Presentation on conducting mobile device forensics without expensive commercial tools, using FOSS alternatives instead. Manual analysis makes you a better forensic analyst and turns up evidence that automated tools miss. From acquisition to analysis to malware disassembly, this presentation provides a primer on all facets of mobile forensics.
2. WHY?
Commercial mobile forensic suites are quite
expensive
Many “automated” mobile forensic suites miss
vital data
In-depth mobile forensic analysis will produce the
best results
And teach you to be a better forensic analyst
3. WHAT YOU WILL LEARN
Device Acquisition (iOS & Android)
Lock Bypass Methods
Working with databases
Recovering deleted records
3rd Party IM Decryption
WeChat
WhatsApp
Mobile Malware
Decompiling Mobile Applications
Protections from Mobile Malware
4. DEVICE ACQUISITION
When we talk about mobile forensic acquisition there are several methodologies, ordered roughly by depth of access and invasiveness:
Physical
With Boot Loader / root / jail break
Logical
Logical with applet
File System
JTAG
Chip-Off
6. MAGNET ACQUIRE
Allows acquisition of Android & iOS mobile devices
As well as HDs & USB mass storage devices
Physical & Logical acquisition methods available
Android:
Rooting is available for Android devices (a root/bootloader-level foothold is what a full physical image needs)
For logical acquisition it runs an applet on the device (alongside an ADB backup)
iOS:
iTunes backup, with some additional acquisition techniques, to obtain both
native and third-party data
Full extraction for jailbroken devices
7. iTUNES BACKUPS
iOS device backups through Apple iTunes (Windows & OSX)
Windows
\Users\user_name\AppData\Roaming\Apple Computer\MobileSync\Backup
OSX
~/Library/Application Support/MobileSync/Backup/
An iTunes backup is a folder, not a single archive: every file is stored under the SHA-1 hash of its domain and relative path, and the manifest (Manifest.mbdb, or Manifest.db from iOS 10) maps those hashes back to the original paths
Backups delivered by acquisition tools are often packaged as a ZIP of that folder, which can be extracted with commodity tools such as 7-Zip
If the backup is password-protected the file contents are encrypted (the keybag in Manifest.plist needs the backup password), but an encrypted backup also holds data an unencrypted one omits, such as the keychain
Santoku also features an iPhone Backup Analyzer
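Worked example (added here, not part of the original deck): computing the hash-style file names inside an iTunes backup and locating well-known artefacts by them. The hashing rule is how iTunes names backup files and the two-character subfolder lookup is how Manifest.db-era backups are laid out; the artefact table is constructed for this example and is not something the slide lists.

```python
import hashlib
import os

# Well-known domain/path pairs inside an iOS backup. The table itself is an
# assumption for this example; the hashing rule is how iTunes names the files.
WELL_KNOWN = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "calls": ("WirelessDomain", "Library/CallHistory/call_history.db"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """iTunes stores each file as SHA-1("<domain>-<relative path>") in hex."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def locate(backup_dir: str, domain: str, relative_path: str):
    """Return the on-disk path of a file in the backup, or None if absent.

    Pre-iOS 10 backups keep every hash-named file flat in the backup folder;
    iOS 10+ (Manifest.db) backups shard them into 256 two-hex-digit subfolders.
    """
    fid = backup_file_id(domain, relative_path)
    for candidate in (os.path.join(backup_dir, fid), os.path.join(backup_dir, fid[:2], fid)):
        if os.path.isfile(candidate):
            return candidate
    return None


def triage(backup_dir: str) -> dict:
    """Map each well-known artefact name to its backup path (or None)."""
    return {name: locate(backup_dir, dom, rel) for name, (dom, rel) in WELL_KNOWN.items()}


if __name__ == "__main__":
    import sys
    for name, path in triage(sys.argv[1]).items():
        print(f"{name:10s} {path or 'not in backup'}")
```

Point the script at the Backup/<UDID> folder; a missing artefact usually means the backup was taken with that data excluded or encrypted rather than that the hash is wrong.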
8. Android Debug Bridge (ADB)
Can be used (with USB debugging enabled under Developer options) to create a file system backup
1. adb start-server
2. adb devices
3. adb backup -apk -obb -shared -all
Output defaults to backup.ab in the current directory: a short text header followed by a zlib-compressed tar stream (AES-256 encrypted instead if a backup password was set on the device)
If the device is not rooted, apps that set android:allowBackup="false" are skipped, so not all application databases/secure files are captured
ADB available for OSX, Windows & Linux
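Worked example (added; not from the deck or from the ADB tool itself): what to do with the backup.ab that adb backup writes. The file is a four-line text header followed by a zlib-compressed tar stream; the script parses the header, refuses password-protected (AES-256) backups, and inflates the rest into a tar that standard tools can unpack. The sample backup and the package name com.example.chat are constructed for the test.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"


def ab_header(ab: bytes) -> dict:
    """Parse the text header of an 'adb backup' file.

    Layout: magic line, format version, compression flag (1 = zlib deflate),
    encryption algorithm ("none" or "AES-256"), each newline-terminated,
    then the payload.
    """
    if not ab.startswith(AB_MAGIC):
        raise ValueError("missing ANDROID BACKUP magic")
    parts = ab.split(b"\n", 4)            # at most 4 splits: the payload keeps its own newlines
    if len(parts) != 5:
        raise ValueError("truncated header")
    _, version, compressed, encryption, payload = parts
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "payload": payload,
    }


def ab_to_tar(ab: bytes) -> bytes:
    """Return the tar stream inside an unencrypted .ab file."""
    hdr = ab_header(ab)
    if hdr["encryption"] != "none":
        # A password-protected backup carries PBKDF2 salts, a round count, an IV and a
        # wrapped master key in further header lines; decrypting it is out of scope here.
        raise ValueError(f"encrypted backup ({hdr['encryption']}): backup password required")
    payload = hdr["payload"]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_backup(ab: bytes) -> list:
    """Member names inside the backup, e.g. apps/<package>/db/<database>."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab)), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab() -> bytes:
    """Constructed sample: one app database laid out the way adb backup does it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        data = b"SQLite format 3\x00" + b"\x00" * 16      # fake database header
        info = tarfile.TarInfo("apps/com.example.chat/db/messages.db")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return AB_MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(ab_to_tar(src.read()))   # then: tar xf backup.tar
```

Run as `python ab2tar.py backup.ab backup.tar`; the app databases land under apps/<package>/db/ and come out with whatever -wal or -journal companions were on the device at backup time.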
9. LOCK BYPASSES
Santoku Linux features an Android brute-force script for dealing with PIN locks
Android gesture lock bypass via ADB (requires a root shell on the device)
Gesture pattern stored in /data/system/gesture.key (up to Android 5.x) as an unsalted SHA-1 of the swiped cell indices; Android 6.0+ keeps it in gatekeeper.pattern.key under the Gatekeeper service instead
adb shell rm /data/system/gesture.key
iPhone PIN bypass
Vulnerabilities in iOS that allow Siri to be used to get into the device
https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html
Depending on the device and iOS version, brute-force scripts are available for breaking the PIN/passcode
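Worked example (added; not the Santoku script the slide refers to): why removing gesture.key works and why the file is weak even when you cannot delete it. Android up to 5.x stores the pattern as an unsalted SHA-1 of the swiped cell indices, so a copy of the 20-byte file cracks in seconds. The pattern used in the demonstration is constructed; the search ignores Android's rule against skipping over an unvisited dot, so it tests a superset of the valid patterns.

```python
import hashlib
from itertools import permutations


def gesture_hash(pattern) -> bytes:
    """How Android (up to 5.x) fills gesture.key: SHA-1 over the raw cell indices,
    one byte per dot (0..8, row-major), with no salt and no iteration."""
    return hashlib.sha1(bytes(pattern)).digest()


def crack_gesture_key(key: bytes, min_len: int = 4, max_len: int = 9):
    """Recover the swipe pattern from the 20-byte gesture.key by exhaustive search.

    Android forbids revisiting a dot, which permutations() already honours; we
    ignore its 'cannot skip over an unvisited dot' rule, so the candidate set
    (about 985k patterns) is a superset of the valid ones and the real pattern
    is always among them.
    """
    if len(key) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes (raw SHA-1)")
    for length in range(min_len, max_len + 1):
        for cand in permutations(range(9), length):
            if gesture_hash(cand) == key:
                return list(cand)
    return None


def render(pattern) -> str:
    """Draw the 3x3 grid with the swipe order, '.' for untouched dots."""
    order = {cell: str(i + 1) for i, cell in enumerate(pattern)}
    return "\n".join(" ".join(order.get(r * 3 + c, ".") for c in range(3)) for r in range(3))


if __name__ == "__main__":
    import sys
    # Typical source: adb shell (as root) cat /data/system/gesture.key > gesture.key
    with open(sys.argv[1], "rb") as f:
        found = crack_gesture_key(f.read())
    print(render(found) if found else "no pattern matched")
```

Cracking rather than deleting keeps the evidence intact and gives you the pattern itself, which is often reused for other accounts; deletion is the fallback when the file cannot be copied off.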
10. APPLICATION DATABASES
Both Android and iOS rely on SQLite databases to store pertinent system data
Most installed applications also keep one or more SQLite databases, web browsers included
SQLite is an open source database format and there are many viewers available to examine the underlying table data
SQLiteQ
Firefox SQLite DB Viewer extension
SQLite Studio
SQLite database files
Primary data file (.db)
Rollback journal (.db-journal): copies of pages as they were before the transaction in progress
Write-ahead log (.db-wal): committed pages not yet checkpointed into the main file
Shared memory file (.db-shm) indicates WAL mode
Always collect the -wal and -journal files together with the .db and open them as a set; opening the .db alone silently loses the un-checkpointed changes in the WAL, and opening the set with a writable connection can checkpoint the WAL into the main file, so work on copies
11. EXTRACTING THE MOST FROM DATABASES
Automated tools:
Only support some databases
Only examine some table data (not all tables)
Do not always examine WAL or Journal files
Example
Android device: an automated forensics suite extracted data from the Chrome History SQLite database, pulling rows from the "urls" table but completely missing the "visits" table. Not only did "visits" provide more records (one row per visit rather than one per URL), it provided more metadata to report on (e.g. visit duration is only recorded in the "visits" table).
A simple SQL INNER JOIN will extract the data sensibly, but the join must follow the foreign key (visits.url to urls.id in Chrome, history_visits.history_item to history_items.id in Safari) rather than pairing the two tables' unrelated id columns
Chrome History
SELECT * FROM urls INNER JOIN visits ON urls.id = visits.url
Safari History
SELECT * FROM history_items INNER JOIN history_visits ON history_items.id = history_visits.history_item
Timestamps need converting before reporting: Chrome stores microseconds since 1601-01-01 (WebKit epoch), Safari seconds since 2001-01-01 (Mac absolute time)
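Worked example (added; not code from the deck): the Chrome join keyed on visits.url and the Safari join run against constructed copies of the two schemas, with the timestamps converted (Chrome stores microseconds since 1601-01-01, Safari seconds since 2001-01-01) and the row count of a join on the unrelated id columns shown for comparison. The sample rows and URLs are constructed; the real tables have more columns than the ones created here.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome: microseconds since 1601-01-01
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)     # Safari: seconds since 2001-01-01


def webkit_time(us: int) -> str:
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def mac_time(seconds: float) -> str:
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()


# visits.url is the foreign key into urls.id; joining on visits.id instead pairs
# unrelated rows and drops every visit whose id has no matching urls.id.
CHROME_SQL = """
SELECT urls.url, urls.title, visits.visit_time, visits.visit_duration
FROM visits INNER JOIN urls ON visits.url = urls.id
ORDER BY visits.visit_time
"""
CHROME_WRONG_SQL = "SELECT COUNT(*) FROM urls INNER JOIN visits ON urls.id = visits.id"

SAFARI_SQL = """
SELECT history_items.url, history_visits.title, history_visits.visit_time
FROM history_visits INNER JOIN history_items ON history_visits.history_item = history_items.id
ORDER BY history_visits.visit_time
"""


def chrome_visits(conn) -> list:
    """One row per visit, with the WebKit timestamp and duration made readable."""
    return [
        {"url": url, "title": title, "visited": webkit_time(t), "duration_s": dur / 1e6}
        for url, title, t, dur in conn.execute(CHROME_SQL)
    ]


def chrome_wrong_join_count(conn) -> int:
    """How many rows the id=id join returns; compare with len(chrome_visits())."""
    return conn.execute(CHROME_WRONG_SQL).fetchone()[0]


def safari_visits(conn) -> list:
    return [{"url": url, "title": title, "visited": mac_time(t)}
            for url, title, t in conn.execute(SAFARI_SQL)]


def sample_chrome():
    """Constructed History with just the columns the queries need."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.org/login', 'Login', 3, 13200000180000000);
        INSERT INTO urls VALUES (2, 'https://example.net/', 'Example', 1, 13200000060000000);
        INSERT INTO visits VALUES (1, 1, 13200000000000000, 0, 45000000);
        INSERT INTO visits VALUES (2, 2, 13200000060000000, 1,  5000000);
        INSERT INTO visits VALUES (3, 1, 13200000120000000, 0, 12000000);
        INSERT INTO visits VALUES (4, 1, 13200000180000000, 0,        0);
    """)
    return conn


def sample_safari():
    """Constructed History.db with just the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.org/', 1);
        INSERT INTO history_visits VALUES (1, 1, 600000000.0, 'Example Domain');
    """)
    return conn
```

Against the constructed data the correct join yields four visits for two URLs while the id=id join yields two, which is exactly the kind of silent under-reporting the slide describes. Swap `sqlite3.connect(":memory:")` for a path to a copied History file to run the same queries on evidence.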
12. RECOVERING DELETED RECORDS FROM DBS
Python scripts to recover deleted entries from the main SQLite database file (deleted rows linger in free space inside pages and on freed pages until overwritten)
Including a GUI version, built with Portable Python
Perl script to recover deleted entries from the .db-journal component of SQLite databases (the journal holds pre-transaction copies of pages, so a record deleted in the last transaction is still whole there)
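Worked example (added; not the scripts the slide mentions): a minimal carver for deleted SQLite records that reads the database file directly, using only the file-format header fields: the unallocated gap on each b-tree page, the in-page freeblock chain that DELETE leaves behind, and pages sitting on the freelist. The demo() database and its messages are constructed. With secure_delete enabled SQLite zeroes freed cells and nothing is recoverable this way, which is why the demo switches it off; the script reads only the main file, and journal and WAL files have their own framing that is not handled here.

```python
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")   # ASCII runs; widen for UTF-16 artefacts if needed
# b-tree page type -> page header length (interior pages carry a 4-byte right-child pointer)
BTREE_PAGE_TYPES = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def _strings(label, chunk):
    return [(label, s.decode("ascii")) for s in PRINTABLE.findall(chunk)]


def carve_slack(db: bytes) -> list:
    """Printable strings from space SQLite no longer treats as live data:
    the unallocated gap on each b-tree page, in-page freeblocks left behind by
    DELETE, and whole pages sitting on the freelist. Returns (where, text) pairs."""
    if not db.startswith(b"SQLite format 3\x00"):
        raise ValueError("not a SQLite 3 database")
    page_size = _u16(db, 16)
    if page_size == 1:
        page_size = 65536
    found = []

    # Freelist: header offset 32 = first trunk page; trunk = [next trunk][count][leaf page numbers]
    free_pages = set()
    trunk = _u32(db, 32)
    while trunk and trunk not in free_pages:
        free_pages.add(trunk)
        base = (trunk - 1) * page_size
        count = _u32(db, base + 4)
        free_pages.update(_u32(db, base + 8 + 4 * i) for i in range(count))
        trunk = _u32(db, base)

    for pg in range(1, len(db) // page_size + 1):
        page = db[(pg - 1) * page_size:pg * page_size]
        if pg in free_pages:
            found += _strings(f"freelist page {pg}", page)
            continue
        hdr = 100 if pg == 1 else 0          # page 1 starts with the 100-byte file header
        hdr_len = BTREE_PAGE_TYPES.get(page[hdr])
        if hdr_len is None:
            continue                         # overflow, lock-byte or pointer-map page
        first_free = _u16(page, hdr + 1)
        n_cells = _u16(page, hdr + 3)
        content_start = _u16(page, hdr + 5) or 65536
        # Gap between the end of the cell pointer array and the start of cell content
        found += _strings(f"page {pg} unallocated", page[hdr + hdr_len + 2 * n_cells:content_start])
        # Freeblock chain: 2-byte next pointer, 2-byte total size, then the stale cell bytes
        seen = set()
        while first_free and first_free not in seen:
            seen.add(first_free)
            size = _u16(page, first_free + 2)
            found += _strings(f"page {pg} freeblock@{first_free}", page[first_free + 4:first_free + size])
            first_free = _u16(page, first_free)
    return found


def demo() -> list:
    """Constructed case: three chat rows, the middle one deleted before 'seizure'."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")   # some distro builds default this ON and zero freed cells
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        conn.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", [
            ("alice", "Alpha live message that is still in the table"),
            ("mallory", "Bravo message that the suspect deleted before seizure"),
            ("bob", "Charlie live message that is also still present"),
        ])
        conn.commit()
        conn.execute("DELETE FROM messages WHERE sender = 'mallory'")
        conn.commit()
        conn.close()
        with open(path, "rb") as f:
            return carve_slack(f.read())
```

The recovered text carries a few record-header bytes in front of it (the serial-type bytes of the deleted row), which is why matching is done on substrings; a full parser would decode those header bytes to rebuild the row's columns.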
13. 3RD PARTY IM DECRYPTION - WECHAT
WeChat uses the SQLCipher encryption scheme to protect chat messages
EnMicroMsg.db stores messages/chat history
The SQLCipher key is derived from the IMEI of the device and the unique identifier (UIN) registered with WeChat
The UIN is the default_uin value in the system_config_prefs.xml file in the WeChat application folder
Calculate the MD5 hash of the IMEI number followed by the UIN, then use the first 7 hex characters as the SQLCipher key
E.g. if IMEI = 358711000000001 and UIN = 1234567890
Then calculate the MD5 of 3587110000000011234567890
ee130f28c26387b09ce7c2ec2df21efc
The first 7 characters, ee130f2, are the SQLCipher key
Once the decryption key is generated the SQLite database can be decrypted with many tools, including SQLite Studio, where you can manually add the SQLCipher decryption key
14. 3RD PARTY IM DECRYPTION - WHATSAPP
On Android devices WhatsApp backs up chat databases to the SD card (if available) at
/WhatsApp/Databases/msgstore.db.crypt
Later versions append a scheme number to the suffix (.crypt7, .crypt8, .crypt12); the key for those lives in the app's private directory, /data/data/com.whatsapp/files/key, which ordinary users cannot read
The SQLite databases are encrypted but can be decrypted using the following methodology:
1. Enable ADB & USB debugging on the device, connect the device to the computer
2. Run WhatsApp Key Extractor on the computer
This extracts the decryption key from WhatsApp
3. Use WhatsApp Viewer to open the encrypted database and provide the decryption key
This generates a decrypted SQLite database that can be opened with any SQLite tool
15. MOBILE MALWARE
If fortunate enough to have a binary acquisition you can mount the file system to scan for malware
AccessData MPE has similar functionality to FTK Imager that lets you mount these mobile forensic images and interpret the underlying file system
Once mounted it can be scanned with 3rd party AV tools
Santoku also features Android & iOS file system support
YAFFEY for mounting/reading yaffs2
Various online mobile malware scanning services are available
NVISO ApkScan (API is available)
OPSWAT MetaDefender
If wary of uploading apps to these services (they may be case-sensitive or contain victim data), hash the APK/IPA and look the hashes up in an online service such as VirusTotal or MetaDefender
A hash lookup only finds samples that have already been submitted; a repackaged or freshly built malicious app has a unique hash and will return no result, so "not found" is not "clean"
17. DECOMPILING MOBILE APPLICATIONS
Android APKs & iOS IPAs are just ZIP archives, and can be opened with 7-Zip or similar
To delve deeper into these apps you need to decompile/analyse
them
Determine the permissions allowed by the application
Determine what remote communications are made by the
application
Determine what functions are called by the application
18. DECOMPILING MOBILE APPLICATIONS – APK
AndroidManifest.xml
Declares the permissions the application requests and the components it exposes; inside the APK it is stored as binary XML and must be decoded before it is readable
classes.dex is a Dalvik Executable file
dex2jar converts it to a JAR of Java class files, which a Java decompiler can turn back into readable source
Included in Santoku Linux, but can be downloaded for Windows
The converted JAR can be opened in 7-Zip, analysed etc.
APKAnalyser – Sony Mobile (open source) Android APK analysing framework
The Dalvik bytecode can also be disassembled/analysed directly in radare2
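Worked example (added; not the deck's tools): pulling the string table straight out of classes.dex and checking the header's adler32 checksum and SHA-1 signature, which a repacked or binary-patched dex fails unless whoever modified it regenerated them. The string table is where URLs, hostnames and sensitive API names (the "remote communications" and "functions called" from the previous slide) show up before any decompilation. Assumptions: the dex format 035 header layout, MUTF-8 treated as plain UTF-8 (exact for ASCII), and a constructed sample dex that holds only a string table (it would not load on a device).

```python
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _u4(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _read_uleb128(buf, off):
    result = shift = 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7


def verify_dex(dex: bytes) -> bool:
    """Header integrity: adler32 over everything after the checksum field, and
    SHA-1 over everything after the signature field. A repacked classes.dex with
    a stale header fails here before any parsing happens."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != _u4(dex, 8):
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != dex[12:32]:
        raise ValueError("SHA-1 signature mismatch")
    return True


def is_intact(dex: bytes) -> bool:
    try:
        return verify_dex(dex)
    except ValueError:
        return False


def dex_strings(dex: bytes) -> list:
    """Walk string_ids (count at 0x38, offset at 0x3C); each entry points at a
    uleb128 UTF-16 length followed by null-terminated MUTF-8 data."""
    verify_dex(dex)
    count, table = _u4(dex, 0x38), _u4(dex, 0x3C)
    out = []
    for i in range(count):
        data_off = _u4(dex, table + 4 * i)
        _utf16_len, p = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", p)
        out.append(dex[p:end].decode("utf-8", "replace"))   # MUTF-8 approximated as UTF-8
    return out


def network_indicators(strings) -> list:
    """URLs embedded as constants: the first place to look for C2 or exfil endpoints."""
    return sorted({m.group(0) for s in strings for m in URL_RE.finditer(s)})


def _uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def build_sample_dex(strings) -> bytes:
    """Constructed minimal dex carrying only a string table (no classes), with a
    correctly computed header so verify_dex() passes."""
    header_size = 0x70
    table_off = header_size
    data_off = table_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    hdr = bytearray(header_size)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<IIII", hdr, 0x20, header_size + len(body), header_size, 0x12345678, 0)
    struct.pack_into("<II", hdr, 0x38, len(strings), table_off)     # string_ids_size / _off
    struct.pack_into("<II", hdr, 0x68, len(data), data_off)         # data_size / data_off
    dex = bytes(hdr) + body
    dex = dex[:12] + hashlib.sha1(dex[32:]).digest() + dex[32:]     # signature first
    return dex[:8] + struct.pack("<I", zlib.adler32(dex[12:]) & 0xFFFFFFFF) + dex[12:]
```

On a real APK, unzip classes.dex (and any classes2.dex, classes3.dex) and pass the bytes to dex_strings(); a verify failure on an app that claims to be an official build is itself a finding.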
19. DECOMPILING MOBILE APPLICATIONS – IPA
App Store IPAs are encrypted with Apple's FairPlay DRM, so you need to decrypt them before analysis (enterprise- or ad-hoc-signed apps are not FairPlay encrypted)
Requires a jailbroken device
Clutch
Dumps the decrypted binary from memory and creates a decrypted IPA file (ZIP archive)
Needs to be run on the specific iOS device where the app is installed
otool
Can be used to inspect the Mach-O binary and list its linked libraries and symbols
radare2 for disassembly and further analysis
20. PROTECTIONS FROM MOBILE MALWARE
Do not jailbreak or root your device
Do not allow apps from outside the store to be installed (Android "Unknown sources"; untrusted developer/enterprise profiles on iOS)
Only download/purchase apps from authorised/legitimate stores (Google Play, Apple App Store)
Pay attention to what you download/install, don't fall for lookalike apps
Threat actors will modify legitimate apps to inject them with malware, e.g. using:
MSFVenom
APKinjector
XcodeGhost – a trojanised copy of Apple's Xcode IDE that injected malware into otherwise legitimate iOS apps at build time