CENTURY  COMPLEXITY FACTOR:  HANDY BLACKBERRY GUI (A COUPLE CLICKS)  OVERLADEN ANDROID GUI (VIA MENU  SETTINGS…)  ANDROID HOTKEYS DEPEND ON VENDOR
  • 4.
    “PUSH” TECHNOLOGY DIFFERENCE BYIMPLEMENTATION (PROTOCOL): DIFFERENCE BY REALIZATION (USER EXPERIENCE):  BLACKBERRY SMARTPHONE – PROPR. PUSH + EXCHANGE  BLACKBERRY SMARTPHONE – TRUE PUSH IF ONLINE, QUICKLY RETRIEVE DATA IF WAS OFFLINE  BLACKBERRY TABLET – IMAP4, POP3 + EXCHANGE ACTIVESYNC  BLACKBERRY TABLET – INTERRUPTS BY STANDBY AND NETWORK, PASSWORD ASKING, LOST THE NON-INBOX/SENT FOLDER DATA IF WAS OFFLINE  ANDROID – GOOGLE SYNC, IDLE, IMAP4, POP3 + EXCHANGE ACTIVESYNC  ANDROID – INTERRUPTS BY STANDBY AND NETWORK, PASSWORD ASKING, LOST THE NONINBOX/SENT FOLDER DATA IF WAS OFFLINE
  • 5.
    PASSWORD PROTECTION AN ACCESSBY DESIGN DESPITE THE SECURITY IMPROVEMENTS  BLACKBERRY  ASCII PRINTABLE CHARACTERS – NOT ACCESSIBLE  CUSTOM CASES – WALLETS, DEVICE PASSWORD (ELCOMSOFT)  ANDROID  PATTERN LOCK – NEED ROOT ACCESS  PIN – NEED ROOT ACCESS  ASCII PRINTABLE CHARACTERS – NEED ROOT ACCESS
  • 6.
    PASSWORD EXTRACTION ANDBYPASSING DEAD FORENSICS SOLUTION  ELCOMSOFT SOLUTION FOR BLACKBERRY  BACKUP DATA, WALLET  DEVICE PASSWORD  PATTERN & PASSWORD LOCK VIA ROOT FILE ACCESS (ANDROID)  GESTURE.KEY, PC.KEY  TOUCH THE SCREEN TO PREVENT PASSWORD LOCKING LIVE FORENSICS SOLUTIONS  PREVENTION THE SCREEN LOCKING THROUGH THE APIs (ANDROID)  SCALED BUTTON PREVIEW VIA SCREENSHOT (ALMOST ALL/SETTINGS)  ASTERISKS HIDING DEALY (ALMOST ALL/SETTINGS)  DESKTOP SYNCHRONIZATION (BLACKBERRY)  FAKE WINDOW TO MISLEAD (ALL)
  • 7.
  • 8.
    CLASSIC FORENSICS DEALING WITHEXPIRATION  GOAL – GATHERING LOGS, DUMPS, BACKUP, OTHER DATA  SOLUTION – SDK TOOLS OR SIMILAR  DATA:  LOGS INCL. Wi-Fi, DUMPS, EXE MODULES, SCREENSHOTS, DEVICE INFO (BLACKBERRY)  SPECIAL LOGGING MECHANISM INCL. EVENTS, CREDENTIALS, FAILURES (ANDROID)  BACKUP:  GRANULATED DATA + WALLET (BB SMARTPHONE)  APP DATA, MEDIA, SETTING (BB TABLET)  THIRD-PARTY SOLUTIONS DESPITE OF NATIVE BACKUP APIs (ANDROID) DEVICE & NETWORK LOG EXAMPLES             DEVICE INFORMATION PHYSICAL ADDRESS: E8:XX:XX:XX:XX:XX DEVICE OS: BLACKBERRY PLAYBOOK OS DEVICE PIN: 500XXXXX | OS VERSION: 2.0.1.668 IP ADDRESS: 192.168.1.31 | SUBNET MASK: 255.255.255.0 DEFAULT GATEWAY: 192.168.1.1 PRIMARY DNS: 192.168.1.1 | PROXY IP/PORT: WI-FI INFORMATION STATUS:CONNECTED | SECURITY TYPE:WPA2 PERS PROFILE NAME: XXXX | SSID: XXXX SIGNAL LEVEL: -41 DBM | TYPE: 802.11G/N CONNECTION DATA RATE: 65 MBPS
  • 9.
    CLASSIC FORENSICS ANY DELAYLEAVE US FAR BEHIND  EXIF DATA  CAMERA MAKE  RIM/BLACKBERRY/ANDROID /HTC  CAMERA MODEL  DEVICE MODEL  OTHER EXIF DATA  EXPOSURE,  DIAPHRAGM OPENING,  FLASH, EXIF VERSION  GEO DATA  MEDIA FILE NAMES  IMG20120103-XXXX  GEO TAG AS CITY LIKE “MOSKVA”  VOICE NOTES  VN-20120319-XXXX.AMR / M4A WHERE “20120319” IS DATE WITH YYYY-MM-DD FORMATTING  VID-YYYYMMDD-XXXXXX.3GP / MP4
  • 10.
    LIVE FORENSICS DEVICE LIFECYCLE IS MORE THAN ITS SOFTWARE  PRIVATE DATA - THROUGH THE API ONLY  BLACKBERRY CONTACT - EMAILS, CALL & RECENT HISTORY, LINKING WITH SOCIAL NETWORKS, ETC.  ANDROID CONTACT - SQL DB PER VCARD, FB, TWITTER… COVERS DEAD CASES IN REAL-TIME  STORED IN SHARED FOLDERS INSTEAD SANDBOX (BLACKBERRY)  MESSAGE DATA STORED IN SQL DB INCL. MMS MEDIA ON “/DATA/DATA” PATH  /COM.ANDROID.PROVIDERS.TELEPHONY  MEDIA DATA - THROUGH API, SD-CARD  /COM.FACEBOOK/FB.DB  VOICE NOTES, SCREENSHOTS, CAMERAS, SQL DB…  CLIPBOARD  EXIF, FILENAME OFTEN INCLUDES EXIF & GEO  PASSWORD HAPPENS  MESSAGES AND IM CHATS - API, SD-CARD  WALLET DOES NOT PROTECT COPIED PASSWORD  IMs DOES NOT ENCRYPTED (BLACKBERRY/ALL)  GETCLIPBOARD(), GETDATA(), GETTEXT()  | SENDER ID | RECIPIENT ID | DATE | DATA
  • 11.
  • 12.
    CONCLUSION DEAD AND LIVEFORENSICS BECOME WELL-ESTABLISHED BUT... LACK OF SIMULATION ENVIRONMENTS THE MODERN SECURITY TREND IS APP WORLD INSTALLATION WAY INFORMATION IS OUT-DATED RAPIDLY WHILE THE AMOUNT LEAVES US MISSING MORE PASSWORD AND ENCRYPTION ARE A LONG-TERM PROBLEM LIVE SOLUTIONS PREVENT AND SOLVE ISOLATION ISSUES FILES ARE STORED IN DEFAULT LOCATION ON SHORT TIME AFTER EVENT LIMITED CASES FOR DEAD OR LIVE FORENSICS SOLUTIONS SOME DEAD CASES ARE HANDY BY LIVE AND VICE VERSA NOT TO MISS OPPORTUNITY FOR EACH OTHER
  • 13.
    THANK YOU YURY CHEMERKIN HAKIN9MAGAZINE REPRESENTATIVE