MOBILE FORENSICS ON A SHOESTRING BUDGET
Brent Muir - 2018
WHY?
- Commercial mobile forensic suites are quite expensive
- Many "automated" mobile forensic suites miss vital data
- In-depth mobile forensic analysis will produce the best results
  - And teach you to be a better forensic analyst
WHAT YOU WILL LEARN
- Device Acquisition (iOS & Android)
- Lock Bypass Methods
- Working with databases
- Recovering deleted records
- 3rd Party IM Decryption
  - WeChat
  - WhatsApp
- Mobile Malware
- Decompiling Mobile Applications
- Protections from Mobile Malware
DEVICE ACQUISITION
When we talk about mobile forensic acquisition there are a couple of methodologies:
- Physical
  - With boot loader / root / jailbreak
- Logical
- Logical with applet
- File System
- JTAG
- Chip-Off
DEVICE ACQUISITION - EXTRACTION METHODS
(diagram: the extraction methods above ordered by level of invasiveness)
MAGNET ACQUIRE
- Allows acquisition of Android & iOS mobile devices
  - As well as HDs & USB mass storage devices
- Physical & Logical acquisition methods available
- Android:
  - Rooting is available for Android devices
  - For Logical acquisition runs an applet (as well as ADB backup)
- iOS:
  - iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data
  - Full extraction for jailbroken devices
iTUNES BACKUPS
- iOS device backups through Apple iTunes (Windows & OSX)
  - Windows: \Users\user_name\AppData\Roaming\Apple Computer\MobileSync\Backup
  - OSX: ~/Library/Application Support/MobileSync/Backup/
- iTunes backups are ZIP archives
  - Can be extracted with commodity tools such as 7zip
- Santoku also features an iPhone Backup Analyzer
Android Debug Bridge (ADB)
- Can be used (with Developer Mode enabled) to create a file system backup:
  1. adb start-server
  2. adb devices
  3. adb backup -apk -obb -shared -all
- If the device is not jailbroken/rooted this does not grab all application databases/secure files
- ADB is available for OSX, Windows & Linux
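The `adb backup` command above writes a `.ab` file rather than a plain tar archive. The following is an added example (not from the deck) that reads the text header of such a file and, for an unencrypted backup, inflates the payload and lists the archived paths. The header layout (magic line, version, compressed flag, encryption) is the documented Android backup format; the `.ab` file itself is constructed in memory here, mimicking the `apps/<package>/` and `shared/0/` layout ADB uses, so the script runs with no device attached.

```python
import io
import tarfile
import zlib


def build_sample_backup() -> bytes:
    """Constructed sample .ab file: header + zlib-compressed tar, as adb backup writes it."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, payload in (
            ("apps/com.example.app/_manifest", b"com.example.app\n1\n"),
            ("apps/com.example.app/db/messages.db", b"SQLite format 3\x00" + b"\x00" * 84),
            ("shared/0/Download/notes.txt", b"constructed sample data\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    # magic, format version, compressed flag (1 = zlib), encryption ("none" or "AES-256")
    header = b"ANDROID BACKUP\n1\n1\nnone\n"
    return header + zlib.compress(tar_buf.getvalue())


def parse_backup_header(data: bytes) -> dict:
    """Read the four '\n'-terminated header lines that precede the payload.

    For an unencrypted v1 backup the header is exactly 24 bytes, which is why the
    well-known `dd bs=24 skip=1` trick turns the file into a zlib stream.
    """
    lines, pos = [], 0
    for _ in range(4):
        nl = data.index(b"\n", pos)
        lines.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    magic, version, compressed, encryption = lines
    if magic != "ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    return {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "payload_offset": pos,
    }


def list_backup_members(data: bytes) -> list:
    """Return the tar member names inside an unencrypted backup."""
    hdr = parse_backup_header(data)
    if hdr["encryption"] != "none":
        # Encrypted backups carry extra header lines (salts, rounds, IV, wrapped key);
        # the user password is needed before the payload can be inflated.
        raise ValueError("encrypted backup: password-derived key required")
    payload = data[hdr["payload_offset"]:]
    if hdr["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    sample = build_sample_backup()
    print(parse_backup_header(sample))
    for name in list_backup_members(sample):
        print(name)
```

On a real backup, replace `build_sample_backup()` with the bytes of the `.ab` file; the member list is where you check whether the application databases you expected were actually included, since unrooted devices will be missing some of them.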
LOCK BYPASSES
- Santoku Linux features an Android Brute Force Script for dealing with PIN locks
- Android gesture lock bypass via ADB
  - Gesture pattern stored in /data/system/gesture.key
    adb shell rm /data/system/gesture.key
- iPhone PIN bypass
  - Vulnerabilities in iOS that allow Siri to be used to get into the device
    https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html
- Depending on the device/version of iOS, brute-force scripts are available for breaking the PIN/passcode
APPLICATION DATABASES
- Both Android and iOS operating systems rely on SQLite databases to store pertinent system data
- Each installed application will also have a corresponding SQLite database, including web-browser applets
- SQLite is an open source database format and there are many viewers available to examine the underlying table data
  - SQLiteQ
  - Firefox SQLite DB Viewer extension
  - SQLite Studio
- SQLite database files
  - Primary data file (.db)
  - Journal files (.db-journal)
  - Write Ahead Logs (.db-wal)
  - Shared memory file (.db-shm), which indicates WAL mode
EXTRACTING THE MOST FROM DATABASES
- Automated tools:
  - Only support some databases
  - Only examine some table data (not all tables)
  - Do not always examine WAL or Journal files
- Example
  - Android device: an automated forensics suite extracted data from the Chrome History SQLite database, extracting data from the "urls" table but completely missing the "visits" table. Not only did this table provide more records, it provided more metadata to report on (e.g. visit duration is only recorded in the "visits" table).
- Simple SQL INNER JOIN syntax will allow sensible data extraction from the database
  - Chrome History (visits.url is the foreign key to urls.id)
    SELECT * FROM urls INNER JOIN visits ON urls.id = visits.url
  - Safari History
    SELECT * FROM history_items INNER JOIN history_visits ON history_items.id = history_visits.history_item
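To show why the visits table matters, here is an added example (not from the deck) that builds a small stand-in for a Chrome History database and runs the join. Only the columns the query needs are reproduced, under the names Chrome uses (`urls.id`, `visits.url`, `visits.visit_time`, `visits.visit_duration`, `visits.from_visit`); the rows are constructed. It also converts Chrome's timestamps, which are microseconds since 1601-01-01 UTC, into readable dates, since that is what ends up in a report.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) epoch: microseconds since 1601-01-01 00:00:00 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us: int) -> str:
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome History database (subset of the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 13200000200000000),
        (2, "https://example.org/login", "Login", 1, 13200000090000000),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, 13200000000000000, 0, 0, 5000000),
        (2, 2, 13200000090000000, 1, 1, 12000000),   # reached from visit 1
        (3, 1, 13200000200000000, 0, 0, 3000000),    # second visit to url 1
    ])
    return con


def visits_with_urls(con: sqlite3.Connection) -> list:
    """One row per visit. The join key is visits.url -> urls.id (not visits.id)."""
    rows = con.execute("""
        SELECT visits.id, urls.url, urls.title, visits.visit_time,
               visits.visit_duration, visits.from_visit
        FROM urls INNER JOIN visits ON urls.id = visits.url
        ORDER BY visits.visit_time
    """).fetchall()
    return [
        {"visit_id": vid, "url": url, "title": title,
         "visited_utc": webkit_to_utc(vt),
         "duration_s": dur / 1_000_000, "from_visit": frm}
        for vid, url, title, vt, dur, frm in rows
    ]


def urls_only(con: sqlite3.Connection) -> int:
    """What a urls-table-only extraction reports: one row per URL, no per-visit detail."""
    return con.execute("SELECT COUNT(*) FROM urls").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_history()
    print("urls table alone:", urls_only(db), "records")
    for row in visits_with_urls(db):
        print(row)
```

Against the constructed data the urls table yields two records while the join yields three, each with its own timestamp, duration and referring visit; that is the gap the deck's example describes.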
RECOVERING DELETED RECORDS FROM DBS
- Python scripts to recover deleted entries from main SQLite database files
  - Including a GUI version, built with portable Python
- Perl script to recover deleted entries from the .db-journal component of SQLite databases
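The two slides above (the database file types, and recovering deleted records from the main file) both come down to reading SQLite's own on-disk structures. The following is an added example, not the deck's scripts nor the referenced recovery tools: it decodes the fields of the 100-byte file header that a triage needs (page size, the journal-mode flags at offsets 18/19 that tell you whether a .db-wal/.db-shm pair should exist, and the freelist), walks the freelist, and carves printable strings out of free pages, where deleted rows survive unless secure_delete was on or the pages were reused. The sample databases are constructed in a temp directory; offsets follow the SQLite file format specification.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite file header fields that matter for triage."""
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    write_ver, read_ver = data[18], data[19]
    page_count, trunk, free_count = struct.unpack(">III", data[28:40])
    return {
        "page_size": page_size,
        # offsets 18/19: 1 = rollback journal (.db-journal), 2 = WAL (.db-wal + .db-shm)
        "journal_mode": "wal" if (write_ver, read_ver) == (2, 2) else "rollback",
        "page_count": page_count,
        "freelist_trunk": trunk,
        "freelist_pages": free_count,
    }


def freelist_pages(data: bytes) -> list:
    """Walk the freelist trunk chain; returns every free page number (trunks and leaves)."""
    hdr = parse_sqlite_header(data)
    ps, pages, trunk = hdr["page_size"], [], hdr["freelist_trunk"]
    while trunk:
        off = (trunk - 1) * ps
        next_trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        pages.append(trunk)
        pages.extend(struct.unpack(">%dI" % n_leaves, data[off + 8:off + 8 + 4 * n_leaves]))
        trunk = next_trunk
    return pages


def carve_strings(data: bytes, page_numbers: list, min_len: int = 8) -> list:
    """Printable ASCII runs from the given pages (old row content on free pages)."""
    ps, found = parse_sqlite_header(data)["page_size"], []
    for p in page_numbers:
        run = bytearray()
        for b in data[(p - 1) * ps:p * ps] + b"\x00":
            if 32 <= b < 127:
                run.append(b)
                continue
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def build_sample_db(path: str, rows: int = 300, wal: bool = False) -> None:
    """Constructed sample: fill a table, then delete everything so the leaf pages
    drop onto the freelist with their content intact (secure_delete off)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")
    if wal:
        con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [("deleted-record-%03d " % i + "x" * 180,) for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM messages")
    con.commit()
    con.close()


def recover_deleted(path: str) -> list:
    """Strings carved from the freelist that look like the deleted sample rows."""
    with open(path, "rb") as f:
        data = f.read()
    return [s for s in carve_strings(data, freelist_pages(data)) if s.startswith("deleted-record-")]


def run_demo() -> dict:
    d = tempfile.mkdtemp()
    rollback_db, wal_db = os.path.join(d, "rollback.db"), os.path.join(d, "wal.db")
    build_sample_db(rollback_db)
    build_sample_db(wal_db, rows=10, wal=True)
    with open(rollback_db, "rb") as f:
        data = f.read()
    with open(wal_db, "rb") as f:
        wal_data = f.read()
    return {
        "rollback_header": parse_sqlite_header(data),
        "wal_header": parse_sqlite_header(wal_data),
        "free_pages_walked": len(freelist_pages(data)),
        "recovered": recover_deleted(rollback_db),
    }


if __name__ == "__main__":
    r = run_demo()
    print(r["rollback_header"], r["wal_header"])
    print("%d deleted rows carved from %d free pages" % (len(r["recovered"]), r["free_pages_walked"]))
```

Two practical notes: if the header reports WAL mode, recent writes (and recent deletions) may still sit in the .db-wal file rather than the main file, so acquire it alongside the .db; and a freelist count of zero does not mean nothing was deleted, since rows removed from a page that stays in use leave free blocks inside that page rather than whole free pages.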
3RD PARTY IM DECRYPTION - WECHAT
- WeChat uses the SQLcipher encryption scheme to protect chat messages
  - EnMicroMsg.db stores messages/chat history
- The SQLcipher key is derived from the IMEI of the device and the unique identifier (UIN) as registered with WeChat
  - UIN is the unique identifier that you can get from the system_config_prefs.xml file in the WeChat application folder
- Calculate the MD5 hash of the IMEI number followed by the UIN, then use the first 7 characters as the SQLcipher key
  - E.g. if IMEI = 358711000000001 and UIN = 1234567890
  - Then calculate the MD5 of 3587110000000011234567890
    ee130f28c26387b09ce7c2ec2df21efc
  - The first 7 characters are ee130f2, which is the SQLcipher key
- Once the decryption key is generated the SQLite database can be decrypted with many tools, including SQLite Studio, where you can manually add the SQLcipher decryption key
3RD PARTY IM DECRYPTION - WHATSAPP
- On Android devices WhatsApp backs up chat databases to the SD card (if available) at /WhatsApp/Databases/msgstore.db.crypt
- The SQLite databases are encrypted but can be decrypted using the following methodology:
  1. Enable ADB & USB debugging on the device, connect the device to the computer
  2. Run WhatsApp Key Extractor on the computer
     - This will extract the decryption key from WhatsApp
  3. Use WhatsApp Viewer to open the encrypted database and provide the decryption key
     - This will generate a decrypted SQLite database that can be opened with any SQLite tool
MOBILE MALWARE
- If fortunate enough to have a binary acquisition you can mount the file system to scan for malware
  - AccessData MPE has similar functionality to FTK Imager that lets you mount these mobile forensic images and interpret the underlying file system
  - Once mounted it can be scanned with 3rd party AV tools
  - Santoku also features Android & iOS file system support
    - YAFFEY for mounting/reading yaffs2
- Various online mobile malware scanning services are available
  - NVISO ApkScan (API is available)
  - OPSWAT MetaDefender
- If wary about uploading apps to these services, hash the APK/IPA and scan the hashes in an online service such as VirusTotal or MetaDefender
ONLINE MOBILE MALWARE SCANNERS
(slide of screenshots of the online scanners listed above)
DECOMPILING MOBILE APPLICATIONS
- Android APKs & iOS IPAs are just ZIP archives, can be opened with 7Zip or similar
- To delve deeper into these apps you need to decompile/analyse them
  - Determine the permissions allowed by the application
  - Determine what remote communications are made by the application
  - Determine what functions are called by the application
DECOMPILING MOBILE APPLICATIONS – APK
- AndroidManifest.xml
  - Contains the permissions allowable by the application
- classes.dex is a Dalvik Executable file
  - Dex2Jar converts it to a JAVA applet (JAR)
    - Included in Santoku Linux, but can be downloaded for Windows
  - The converted JAR can be opened in 7Zip, analysed etc.
- APKAnalyser: Sony Mobile's open source Android APK analysing framework
- Can also be decompiled/analysed in Radare
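The "hash the APK rather than upload it" advice from the malware slide and the "an APK is a ZIP containing classes.dex" point above fit into one triage step. This is an added example (not from the deck or any of the tools it lists): it hashes the package, enumerates the ZIP entries, verifies that each .dex entry really carries the Dalvik magic (`dex\n0NN\0`), hashes the code separately, and builds (without sending) a VirusTotal v3 file-report request keyed by SHA-256. The APK is a constructed stand-in; its AndroidManifest.xml is a placeholder because the real one is binary XML and needs a dedicated parser to read permissions.

```python
import hashlib
import io
import os
import tempfile
import urllib.request
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is dex\n0NN\0, NN = DEX format version


def build_sample_apk(path: str) -> None:
    """Constructed APK-shaped ZIP: one valid-looking DEX and one that is not."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)  # AXML placeholder
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        z.writestr("classes2.dex", b"not a dex file at all")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")


def triage_apk(path: str) -> dict:
    """Hash the package and its code, and sanity-check every .dex entry."""
    with open(path, "rb") as f:
        whole = f.read()
    report = {
        "sha256": hashlib.sha256(whole).hexdigest(),
        "md5": hashlib.md5(whole).hexdigest(),
        "entries": [],
        "dex_files": {},
    }
    with zipfile.ZipFile(io.BytesIO(whole)) as z:
        for info in z.infolist():
            report["entries"].append(info.filename)
            if info.filename.endswith(".dex"):
                blob = z.read(info)
                valid = blob.startswith(DEX_MAGIC_PREFIX)
                report["dex_files"][info.filename] = {
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "valid_magic": valid,
                    "version": blob[4:7].decode("ascii") if valid else None,
                }
    report["has_manifest"] = "AndroidManifest.xml" in report["entries"]
    return report


def virustotal_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) a VirusTotal API v3 hash lookup; only the hash leaves your machine."""
    return urllib.request.Request(
        "https://www.virustotal.com/api/v3/files/" + sha256,
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def run_demo() -> dict:
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    build_sample_apk(path)
    return triage_apk(path)


if __name__ == "__main__":
    report = run_demo()
    print("package sha256:", report["sha256"])
    for name, dex in report["dex_files"].items():
        print(name, dex)
    req = virustotal_lookup_request(report["sha256"], "YOUR_API_KEY_HERE")
    print("lookup:", req.full_url)
```

A .dex entry whose magic does not check out is worth a closer look in Dex2Jar or Radare, as is any extra `classesN.dex` that a repackaged build has gained; the hash lookup lets you ask the scanners about the file before deciding whether to upload it at all.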
DECOMPILING MOBILE APPLICATIONS – IPA
- IPAs are encrypted with Apple's FairPlay DRM, so you need to decrypt them before analysis
  - Requires a jailbroken device
- Clutch
  - Used to decrypt IPA files; creates a decrypted IPA file (ZIP archive)
  - Needs to be run on the specific iOS device where the app is installed
- Otool
  - Can be used to inspect the binary, get a list of functions
- Radare for dynamic analysis
PROTECTIONS FROM MOBILE MALWARE
- Do not jailbreak or root your device
- Do not allow unsigned apps to be installed (developer mode)
- Only download/purchase apps from authorised/legitimate stores (Google Play, Apple App Store)
- Pay attention to what you download/install, don't fall for lookalike apps
- Threat actors will modify legitimate apps to inject them with malware
  - MSFVenom
  - APKinjector
  - Xcode: bootleg integrated development environment (IDE) infecting iOS apps
MALICIOUS APPS IN APPLE APP STORE
(slide of screenshots)
MALICIOUS APPS IN GOOGLE PLAY STORE
(slide of screenshots)
RESOURCES / REFERENCES
- OPSWAT MetaDefender – https://metadefender.opswat.com/
- NVISO ApkScan – https://apkscan.nviso.be/
- OWASP iOS Application Security Testing – https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
- Static Analysis of IPA Files – http://blog.dornea.nu/2014/10/29/howto-ios-apps-static-analysis/
- Android malware analysis with Radare – https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
- Injecting Metasploit Payloads into Android Applications – https://pentestlab.blog/2017/03/13/injecting-metasploit-payloads-into-android-applications/
- Python Script to recover deleted SQLite entries – http://az4n6.blogspot.com/2013/11/python-parser-to-recover-deleted-sqlite.html
- iOS Triage – https://github.com/ahoog42/ios-triage/
- Android SMS grep Perl Script – https://github.com/cheeky4n6monkey/4n6-scripts
  http://cheeky4n6monkey.blogspot.com.au/2013/02/creating-perl-script-to-retrieve.html
TOOLS
- Santoku Linux – http://santoku-linux.com
- AccessData MPE – https://accessdata.com/products-services/mobile-solutions
- Magnet Acquire – https://www.magnetforensics.com/acquire-community/
- 7Zip – http://www.7-zip.org/
- DCode – http://www.digital-detective.net/digital-forensic-software/free-tools/
- HashCalc – http://www.slavasoft.com/hashcalc/
- Dex2Jar – https://sourceforge.net/projects/dex2jar/files/
- iNalyzer – https://appsec-labs.com/iNalyzer/
- SQLiteQ – http://www.mitec.cz/sqliteq.html
- Radare – http://www.radare.org/r/
- Clutch – https://github.com/KJCracks/Clutch
- Otool – part of the Xcode toolset, https://developer.apple.com/xcode/
- ApkAnalyzer – https://github.com/sonyxperiadev/ApkAnalyser
- APKinjector – https://github.com/jbreed/apkinjector
- ADB – https://developer.android.com/studio/command-line/adb.html
- Python Script to recover deleted SQLite entries – https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
- Android SMS grep Perl Script – https://github.com/cheeky4n6monkey/4n6-scripts
- SQLite Studio – https://sqlitestudio.pl/index.rvt
- WhatsApp Key Extractor – https://github.com/EliteAndroidApps/WhatsApp-Key-DB-Extractor/
- WhatsApp Viewer – https://github.com/andreas-mausch/whatsapp-viewer
- iOS Restriction Bruteforce – https://github.com/thehappydinoa/iOSRestrictionBruteForce
Questions
SHOUT OUTS / THANKS
@MagnetForensics @AccessData
@Cheeky4n6Monkey @NowSecure
@Ahoog42 @DigitalDetectiv @VirusTotal
@NVISO_BE @radareorg @maridegrazia

Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Mobile Forensics on a Shoestring Budget

  • 9. LOCK BYPASSES
    - Santoku Linux features an Android Brute Force Script for dealing with PIN locks
    - Android gesture lock bypass via ADB
      - Gesture pattern stored in /data/system/gesture.key
        adb shell rm /data/system/gesture.key
    - iPhone PIN bypass
      - Vulnerabilities in iOS that allow Siri to be used to get into the device
        https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html
      - Depending on the device/version of iOS, brute-force scripts are available for breaking the PIN/passcode
  • 10. APPLICATION DATABASES
    - Both Android and iOS rely on SQLite databases to store pertinent system data
    - Each installed application will also have a corresponding SQLite database, including web-browser applets
    - SQLite is an open-source database format and there are many viewers available to examine the underlying table data
      - SQLiteQ
      - Firefox SQLite DB Viewer extension
      - SQLite Studio
    - SQLite database files
      - Primary data file (.db)
      - Journal files (.db-journal)
      - Write-ahead logs (.db-wal)
      - Shared memory file (.db-shm) - indicates WAL mode
  • 11. EXTRACTING THE MOST FROM DATABASES
    - Automated tools:
      - Only support some databases
      - Only examine some table data (not all tables)
      - Do not always examine WAL or journal files
    - Example
      - Android device: an automated forensics suite extracted data from the Chrome History SQLite database, pulling data from the "urls" table but completely missing the "visits" table. Not only did the "visits" table provide more records, it provided more metadata to report on (e.g. visit duration is only recorded in the "visits" table).
    - Simple SQL INNER JOIN syntax will allow sensible data extraction from the database (in Chrome's History the visits.url column holds the urls.id of the visited row, so that is the join column)
      - Chrome History
        SELECT * FROM urls INNER JOIN visits ON urls.id = visits.url
      - Safari History
        SELECT * FROM history_items INNER JOIN history_visits ON history_items.id = history_visits.history_item
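As an added example (not code from the slides), the Chrome "visits" join above run in Python's sqlite3 over a constructed, cut-down copy of the History schema; it also decodes Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC), the conversion the slides otherwise leave to DCode. Table and column names are Chrome's own; the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores visit_time / last_visit_time as microseconds since 1601-01-01 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Decode a Chrome/WebKit timestamp into an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

# One row per visit: visits.url is the foreign key into urls.id
VISITS_QUERY = """
SELECT urls.url, urls.title, visits.visit_time, visits.visit_duration
FROM urls INNER JOIN visits ON urls.id = visits.url
ORDER BY visits.visit_time"""

def build_sample_history():
    """Constructed stand-in for a Chrome History file, reduced to the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, visit_duration INTEGER);""")
    t0 = 13159238400000000          # 2018-01-01T00:00:00Z as a WebKit timestamp
    hour = 3600 * 1000000
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, t0 + hour),
        (2, "https://example.org/news", "News", 1, t0 + 2 * hour)])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (10, 1, t0, 0),                      # tab still open, no duration recorded
        (11, 1, t0 + hour, 45 * 1000000),    # 45 s on the page
        (12, 2, t0 + 2 * hour, 90 * 1000000)])
    db.commit()
    return db

def extract_visits(db):
    """Return one record per visit with decoded time and duration in seconds."""
    return [{"url": url, "title": title,
             "visited": webkit_to_utc(vt).isoformat(),
             "duration_s": dur / 1000000}
            for url, title, vt, dur in db.execute(VISITS_QUERY)]

def url_row_count(db):
    """What a urls-only extraction reports: one row per distinct URL, no durations."""
    return db.execute("SELECT COUNT(*) FROM urls").fetchone()[0]

if __name__ == "__main__":
    history = build_sample_history()
    print("urls rows:", url_row_count(history))
    for rec in extract_visits(history):
        print(rec)
```

Against the sample data the urls-only view reports 2 rows while the join returns all 3 visits with their durations, which is the gap the slide describes.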
  • 12. RECOVERING DELETED RECORDS FROM DBS
    - Python scripts to recover deleted entries from the main SQLite database files
      - Including a GUI version, built with portable Python
    - Perl script to recover deleted entries from the .db-journal component of SQLite databases
  • 13. 3RD PARTY IM DECRYPTION - WECHAT
    - WeChat uses the SQLCipher encryption scheme to protect chat messages
    - EnMicroMsg.db stores messages/chat history
    - The SQLCipher key is derived from the IMEI of the device and the unique identifier (UIN) registered with WeChat
    - The UIN is the unique identifier that you can get from the system_config_prefs.xml file in the WeChat application folder
    - Calculate the MD5 hash of the IMEI number followed by the UIN, then use the first 7 characters as the SQLCipher key
      - E.g. if IMEI = 358711000000001 and UIN = 1234567890
      - Then calculate the MD5 of 3587110000000011234567890
        ee130f28c26387b09ce7c2ec2df21efc
      - The first 7 characters, ee130f2, are the SQLCipher key
    - Once the decryption key is generated the SQLite database can be decrypted with many tools, including SQLite Studio, where you can manually add the SQLCipher decryption key
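The key derivation from the slide as an added Python example (not the author's or WeChat's code): it reads the UIN out of a constructed system_config_prefs.xml in Android's SharedPreferences format and hashes IMEI followed by UIN exactly as described. The preference entry name "default_uin" and the handling of negative (signed 32-bit) UIN values are assumptions to verify against the real file.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for WeChat's system_config_prefs.xml (Android SharedPreferences
# format). The entry name "default_uin" is an assumption: confirm it against the real file.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="default_uin" value="1234567890" />
    <boolean name="login_state" value="true" />
</map>
"""

def read_uin(prefs_xml, entry="default_uin"):
    """Return the UIN stored in a SharedPreferences XML document as a decimal string."""
    for node in ET.fromstring(prefs_xml):
        if node.get("name") == entry:
            return node.get("value")
    raise KeyError(f"no entry named {entry!r} in system_config_prefs.xml")

def wechat_db_key(imei, uin):
    """First 7 hex characters of MD5(IMEI || UIN), as the slide describes."""
    imei, uin = str(imei).strip(), str(uin).strip()
    if not imei or not uin:
        raise ValueError("both IMEI and UIN are needed to derive the key")
    # The UIN is kept as a signed 32-bit int in the XML; the decimal string is hashed
    # exactly as written, including a leading '-' on negative values (assumption).
    return hashlib.md5((imei + uin).encode("ascii")).hexdigest()[:7]

if __name__ == "__main__":
    uin = read_uin(SAMPLE_PREFS)
    key = wechat_db_key("358711000000001", uin)   # the slide's worked-example input
    print(f"UIN={uin} -> SQLCipher key {key}")
```

The resulting 7-character key is what SQLite Studio (or any SQLCipher-aware tool) is given as the passphrase for EnMicroMsg.db.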
  • 14. 3RD PARTY IM DECRYPTION - WHATSAPP
    - On Android devices WhatsApp backs up chat databases to the SD card (if available) at /WhatsApp/Databases/msgstore.db.crypt
    - The SQLite databases are encrypted but can be decrypted using the following methodology:
      1. Enable ADB & USB debugging on the device, then connect the device to the computer
      2. Run WhatsApp Key Extractor on the computer
         - This will extract the decryption key from WhatsApp
      3. Use WhatsApp Viewer to open the encrypted database and provide the decryption key
         - This will generate a decrypted SQLite database that can be opened with any SQLite tool
  • 15. MOBILE MALWARE
    - If fortunate enough to have a binary acquisition you can mount the file system to scan for malware
      - AccessData MPE has functionality similar to FTK Imager that lets you mount these mobile forensic images and interpret the underlying file system
      - Once mounted it can be scanned with 3rd party AV tools
    - Santoku also features Android & iOS file system support
      - YAFFEY for mounting/reading yaffs2
    - Various online mobile malware scanning services are available
      - NVISO ApkScan (an API is available)
      - OPSWAT MetaDefender
    - If wary about uploading apps to these services, hash the APK/IPA and look the hashes up in an online service such as VirusTotal or MetaDefender
  • 17. DECOMPILING MOBILE APPLICATIONS
    - Android APKs & iOS IPAs are just ZIP archives and can be opened with 7Zip or similar
    - To delve deeper into these apps you need to decompile/analyse them
      - Determine the permissions allowed to the application
      - Determine what remote communications are made by the application
      - Determine what functions are called by the application
  • 18. DECOMPILING MOBILE APPLICATIONS - APK
    - AndroidManifest.xml
      - Contains the permissions allowable by the application
    - classes.dex is a Dalvik Executable file
      - Dex2Jar converts it to a Java archive (JAR)
        - Included in Santoku Linux, but can be downloaded for Windows
      - The converted JAR can be opened in 7Zip, analysed, etc.
    - ApkAnalyser - Sony Mobile's open-source Android APK analysing framework
    - Can also be decompiled/analysed in Radare
  • 19. DECOMPILING MOBILE APPLICATIONS - IPA
    - IPAs are encrypted with Apple's FairPlay DRM, so you need to decrypt them before analysis
      - Requires a jailbroken device
    - Clutch
      - Used to decrypt IPA files - creates a decrypted IPA file (ZIP archive)
      - Needs to be run on the specific iOS device where the app is installed
    - Otool
      - Can be used to inspect the binary and get a list of functions
    - Radare for dynamic analysis
  • 20. PROTECTIONS FROM MOBILE MALWARE
    - Do not jailbreak or root your device
    - Do not allow unsigned apps to be installed (developer mode)
    - Only download/purchase apps from authorised/legitimate stores (Google Play, Apple App Store)
    - Pay attention to what you download/install; don't fall for lookalike apps
    - Threat actors will modify legitimate apps to inject them with malware
      - MSFVenom
      - APKinjector
      - Xcode - a bootleg integrated development environment (IDE) infecting iOS apps
  • 21. MALICIOUS APPS IN APPLE APP STORE
  • 22. MALICIOUS APPS IN GOOGLE PLAY STORE
  • 23. RESOURCES / REFERENCES
    - OPSWAT MetaDefender - https://metadefender.opswat.com/
    - NVISO ApkScan - https://apkscan.nviso.be/
    - OWASP iOS Application Security Testing - https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
    - Static Analysis of IPA Files - http://blog.dornea.nu/2014/10/29/howto-ios-apps-static-analysis/
    - Android malware analysis with Radare - https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
    - Injecting Metasploit Payloads into Android Applications - https://pentestlab.blog/2017/03/13/injecting-metasploit-payloads-into-android-applications/
    - Python Script to recover deleted SQLite entries - http://az4n6.blogspot.com/2013/11/python-parser-to-recover-deleted-sqlite.html
    - iOS Triage - https://github.com/ahoog42/ios-triage/
    - Android SMS grep Perl Script - https://github.com/cheeky4n6monkey/4n6-scripts
      http://cheeky4n6monkey.blogspot.com.au/2013/02/creating-perl-script-to-retrieve.html
  • 24. TOOLS
    - Santoku Linux - http://santoku-linux.com
    - AccessData MPE - https://accessdata.com/products-services/mobile-solutions
    - Magnet Acquire - https://www.magnetforensics.com/acquire-community/
    - 7Zip - http://www.7-zip.org/
    - DCode - http://www.digital-detective.net/digital-forensic-software/free-tools/
    - HashCalc - http://www.slavasoft.com/hashcalc/
    - Dex2Jar - https://sourceforge.net/projects/dex2jar/files/
    - iNalyzer - https://appsec-labs.com/iNalyzer/
    - SQLiteQ - http://www.mitec.cz/sqliteq.html
    - Radare - http://www.radare.org/r/
    - Clutch - https://github.com/KJCracks/Clutch
    - Otool - part of the Xcode toolset, https://developer.apple.com/xcode/
    - ApkAnalyser - https://github.com/sonyxperiadev/ApkAnalyser
    - APKinjector - https://github.com/jbreed/apkinjector
    - ADB - https://developer.android.com/studio/command-line/adb.html
    - Python Script to recover deleted SQLite entries - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
    - Android SMS grep Perl Script - https://github.com/cheeky4n6monkey/4n6-scripts
    - SQLite Studio - https://sqlitestudio.pl/index.rvt
    - WhatsApp Key Extractor - https://github.com/EliteAndroidApps/WhatsApp-Key-DB-Extractor/
    - WhatsApp Viewer - https://github.com/andreas-mausch/whatsapp-viewer
    - iOS Restriction Bruteforce - https://github.com/thehappydinoa/iOSRestrictionBruteForce
  • 26. SHOUT OUTS / THANKS @MagnetForensics @AccessData @Cheeky4n6Monkey @NowSecure @Ahoog42 @DigitalDetectiv @VirusTotal @NVISO_BE @radareorg @maridegrazia