Post on 29-Jul-2015
How does the police investigate your device?
2015.06.04 Droidcon Berlin, MARIUS MAILAT
Android forensics
Who is Marius?
• CTO - APPsrise, winner of the Best of Mobile award 2014
• Since 2015 Google Developer Expert - Android
• Trained over 500 developers on Android topics
• Founder of the Android developer community ANDROIDER
Agenda
1. Motivation: why this crazy topic?
2. Android internal platform.
3. Android forensics: how to extract data.
4. Android anti-forensics: how to protect your data.
Why this crazy topic?
I still code Android:
• Android TV
• Android Auto
• Android in digital signage
• Android Wear
Still not convinced?
Hero of the day: the MEIZU MX3 device
Amazing China:
• Claims: 8 million preorders
• Origin: China
• Description: popular Android phone based on Flyme OS
Meizu MX apps' sins: sniffing the phone's web traffic shows the OAuth token and token secret, the user id and user name, and the music-service requests (several of them over plain HTTP):
XXX: https://member.meizu.com/oauth/access_token
XXX: x_auth_sn=351BBJJWLZW3&x_auth_mode=sn_auth
XXX: oauth_token=2d736772c19b250f28dad1090e9b761013089651489596881&oauth_token_secret=86b4a5920134018a52e00814e2303d51&user_id=323817928371&user_name=MariusMailat&new_user=true&flyme=null&isWeak=false
XXX: { "reply":[{"categoryType":0,"id":40002,"imageURL":"http://music.res.meizu.com/fileserver/music_category/12/a1131fd54d174297af1b9ae4a2282546.png","isLeaf":0,"layout":5,"name":"Top Show","numPer":null,"order":100,"resType":1,"resURL":null,"subCategoryCount":0},{"categoryType":0,"id":40013,"imageURL":"http://
XXX: http://open.duomi.com/open/library/suggestion?query=Metal&lc=B9D2DCFA01526C54&conn=wifi
XXX: {"dm_error":0,"error_msg":"操作成功","s":["metallica","metallica fade to black",
XXX: http://collect.music.meizu.com/service/api/syncPlayList.jsonp updateNanoTime=0&playlist=%5B%5D
XXX: { "reply":{"code":200,"message":null,"redirect":null,"value":[{"bigCoverUrl":null,"coverUrl":null,"createTime":new Date(1401834057906),"descriptor":"","entityLastUpdate":0,"hot":0,"id":1521299,"lastPublishTime":null,"midCoverUrl":null,"name":"我的爱","nickName":"MariusMailat"
("操作成功" is Chinese for "operation successful"; "我的爱" is the playlist name "my love".)
Android internal platform
BINDER (object-oriented OS IPC)
• Initially developed for BeOS, later used by Palm (which acquired BeOS)
• Most of the Android infrastructure (system services) is built on Binder
• Binder is lightweight and high-performance
• Bound services are "garbage collected" when no longer in use
• Remote (service) method calls are synchronous: it feels like a plain function call, even though it is IPC
• Services are defined/exposed via AIDL
ASHMEM (anonymous shared memory)
• Reference-counted, virtually mapped, named memory block shared between processes, which the kernel is allowed to free
• Similar to POSIX SHM but with different behaviour and a simpler, file-based API (POSIX SHM does not allow the kernel to free shared memory)
• Android uses ashmem to share resources and minimise redundancy across processes
• The kernel can discard unused shared blocks when under memory pressure
• Represented in the Java layer as android.os.MemoryFile
Ashmem from native code (ashmem_create_region() comes from libcutils):
#include <sys/mman.h>
#include <cutils/ashmem.h>

int size = 4096;
void *data = NULL;
int fd = ashmem_create_region("MySharedRegionName", size);
if (fd >= 0) {
    data = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (data != MAP_FAILED) {
        /* the name is only a label (it shows up in /proc/<pid>/maps);
           no other process can look the region up by that name */
        /* instead, to share this memory, we send fd via Binder IPC to another
           process; that process then mmap()'s it the same way in order to
           access the shared memory */
    }
}
ANDROID INIT STARTUP
After the kernel has loaded, process 1 (/init) is created. It:
• Starts ueventd
• Initializes the system clock and logger
• Sets up the global environment
• Sets up the file system (mount points and symbolic links)
• Configures kernel timeouts and the scheduler
• Configures process groups
• Creates a basic directory structure on /data and applies permissions
• Applies permissions on /cache
• Applies permissions on certain /proc entries
• Initializes the local network (i.e. localhost)
• Configures the parameters for the low memory killer
• Applies permissions for system_server and daemons
• Defines TCP buffer sizes for various networks
• Configures and (optionally) loads various daemons (i.e. services): ueventd, console, adbd, servicemanager, vold, netd, debuggerd, rild, zygote (which in turn starts system_server), mediaserver, bootanimation (one time), various Bluetooth daemons (like dbus-daemon, bluetoothd, etc.), installd, racoon, mtpd, keystore
Bored already?
ANDROID CONFERENCE DIALER
Q1 (Pavel): write your own dialer with conferencing in one click.
Response: Not really so easily doable, but then again, maybe there is a way for everything?
Via https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/InCallPresenter.java
CallCommandClient.getInstance().merge();
brings you to https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallCommandClient.java
and this is using the AIDL https://android.googlesource.com/platform/packages/services/Telephony/+/master/common/src/com/android/services/telephony/common/ICallCommandService.aidl
You can now try to control https://android.googlesource.com/platform/packages/apps/InCallUI/+/master/src/com/android/incallui/CallHandlerService.java
WHAT IS ANDROID FORENSICS?
The use of science and technology to investigate and establish facts in criminal or civil courts of law. Deciding some disputes requires the use of physical evidence.
Motivation?
WHAT IS WRONG WITH THIS PICTURE?
(The tampered photo of Abel Yenukidze.)
"Every contact leaves a trace."
Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him.
All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment.
It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.
Dr. Edmund Locard (1877-1966)
ANDROID FORENSICS, EXTRACT DATA
CELLEBRITE UFED
• Standalone device
• Can extract data from 1600+ devices
• Covers Android devices
• Built-in SIM reader and cloner
• Can store output on SD, flash or PC
EnCase Forensic
• Software solution
• Android, BlackBerry, iOS and Windows Mobile
• Device settings
• Contacts, call logs
• E-mail
• Images
• SMS/MMS
• Calendars
viaForensics viaExtract
X-Ways
Micro Systemation XRY
THE NINJA WAY
Ways to get access to data on Android:
1. Access the device, bypassing the security lock
2. Physical data extraction!
3. Logical data extraction. Yummy.
1. ACCESS THE DEVICE USING A SMUDGE ATTACK
Reboot to bootloader mode:
$ adb reboot bootloader
Using fastboot, boot a different ROM (e.g. a ClockworkMod recovery image) and remove the key file that holds the lock challenge (the file only stores the hash of the pattern, so once it is gone the lock screen has nothing to check against):
$ adb shell
$ su
# rm /data/system/gesture.key
Or, in case of a password or PIN:
# rm /data/system/password.key
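Instead of deleting gesture.key, the same file can be turned back into the pattern. The following is an added example, not code from the talk; it assumes the classic gesture.key format of Android up to 5.x (the raw 20-byte SHA-1 of the cell indices, no salt), and the key file it cracks is constructed in the script rather than pulled from a device:

```python
# Added example (not from the talk): reconstruct the unlock pattern from a
# pulled /data/system/gesture.key instead of just deleting it.
# Assumes the classic format used up to Android 5.x: the file holds the raw
# 20-byte SHA-1 of the pattern, where the pattern is the sequence of cell
# indices 0..8 (row * 3 + column) and is unsalted.
import hashlib


def pattern_hash(cells):
    """SHA-1 over the cell indices, one byte per cell (LockPatternUtils.patternToHash)."""
    return hashlib.sha1(bytes(cells)).digest()


def _midpoint(a, b):
    """Cell lying on the straight line between a and b, or None if there is none."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # no grid cell exactly in the middle (e.g. knight moves)
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern Android accepts: 4..9 distinct cells, and a stroke may
    only pass over an intermediate cell if that cell was already visited."""
    def extend(path, visited):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _midpoint(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue
            path.append(nxt)
            visited.add(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.discard(nxt)

    for start in range(9):
        yield from extend([start], {start})


def crack_gesture_key(key_bytes):
    """Return the pattern (tuple of cell indices) whose hash equals gesture.key, or None."""
    if len(key_bytes) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes (raw SHA-1)")
    for pattern in valid_patterns():
        if pattern_hash(pattern) == key_bytes:
            return pattern
    return None


def describe(pattern):
    """Human-readable form: (row, column) of every cell, in stroke order."""
    return " -> ".join("(%d,%d)" % divmod(c, 3) for c in pattern)


# Constructed sample instead of a real pull: the hash of the pattern 0-1-2-5-8
# (top row left to right, then straight down the right column).
SAMPLE_GESTURE_KEY = pattern_hash((0, 1, 2, 5, 8))

if __name__ == "__main__":
    found = crack_gesture_key(SAMPLE_GESTURE_KEY)
    print(found, describe(found))
```

A file pulled with adb would be read with open("gesture.key", "rb").read() and passed to crack_gesture_key(). The search space is only 389,112 patterns, which is why an unsalted hash gives no real protection; password.key is not covered here because it is salted with a value stored in the settings database.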
2. PHYSICAL DATA EXTRACTION
Software + hardware
3. LOGICAL DATA EXTRACTION
1. ADB
2. SQLite
3. Content providers
4. Android backup (since 4.0)
Find the block device behind the partition you want to image:
$ mount
... /dev/block/mtd7lock /system ext3 ...
Check that the dd command is available; if not, install the BusyBox toolset. As an alternative you can use dc3dd or nanddump from https://github.com/jakev/android-binaries
# dd if=/dev/block/mtd7lock of=/sdcard/mtd7lock.imgdd
$ adb pull /sdcard/mtd7lock.imgdd mtd7lock.imgdd
$ od -x mtd7lock.imgdd
$ strings mtd7lock.imgdd | grep <your own pattern goes here>
(This images /system; user data such as the databases below lives on the partition mounted on /data, so image that one as well, and always write the image somewhere other than the partition being copied.)
3. LOGICAL DATA EXTRACTION
Get all the APKs from the system:
$ adb shell
$ su
# cd /data/app
# tar -cvf /sdcard/all-apps.tar /data/app/*.apk
# gzip /sdcard/all-apps.tar
$ adb pull /sdcard/all-apps.tar.gz ./
$ tar -xzvf all-apps.tar.gz
3. LOGICAL DATA EXTRACTION
Snoop the databases in the system:
# cd /
# find data -name "*.db" -print
data/data/com.google.android.browser/app_appcache/ApplicationCache.db
data/data/com.google.android.browser/app_databases/Databases.db
data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
data/data/com.android.providers.calendar/databases/calendar.db
data/data/com.android.providers.contacts/databases/profile.db
data/data/com.android.providers.contacts/databases/contacts2.db
data/data/com.android.providers.downloads/databases/downloads.db
data/data/com.google.android.email/databases/EmailProvider.db
data/data/com.google.android.gm/databases/internal.mometan@gmail.com.db
data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db
data/data/com.google.android.gm/databases/webviewCookiesChromium.db
data/data/com.google.android.music/databases/music.db
data/data/com.android.providers.telephony/databases/telephony.db
data/data/com.android.providers.telephony/databases/mmssms.db
data/system/accounts.db
3. LOGICAL DATA EXTRACTION
Snoop further:
# sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db
sqlite> .schema accounts
CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
sqlite> select * from accounts;
||marius@gmail.com|
sqlite> select * from data;
8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/marius%40gmail.com/59w25d6cef09539135|||0
8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10
(Each row of the data table is one piece of contact data, here a photo URL and a structured name; the numeric columns reference the mimetype and the raw contact the row belongs to.)
3. LOGICAL DATA EXTRACTION
Snoop SMS:
# sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db
sqlite> .mode column
sqlite> .header on
sqlite> select address, date, body from sms;
address        date           body
-------------  -------------  ------------------------------------------------
+411113272608  1336592918275  AT&T Free Msg: Welcome to GoPhone! To learn more ...
3410498xxxx    1336720180796  Hey, nice day today. Up for a hike?:-)
+41310498xxxx  1336720230196  Hike sounds good:) kahuna beach canyon?
3410498xxxx    1336720272373  Laguna is good. See you at 5:30.
(date is epoch time in milliseconds; the type column of the same table tells inbox messages from sent ones.)
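The dd image and the sqlite3 sessions above are usually combined: locate the database inside the raw image, cut it out, and decode it. The following is an added example, not the speaker's code, and serves both the "strings | grep" step on the partition image and the mmssms.db query; the image is constructed in the script (random bytes with a real SQLite file embedded at a known offset), and the columns follow the sms table shown above plus its type column. It assumes a plain dd image of an unencrypted partition, so on a device with full-disk encryption it would only find ciphertext.

```python
# Added example (not from the talk): analyse a raw partition image pulled with
# dd, carve the SQLite databases out of it and decode the sms table offline.
# Assumes an unencrypted partition image; the test image is constructed below.
import os
import random
import re
import sqlite3
import struct
import tempfile
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"

# Telephony.Sms.TYPE values (android.provider.Telephony)
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def carve_sqlite(image):
    """Return (offset, page_size, page_count) for every SQLite file header in the image.
    page_count comes from header bytes 28..31 and is only trustworthy when the
    change counter (24..27) equals the version-valid-for number (92..95)."""
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = image[pos:pos + 100]
        if len(hdr) == 100:
            page_size = struct.unpack(">H", hdr[16:18])[0]
            if page_size == 1:
                page_size = 65536
            page_count = struct.unpack(">I", hdr[28:32])[0]
            if hdr[24:28] != hdr[92:96]:
                page_count = 0  # stale size field: caller must carve to the end / next hit
            hits.append((pos, page_size, page_count))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def grep_strings(image, pattern, min_len=4):
    """The 'strings | grep' step: printable ASCII runs that match a regex."""
    rx = re.compile(pattern.encode())
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)
    return [s.decode() for s in runs if rx.search(s)]


def recover_sms(image, offset, page_size, page_count):
    """Cut the database out of the image and read the sms table the way the
    talk's sqlite3 session does, decoding the epoch-millisecond date and the type."""
    end = offset + page_size * page_count if page_count else len(image)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.db")
        with open(path, "wb") as f:
            f.write(image[offset:end])
        con = sqlite3.connect(path)
        rows = con.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
        con.close()
    return [
        (addr,
         datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
         SMS_TYPES.get(t, "unknown(%d)" % t),
         body)
        for addr, ms, t, body in rows
    ]


def build_sample_image():
    """Constructed input: random junk, then a real mmssms.db-style file at offset 4096."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mmssms.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                    "date INTEGER, type INTEGER, body TEXT)")
        con.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", [
            ("+41310498xxxx", 1336720230196, 1, "Hike sounds good:) kahuna beach canyon?"),
            ("+41310498xxxx", 1336720272373, 2, "Laguna is good. See you at 5:30."),
        ])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    rnd = random.Random(2015)

    def junk(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    return junk(4096) + db + junk(3000)


if __name__ == "__main__":
    img = build_sample_image()
    for hit in carve_sqlite(img):
        print("sqlite db at offset %d, page size %d, %d pages" % hit)
        for msg in recover_sms(img, *hit):
            print(msg)
    print(grep_strings(img, r"kahuna"))
```

On a real image, replace build_sample_image() with open("mtd7lock.imgdd", "rb").read(); the carved file is only complete when the page count in the header is current, otherwise the recovery cuts to the end of the image and relies on SQLite ignoring trailing data.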
3. LOGICAL DATA EXTRACTION - LOGCAT
$ adb logcat -v time -b radio -d
$ adb shell dmesg - kernel messages
$ adb shell getprop - information about the device properties
3. LOGICAL DATA EXTRACTION - CONTENT PROVIDERS
3. LOGICAL DATA EXTRACTION - BACKUP
# back up all content of one app
$ adb backup -f whatsapp_backup.ab com.whatsapp
# back up everything (only apps that do not set android:allowBackup="false" are included)
$ adb backup -f Backup_06_04_2015.ab -apk -noshared -all
# confirm the backup on the device screen
# extract data from the .ab file; this only works for unencrypted backups, where the
# header is exactly 24 bytes ("ANDROID BACKUP", version, compression flag, "none")
$ dd if=whatsapp_backup.ab bs=24 skip=1 | openssl zlib -d > whatsapp.tar
$ tar xvf whatsapp.tar
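The "dd bs=24 skip=1" trick hard-codes the header length. The following added example (not from the talk) parses the four header lines instead, inflates the payload with zlib and refuses encrypted backups; the .ab file it operates on is constructed in the script for a made-up package com.example.chat, and its encrypted variant only exercises the refusal path (a real encrypted backup carries extra header lines with salts, PBKDF2 round count, IV and the wrapped master key, which this parser does not model):

```python
# Added example (not from the talk): unpack an adb backup without assuming the
# 24-byte header that "dd bs=24 skip=1" relies on. The header is four
# newline-terminated lines: "ANDROID BACKUP", version, compressed flag (1/0) and
# the encryption algorithm ("none" or "AES-256"); it is only 24 bytes long when
# the version is a single digit and the backup is unencrypted.
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(blob):
    """Return version, compressed flag, encryption name and header length."""
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an adb backup file (missing ANDROID BACKUP magic)")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    header_len = len(blob) - len(parts[4])
    return {"version": version, "compressed": compressed,
            "encryption": encryption, "header_len": header_len}


def ab_to_tar(blob):
    """Strip the header and inflate; refuse encrypted backups, whose zlib stream
    is ciphertext until the key is derived from the user's backup password."""
    hdr = parse_ab_header(blob)
    if hdr["encryption"] != "none":
        raise ValueError("backup is %s-encrypted; not handled here" % hdr["encryption"])
    payload = blob[hdr["header_len"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_backup(blob):
    """Names inside the backup tar: apps/<package>/... entries."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob)), mode="r:") as tar:
        return tar.getnames()


def build_sample_ab(compressed=True, encryption="none"):
    """Constructed .ab file: a manifest and one shared-preferences entry for a
    made-up package. With encryption != "none" the body is still plaintext; it
    exists only to show that ab_to_tar() refuses it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [
            ("apps/com.example.chat/_manifest", b"1\ncom.example.chat\n"),
            ("apps/com.example.chat/sp/session.xml",
             b'<map><string name="token">s3cret</string></map>'),
        ]
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    body = buf.getvalue()
    if compressed:
        body = zlib.compress(body)
    header = MAGIC + b"\n1\n" + (b"1\n" if compressed else b"0\n") + encryption.encode() + b"\n"
    return header + body


if __name__ == "__main__":
    sample = build_sample_ab()
    print(parse_ab_header(sample))
    print(list_backup(sample))
```

For a real file use open("whatsapp_backup.ab", "rb").read(); the shared-preferences files under apps/<package>/sp/ are where session tokens usually end up, which is the reason to set allowBackup="false" in the anti-forensics part.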
3. LOGICAL DATA EXTRACTION - CUSTOM RECOVERY
# reboot into the bootloader
$ adb reboot bootloader
# boot the custom recovery image (fastboot boot runs it without flashing it)
$ fastboot boot [recovery-name].img
Turn on USB debugging and remove gesture.key/password.key.
Make a dd copy of the partition.
Analyse the partitions using tools like The Sleuth Kit (TSK) - http://www.sleuthkit.org/sleuthkit/ or Oxygen Suite - http://www.oxygen-forensic.com
(Caveat: fastboot boot needs an unlocked bootloader, and unlocking a locked one normally wipes /data, so check the lock state before relying on this route.)
HOW TO SNOOP INSIDE AN ANDROID APP?
1. $ apktool d BANK.apk
2. $ jar xvf BANK.apk classes.dex
3. $ dex2jar.sh classes.dex
4. Open the resulting jar in JD-GUI
5. Try alternatives: Dare, DED, dexdump, etc.
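Once classes.dex is out of the APK, it is worth checking the integrity fields in its header before and after tooling touches it. This is an added example, not from the talk; the dex and the APK it reads are constructed in the script (a header-only dex with no classes, and a zip with a placeholder manifest), and the point it shows is that Android verifies these fields at install time, so a dex patched by hand must have them recomputed:

```python
# Added example (not from the talk): check and recompute the integrity fields of
# a dex header. Layout (little-endian): magic "dex\n035\0" at 0, adler32 checksum
# at 8 (over bytes 12..end), SHA-1 signature at 12 (over bytes 32..end),
# file_size at 32, header_size (0x70) at 36, endian_tag (0x12345678) at 40.
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def verify_dex(dex):
    """Return a dict of findings about the magic, sizes, checksum and signature."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a dex file")
    version = dex[4:7].decode("ascii")
    stored_checksum, = struct.unpack_from("<I", dex, 8)
    stored_signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "version": version,
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == stored_checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == stored_signature,
    }


def fix_dex_header(dex):
    """Recompute file_size, signature and checksum (what smali/baksmali-based
    tooling does after patching) so the result passes verify_dex() again."""
    body = bytearray(dex)
    struct.pack_into("<I", body, 32, len(body))
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def dex_files_in_apk(apk_bytes):
    """The 'jar xvf BANK.apk classes.dex' step: every classes*.dex in the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()
                if n.startswith("classes") and n.endswith(".dex")}


def build_sample_dex():
    """Constructed minimal dex: a header-only file with all table offsets zero,
    enough to exercise the checksum/signature logic (it contains no classes)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, len(hdr), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    return fix_dex_header(bytes(hdr))


def build_sample_apk(dex):
    """Constructed APK: a binary-XML manifest stub (magic bytes only) and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def tamper(dex, offset=0x60, xor=0xFF):
    """Flip one byte inside the header's data area to simulate a patched dex."""
    body = bytearray(dex)
    body[offset] ^= xor
    return bytes(body)


if __name__ == "__main__":
    dex = build_sample_dex()
    print("original:", verify_dex(dex))
    print("tampered:", verify_dex(tamper(dex)))
    print("repaired:", verify_dex(fix_dex_header(tamper(dex))))
    print(list(dex_files_in_apk(build_sample_apk(dex))))
```

Against a real APK, dex_files_in_apk(open("BANK.apk", "rb").read()) yields each dex, and a checksum or signature mismatch on a file taken from a device is a sign that something rewrote classes.dex after it was built.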
ANDROID ANTI-FORENSICS
1. Physical destruction
2. Overwriting data on your device
3. Cryptography or steganography
ANDROID ANTI-FORENSICS - PROTECT YOUR OWN ANDROID APP?
• Protect the resources
• Protect the preferences
• Protect the database
• Follow the security and code guidelines when handling sensitive data
• Encrypt your binary: magic via DexGuard
MORE ON ANDROID FORENSICS
Interested in more?
• http://stackoverflow.com/questions/28007421/android-image-extraction-from-cache
• https://github.com/AFFT-520/Android-Free-Forensic-Toolkit
• https://github.com/soarlab/maline
• http://freeandroidforensics.blogspot.de/
• http://resources.infosecinstitute.com/getting-started-android-forensics/
• https://andriller.com/