Via forensics thotcon-2013-mobile-security-with-santoku-linux
- 1. *
© Copyright 2013 viaForensics, LLC. Proprietary Information.
Mobile security, forensics & malware
analysis with Santoku Linux
- 2.
IN MEMORY OF
Alois Charles Hoog, Sr.
(1920 - 2013)
Husband
Father of 5
Grandfather of 12
Great Grandfather of 9
United States Army Air Corps (Retired)
And a true Master Craftsman
that any Geek
would be proud to call Grandpa
We will miss you dearly.
- 3.
PRESENTER
Andrew Hoog (CEO/Co-Founder)
Andrew is a published author, computer scientist, and mobile
forensic/security researcher. He has several patents pending and does
frequent presentations/briefings.
Additionally
He participated in many hack(y sack) circles in college instead of classes
- 4.
VIAFORENSICS OVERVIEW
viaForensics is a mobile security company
founded in 2009.
Bootstrapped with ~40 employees and a
10 person dedicated mobile security R&D team
Some of our f/oss:
YAFFS2 in TSK
AFLogical OSE
Santoku Linux
...
- 6.
SANTOKU - WHY?
[Bar chart: units shipped (millions) by device type, Desktop PC, Portable PC, Tablet and Smartphone, for 2012 (total 1,201.1) and 2017 projected (total 2,250.3); y axis 200 to 1600]
- 8.
SANTOKU - HOW?
—
Install Lubuntu 12.04 (precise) x86_64
—
Santoku-ize it
- 9.
You should get (after reboot)
- 10.
A Different Kind of Hacking
- 11.
The History of Footbag
The concept behind footbag – intercepting an
object in flight and keeping it airborne by using all
parts of the body except the hands and arms is
not a new idea.
Rather, as surprising as it may seem, the roots of
our modern-day kicking game are to be found in
ancient Eastern cultures.
Shown here are people playing Sepak Takraw in
the streets of Malaysia.
- 13.
FORENSIC ACQUISITION TYPES

Logical
  Description: read device data via backup, API or other controlled access to data
  Use cases: fast; data generally well structured
  Challenges: often very limited access to data; usually requires the passcode (an unlocked device)

File system
  Description: copy of the files of the file system
  Use cases: more data than logical; re-creating an encrypted file system
  Challenges: requires additional access to the device; many file-system files are not responsive (relevant) to a case

Physical
  Description: bit-by-bit copy of the physical storage
  Use cases: most forensically sound technique; increases the chance of recovering deleted data
  Challenges: you cannot pull the "hard drive" on a mobile device; the flash translation layer (FTL) may not expose bad blocks
- 14.
iOS Logical
—
Connect device (enter PIN if needed)
—
idevicebackup2 backup <backup dir>
—
idevicebackup2 unback <backup dir>
—
View the backup or the unpacked backup
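Before the unback step, the raw backup directory is a flat pile of hashed file names, so finding a particular app's files means knowing how idevicebackup2 (and iTunes) name them. The following is an added example written for this page, not viaForensics or libimobiledevice code. It assumes each backed-up file is stored under the hex SHA-1 of "<domain>-<relative path>" (with the two-character sub-directory of newer iOS backups as a fallback), and the backup it scans is constructed in a temporary directory rather than taken from a device.

```python
"""Locate an app's files inside a raw idevicebackup2 / iTunes backup.

Added example for this page (not viaForensics or libimobiledevice code).
Assumption: each backed-up file is stored under the hex SHA-1 of
"<domain>-<relative path>", e.g. "AppDomain-com.anydo.AnyDO-Library/...".
The backup directory used below is constructed, not a real device backup.
"""
import hashlib
import os
import tempfile


def backup_name(domain: str, rel_path: str) -> str:
    """Name the backup uses for domain/rel_path (SHA-1 of 'domain-path')."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def app_domain(bundle_id: str) -> str:
    """Third-party app sandboxes live in the 'AppDomain-<bundle id>' domain."""
    return f"AppDomain-{bundle_id}"


def locate(backup_dir: str, domain: str, rel_path: str):
    """Return the on-disk path of domain/rel_path, or None if not backed up.

    Checks the flat layout first, then the iOS 10+ layout where the file is
    placed in a sub-directory named after the first two hex characters.
    """
    name = backup_name(domain, rel_path)
    for candidate in (os.path.join(backup_dir, name),
                      os.path.join(backup_dir, name[:2], name)):
        if os.path.isfile(candidate):
            return candidate
    return None


def build_demo_backup() -> str:
    """Constructed backup: three files written under their hashed names."""
    root = tempfile.mkdtemp(prefix="demo_backup_")
    contents = {
        (app_domain("com.anydo.AnyDO"),
         "Library/Preferences/com.anydo.AnyDO.plist"): b"bplist00",
        (app_domain("com.anydo.AnyDO"), "Documents/tasks.db"): b"SQLite format 3\x00",
        ("HomeDomain", "Library/SMS/sms.db"): b"SQLite format 3\x00",
    }
    for (domain, rel), data in contents.items():
        with open(os.path.join(root, backup_name(domain, rel)), "wb") as fp:
            fp.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_backup()
    for domain, rel in [(app_domain("com.anydo.AnyDO"),
                         "Library/Preferences/com.anydo.AnyDO.plist"),
                        ("HomeDomain", "Library/SMS/sms.db"),
                        ("HomeDomain", "Library/Notes/notes.sqlite")]:
        print(f"{domain}-{rel} -> {locate(root, domain, rel)}")
```

The well-known hash for the SMS database (HomeDomain, Library/SMS/sms.db) comes out as 3d0d7e5fb2ce288813306e4d4636395e047a3d28, which is a quick sanity check that the naming assumption holds for the backup in front of you.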
- 16.
iPhone Backup Analyzer
- 17.
The History of Footbag
While the cooperative kicking sport has ancient origins in China, Thailand, Native America and nearly every other country, Hacky Sack or Footbag, as we know it today, is a modern American sport invented in 1972 by John Stalberger and Mike Marshall of Oregon City, Oregon.
Marshall had created a hand-made bean bag that he was kicking around. Stalberger was recovering from knee surgery and was looking for a fun way to exercise his knees.
Together, they called the new game "Hackin' the Sack." The two decided to
collaborate and market their new game under the trademark of "Hacky Sack®".
Mike Marshall died of a heart attack in 1975, at the age of twenty-eight. John
Stalberger continued with the "Hacky Sack" cause and formed the National
Hacky Sack Association. He later sold the rights for the Hacky Sack® Footbag
to Kransco (operating under the Wham-O label), which also manufactured the
Frisbee flying disc.
- 18.
Android Logical
—
AFLogical OSE
https://github.com/viaforensics/android-forensics
—
Reads Content Providers
—
Push to phone, run, store on SD Card
—
Pull CSVs to Santoku for review
- 20.
Install, run, extract
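Once the CSVs are pulled back to Santoku, the first useful step is usually to put the providers on one clock. The following is an added example written for this page, not part of AFLogical OSE. It assumes AFLogical writes one CSV per content provider with the provider's own column names as the header row, and that Android stores provider timestamps as milliseconds since the Unix epoch in a `date` column (as the SMS and call-log providers do); the rows it parses are constructed.

```python
"""Build a timeline from AFLogical OSE CSV exports pulled to Santoku.

Added example for this page, not part of AFLogical OSE. Assumptions: AFLogical
writes one CSV per content provider using the provider's column names as the
header, and Android stores provider timestamps as milliseconds since the Unix
epoch in columns such as "date". The CSV rows below are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# First matching column supplies the event time for a row.
DATE_COLUMNS = ("date", "date_sent", "last_time_contacted")

# Android provider constants (Telephony.Sms.MESSAGE_TYPE_* and CallLog.Calls.*_TYPE).
SMS_TYPES = {"1": "inbox", "2": "sent", "3": "draft"}
CALL_TYPES = {"1": "incoming", "2": "outgoing", "3": "missed"}


def ms_to_iso(ms) -> str:
    """Convert a millisecond epoch value to an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).isoformat()


def describe(source: str, row: dict) -> str:
    """One-line summary per source; unknown sources fall back to the raw row."""
    if source == "SMS":
        kind = SMS_TYPES.get(row.get("type"), row.get("type"))
        return f"SMS {kind} {row.get('address')}: {row.get('body')}"
    if source == "CallLog Calls":
        kind = CALL_TYPES.get(row.get("type"), row.get("type"))
        return f"call {kind} {row.get('number')} ({row.get('duration')}s)"
    return f"{source}: {row}"


def events_from_csv(source: str, text: str):
    """Yield (epoch_ms, source, row) for every row that carries a timestamp."""
    for row in csv.DictReader(io.StringIO(text)):
        for col in DATE_COLUMNS:
            if row.get(col, "").strip().isdigit():
                yield int(row[col]), source, row
                break


def build_timeline(exports: dict) -> list:
    """Merge all CSVs into one chronologically sorted list of (iso, summary)."""
    events = [e for name, text in exports.items() for e in events_from_csv(name, text)]
    events.sort(key=lambda e: e[0])
    return [(ms_to_iso(ms), describe(src, row)) for ms, src, row in events]


# Constructed sample of what `adb pull` brings back from the SD card.
DEMO_EXPORTS = {
    "SMS": (
        "_id,address,date,type,body\n"
        "1,+15555550100,1362179700000,1,Meeting at 3?\n"
        "2,+15555550100,1362096000000,2,On my way\n"
    ),
    "CallLog Calls": (
        "_id,number,date,duration,type\n"
        "7,+15555550199,1362180000000,42,2\n"
    ),
    # No date column here, so these rows never become events.
    "Contacts Phones": "_id,display_name,number\n3,Alice,+15555550100\n",
}

if __name__ == "__main__":
    for when, what in build_timeline(DEMO_EXPORTS):
        print(when, what)
```

Timestamps are kept in UTC on purpose; convert to the device's local zone only when you report, and record which zone you used.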
- 21.
The Benefits of Hacking to Hackers
What do most hackers do while they're
hacking?
They sit!
You don't need a Ph.D. in physiology or biomechanics to know that spending 8-16 hours in a chair is bad for you.
- 22.
The Benefits of Hacking to Hackers
Hacky Sack:
Is Cooperative {much more fun in groups}
Is Legit Exercise {it will get your blood flowing}
Improves overall coordination
Can be played almost anywhere
Requires virtually no equipment other than the sack
- 25.
APP SELECTION
Apps were selected based on popularity, number of downloads, or potential sensitivity of data.
Approximately 50 apps have been reviewed and organized into categories:

Category            # apps reviewed
Finance             10
Lifestyle           11
Productivity         6
Travel               5
Social Networking    6
Security             6
Other                6
- 26.
APP TESTING RESULTS
[Bar chart: % of apps with issues, categories Stored Username, Stored Password, Medium or High Risk (other risks) and Failed MITM; y axis to 100%; bar values as extracted, in that order: ~80%, ~30%, ~50%, ~15%]
- 28.
The "Rules" of Hacking
1. Cannot serve to self
2. Cannot say, "Sorry"
3. Cannot use hands
A Hack is one complete time around the circle
- 29.
Any.DO
—
Business and personal task management app
iOS and Android
—
Millions of users
—
Many vulnerabilities, no response from company
—
https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html
- 30.
Any.DO Analysis - Forensics
—
Locate Any.DO app directory
<path-to-backup>/var/mobile/Applications/com.anydo.AnyDO
—
Examine binary plist file (Library/Preferences)
file com.anydo.AnyDO.plist -> Apple binary property list
—
Convert binary plist
plutil -i com.anydo.AnyDO.plist -o com.anydo.AnyDO.plist.xml
—
vi com.anydo.AnyDO.plist.xml
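The `file` / `plutil` / `vi` sequence above can be collapsed into one script that decodes the binary plist and lists the keys worth reading first. The following is an added example written for this page, not viaForensics code. Python's plistlib reads both XML and "bplist00" binary property lists, so it stands in for the plutil conversion; the plist it inspects is constructed for the demo and is not the real app's preferences file, and the key names it flags are illustrative choices, not findings about Any.DO.

```python
"""Decode a binary plist and flag keys that look like stored credentials.

Added example for this page, not viaForensics code. Python's plistlib reads
both XML and binary ("bplist00") property lists, so it can stand in for the
plutil conversion step. The plist below is constructed for the demo; it is
not taken from the Any.DO app, and the key names are illustrative only.
"""
import plistlib
import re

# Key names worth a second look in any app's Library/Preferences plist.
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|session|cookie|api[_-]?key|email|user(name)?)", re.I)


def is_binary_plist(data: bytes) -> bool:
    """Same test `file` applies: binary plists start with the bplist00 magic."""
    return data[:8] == b"bplist00"


def to_xml(data: bytes) -> str:
    """Equivalent of `plutil -i in.plist -o out.xml`: re-serialise as XML."""
    return plistlib.dumps(plistlib.loads(data)).decode("utf-8")


def walk(node, path=""):
    """Yield (key path, leaf value) for every scalar in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_sensitive(data: bytes) -> list:
    """Return [(key path, value)] for leaves whose key name matches SENSITIVE_KEY."""
    hits = []
    for path, value in walk(plistlib.loads(data)):   # loads() autodetects the format
        key = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(key):
            hits.append((path, value))
    return hits


# Constructed sample preferences file (NOT the real app's contents).
DEMO_PLIST = plistlib.dumps({
    "syncIntervalMinutes": 15,
    "user": {"email": "alice@example.com", "password": "hunter2"},
    "authToken": "c3VwZXJzZWNyZXQ=",
    "recentTags": ["work", "home"],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print("binary:", is_binary_plist(DEMO_PLIST))
    print(to_xml(DEMO_PLIST))
    for path, value in find_sensitive(DEMO_PLIST):
        print(f"{path} = {value!r}")
```

A plaintext credential in Library/Preferences is the finding class to look for here: that directory is captured by a logical backup, so anyone with the backup (or the unlocked device and a USB cable) gets it without touching the keychain.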
- 31.
Any.DO Analysis - Forensics
- 32.
Any.DO Analysis - Memory
—
SSH into iPhone
iproxy ; ssh
—
Find app PID
ps -ef | grep <app-name>
—
Dump RAM using gdb
Script to extract RAM
—
Extract and analyze
scp ; grep
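A plain `grep` over the dump misses anything the app kept as UTF-16, which is how NSString often holds text in memory, so the final step deserves a slightly smarter scan. The following is an added example written for this page, not viaForensics code, and it does not reproduce the gdb dump script the slide mentions; it assumes the raw dump has already been copied to Santoku, and the dump bytes it scans are constructed.

```python
"""Carve credential-looking strings out of a process memory dump.

Added example for this page, not viaForensics code (the gdb dump script the
slide mentions is not reproduced here). It assumes you already have the raw
dump on Santoku (e.g. via scp) and replaces a plain `grep` with a scan that
also finds UTF-16LE strings, which is how NSString often keeps text in memory.
The dump bytes below are constructed.
"""
import re

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")            # printable runs, 6+ chars
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # same, as UTF-16LE
CREDENTIAL = re.compile(
    r"(password|passwd|pwd|token|secret|authorization|set-cookie)\s*[=:]\s*\S+", re.I)


def extract_strings(dump: bytes) -> list:
    """Return [(offset, encoding, text)] for ASCII and UTF-16LE strings, by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_STR.finditer(dump)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in UTF16_STR.finditer(dump)]
    return sorted(found)


def find_credentials(dump: bytes) -> list:
    """Filter extract_strings() down to entries whose text matches CREDENTIAL."""
    return [entry for entry in extract_strings(dump) if CREDENTIAL.search(entry[2])]


# Constructed dump: a request line, an ASCII secret and a UTF-16LE token
# separated by filler bytes, so the offsets are deterministic.
DEMO_DUMP = (
    b"\x00\x10\x4c\x7f\x8e\x00\x00\x00"
    + b"GET /api/v1/tasks HTTP/1.1\r\n"
    + b"\x00\x00\x00"
    + b"password=hunter2\x00"
    + b"\xde\xad\xbe\xef"
    + "authToken: c3VwZXJzZWNyZXQ=".encode("utf-16-le")
    + b"\x00\x00\xff"
    + b"ab"        # too short to count as a string
)

if __name__ == "__main__":
    for offset, enc, text in find_credentials(DEMO_DUMP):
        print(f"0x{offset:08x} {enc:8s} {text}")
```

Offsets are reported so a hit can be mapped back to the region it came from; a secret that survives in the heap long after the login screen is the thing to document, since that is what a physical dump or a jailbroken device exposes.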
- 33.
Any.DO Analysis - Memory
- 34.
The Kicks and Tricks
- 35.
MOBILE
MALWARE
ANALYSIS
- 36.
Bad News
—
Android malware that masquerades as an innocent advertising network
—
Packaged in many legitimate apps, usually targeting the Russian market
—
Has the ability to download additional apps and prompts the user to install them, posing as "Critical Updates". Uses this mechanism to spread known malware, typically premium-rate SMS fraud.
—
For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
- 37.
apktool
—
apktool is a tool for reverse engineering Android apk files: it disassembles the code to .smali files and also decodes the resources contained in the apk.
—
It can also repackage the applications after you have modified them.
—
We can run it on a Badnews sample:
—
$ apktool d ru.blogspot.playsib.savageknife.apk savage_knife_apktool/
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/santoku/apktool/framework/1.apk
I: Loaded.
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Done.
I: Copying assets and libs…
Source: https://code.google.com/p/android-apktool/
- 38.
apktool -> smali
—
We can grep for known sensitive method calls and strings
—
$ grep -R getDeviceId .
./smali/com/mobidisplay/advertsv1/AdvService.smali: invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
—
$ grep -R BOOT_COMPLETED .
./AndroidManifest.xml: <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
./AndroidManifest.xml: <action android:name="android.intent.action.BOOT_COMPLETED" />
./smali/com/mobidisplay/advertsv1/BootReceiver.smali: const-string v2, "android.intent.action.BOOT_COMPLETED"
- 39.
apktool -> smali
—
We can manually analyze the disassembled smali code provided by apktool.
—
For example, here we see a broadcast receiver that listens for BOOT_COMPLETED intents and reacts to them by starting a service in the application.
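The `grep -R` passes above generalise to a fixed list of indicators run over the whole decoded tree, which is quicker to repeat across the many repackaged apps BadNews was bundled into. The following is an added example written for this page, not viaForensics or apktool code. The decoded directory it scans is constructed in a temp dir to mirror the lines the slides show (getDeviceId in AdvService, BOOT_COMPLETED in the manifest and BootReceiver); the UpdateService file is an illustration of the "install an update" behaviour the Bad News slide describes and is not taken from the sample, and the indicator list is this example's own choice.

```python
"""Triage apktool output: grep the manifest and smali for known indicators.

Added example for this page, not viaForensics or apktool code. It automates
the `grep -R` step over a decoded directory and reports which indicator hit
in which file/line. The tree it scans is constructed below; the UpdateService
file is an illustration and is not taken from the BadNews sample.
"""
import os
import re
import tempfile

# Indicator name -> regex searched line by line in AndroidManifest.xml and *.smali.
INDICATORS = {
    "boot_completed": r"BOOT_COMPLETED",
    "device_id": r"TelephonyManager;->getDeviceId\(",
    "subscriber_id": r"TelephonyManager;->getSubscriberId\(",
    "send_sms": r"SmsManager;->sendTextMessage\(",
    "dynamic_code": r"Ldalvik/system/DexClassLoader;",
    "apk_install": r"application/vnd\.android\.package-archive",
}


def scan_tree(root: str) -> dict:
    """Return {indicator: [(relative file, line number), ...]} for hits under root."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn != "AndroidManifest.xml" and not fn.endswith(".smali"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fp:
                for lineno, line in enumerate(fp, 1):
                    for name, pattern in INDICATORS.items():
                        if re.search(pattern, line):
                            hits.setdefault(name, []).append((rel, lineno))
    for entries in hits.values():        # os.walk order is not stable; sort for reporting
        entries.sort()
    return hits


# Constructed decoded-apk tree (one string per line, so line numbers are explicit).
DEMO_TREE = {
    "AndroidManifest.xml": [
        '<?xml version="1.0" encoding="utf-8"?>',
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ru.blogspot.playsib.savageknife">',
        '    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />',
        '    <application>',
        '        <receiver android:name="com.mobidisplay.advertsv1.BootReceiver">',
        '            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>',
        '        </receiver>',
        '    </application>',
        '</manifest>',
    ],
    "smali/com/mobidisplay/advertsv1/AdvService.smali": [
        '.class public Lcom/mobidisplay/advertsv1/AdvService;',
        '.super Landroid/app/Service;',
        '.method private getImei(Landroid/telephony/TelephonyManager;)Ljava/lang/String;',
        '    .locals 1',
        '    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;',
        '    move-result-object v0',
        '    return-object v0',
        '.end method',
    ],
    "smali/com/mobidisplay/advertsv1/BootReceiver.smali": [
        '.class public Lcom/mobidisplay/advertsv1/BootReceiver;',
        '.super Landroid/content/BroadcastReceiver;',
        '.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V',
        '    .locals 2',
        '    const-string v1, "android.intent.action.BOOT_COMPLETED"',
        '    new-instance v0, Landroid/content/Intent;',
        '    const-class v1, Lcom/mobidisplay/advertsv1/AdvService;',
        '    invoke-direct {v0, p1, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V',
        '    invoke-virtual {p1, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;',
        '    return-void',
        '.end method',
    ],
    "smali/com/mobidisplay/advertsv1/UpdateService.smali": [
        '.class public Lcom/mobidisplay/advertsv1/UpdateService;',
        '.super Landroid/app/Service;',
        '.method private promptInstall(Landroid/net/Uri;)V',
        '    .locals 2',
        '    new-instance v0, Landroid/content/Intent;',
        '    const-string v1, "android.intent.action.VIEW"',
        '    invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V',
        '    const-string v1, "application/vnd.android.package-archive"',
        '    invoke-virtual {v0, p1, v1}, Landroid/content/Intent;->setDataAndType(Landroid/net/Uri;Ljava/lang/String;)Landroid/content/Intent;',
        '    invoke-virtual {p0, v0}, Lcom/mobidisplay/advertsv1/UpdateService;->startActivity(Landroid/content/Intent;)V',
        '    return-void',
        '.end method',
    ],
}


def write_demo_tree() -> str:
    """Write DEMO_TREE to a temp dir laid out like `apktool d` output."""
    root = tempfile.mkdtemp(prefix="apktool_demo_")
    for rel, lines in DEMO_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fp:
            fp.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for name, where in sorted(scan_tree(write_demo_tree()).items()):
        for rel, lineno in where:
            print(f"{name:15s} {rel}:{lineno}")
```

Hits are leads, not verdicts: a boot receiver or an IMEI read is normal in plenty of legitimate apps, so the next step is always to open the smali (or the dex2jar/JD-GUI view) at the reported line and read what is done with the value.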
- 40.
BadNews Malware Sample -> Dex2Jar -> JD-GUI
Contagio MiniDump
Malware Repository
contagiominidump.blogspot.com
- 41.
A LITTLE HELP, PLEASE.
—
HOWTOs
—
New/existing tool development
—
.deb package maintenance
—
Forums, spreading the word
- 42.
https://santoku-linux.com
@SantokuLinux
@viaForensics
DON'T PANIC