BYOM - Build Your Own Methodology (in Mobile Forensics)
SANS DFIR EU SUMMIT
1ST OCTOBER 2018
MOBILE FORENSICS CHALLENGES
Market fragmentation
New devices
New OS
Passcode/Pattern Lock/Touch ID/Face ID
Millions of applications…
Gigabytes of data
Data stored on the Cloud…
BYOM (BUILD YOUR OWN METHODOLOGY)
Needs
• Knowledge
• People
• Tools
Workflow
Case history
Standardization (?)
NEEDS: KNOWLEDGE
Mobile OS
Architecture (Android and iOS)
Versions
Security
Rooting/Jailbreaking
Encryption
Partition layout
Cloud
File system(s)
EXT4
HFS+
APFS
FAT/exFAT
F2FS
JFFS2/YAFFS2
File format
SQLite
Plist
XML
Encoding
Programming
SQL
Scripting
Forensic Acquisition Methods
Manual
Logical
Backup
File System
Physical
Cloud
NEEDS: COMMERCIAL TOOLS
Mobile Forensics Toolkits
Blackbag
Cellebrite
Elcomsoft
Guidance
Magnet Forensics
Micro Systemation
MobilEdit
Oxygen Forensics
Paraben
SecureView
Specialized tools
Andriller
Belkasoft
Sanderson Forensics
iPhone Backup Extractor
USIM Detective
NEEDS: OPEN/FREE/SHAREWARE TOOLS
Android
• AFLogical OS Edition
• Android Developer Toolkit
• Autopsy
• CF-Auto-Root
• Droid Explorer
• Mobile Investigation Forensics Report Maker
• Santoku
• Smart Phone Flash Tools
• SuperSU
• TWRP
iOS
• iBackupBot
• iExplorer
• iFunBox
• Inflatable Donkey
• iLoot
• iMazing
• iOS Backup Examiner
• iTools
• iTunes
• iMobileDevice
• Libimobiledevice
• pList Editor
Others
• WPInternals
• BlackBerry Link
• BlackBerry Desktop Software
• Nokia Suite
• NBU Explorer
• Stune
• Tulp2G
• BitPim
Apps
• DB Browser for SQLite
• SQLite Studio
• SQLite Spy
• SQLite Miner
• SQLite Deleted Records Parser
• Whapa
• WhatsApp Viewer
• Guasap
• Cheeky4n6monkey
• DADB (Samsung DB Viewer)
NEEDS: HARDWARE
Flasher Boxes
Octoplus Pro Box
Z3X Box
Furious Gold
ORT Box
ATF Box
Medusa Pro
Chimera Tool
NCK Dongle
UFS Turbo Box
Miracle Box
Unlocking Tools
XPIN Clip
MFC Dongle
BST Dongle
Others
Faraday Bags
VR-Table
Coded
WORKFLOW
https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf
BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISITION (DRAFT 30TH JULY 2018)
https://www.swgde.org/
INTAKE/QUESTIONS
When was the device seized?
External physical state? (Ok/Broken/Damaged/Destroyed)
Is it turned on or off?
(If it is on) Is it disconnected from external networks?
(If it is on) Is it protected with a passcode/pattern lock?
Did the user/suspect provide any code?
Does it contain SIM Card(s)?
INTAKE/QUESTIONS
Which data do you need to extract?
EVERYTHING is not an accepted answer!! :)
Some possible options:
• A specific SMS
• A specific WhatsApp chat
• A picture or a video
• A specific email
• As much as possible…
UNDERSTANDING WHAT YOU NEED IS AN ESSENTIAL STEP TO DETERMINE THE BEST ACQUISITION METHOD!
IDENTIFICATION
First step: what type of device do I have?
Some methods to identify devices
• IMEI
• Model number
• Serial number
Where/how to find the IMEI number?
• Packaging box
• Rear of the device
• Under the battery
• In the SIM card tray
• *#06#
• Android Settings -> About Phone -> Status -> IMEI Information
• iPhone Settings -> General -> IMEI
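An added example, not part of the talk: once the IMEI has been read from the label, the SIM tray or *#06#, it is worth validating it offline before querying a lookup service. A 15-digit IMEI ends in a Luhn check digit, so most transcription errors are caught immediately, and the first 8 digits are the Type Allocation Code (TAC) that identifies make and model. The sample values in the script are constructed for illustration and were not read from any device.

```python
import re

# Added example, not part of the talk: validate a transcribed IMEI before
# querying imei.info or a warranty-lookup site.


def luhn_valid(digits):
    """Luhn check over a digit string: from the right, double every second
    digit, subtract 9 from any double above 9, and require the sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_imei(raw):
    """Normalise an IMEI as read from a label, SIM tray or *#06# (spaces,
    dashes and slashes are common) and report whether it is well formed.
    Returns a dict with 'valid', 'imei', 'tac' (first 8 digits, the Type
    Allocation Code that lookup services use to identify make/model) and
    'reason'."""
    digits = re.sub(r"[^0-9]", "", raw)
    if len(digits) == 16:
        # IMEISV: 14-digit body plus a 2-digit software version, no check digit,
        # so only the length can be verified here.
        return {"valid": True, "imei": digits, "tac": digits[:8],
                "reason": "IMEISV (16 digits, no check digit)"}
    if len(digits) != 15:
        return {"valid": False, "imei": digits, "tac": None,
                "reason": f"expected 15 digits, got {len(digits)}"}
    if not luhn_valid(digits):
        return {"valid": False, "imei": digits, "tac": digits[:8],
                "reason": "Luhn check digit mismatch (mistyped or misread?)"}
    return {"valid": True, "imei": digits, "tac": digits[:8], "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample values, not read from any real device.
    for sample in ("35-091205-123456-7", "350912051234568", "3509120512345"):
        print(sample, "->", check_imei(sample))
```

The TAC is what to paste into imei.info or phonedb.net when the full number should not leave the lab; the check digit only protects against transcription slips, not against a re-flashed or cloned IMEI, so the label, the settings menu and *#06# should still be compared with each other.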
IDENTIFICATION
Check device information
http://www.imei.info/
http://phonedb.net/
http://www.imeipro.info/
Check device warranty status
Samsung: https://support-ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo
Apple: https://checkcoverage.apple.com/
Huawei: https://consumer.huawei.com/us/support/warranty-query/
Oppo: https://oppo-au.custhelp.com/app/products/warranty_status
Xiaomi: https://www.mi.com/en/verify/#/en/tab/imei
Lenovo/Motorola: https://support.lenovo.com/warrantylookup
IDENTIFICATION (IMEI.INFO)
ACQUISITION METHODS: LOGICAL
Simple and fast
Good for a preview/quick look
Typically it requires the passcode/pattern lock
Typically it requires the installation of an agent
Typically it doesn’t recover deleted data
Android
• Call Log, SMS, Contacts, Pictures, Videos, Audios
• NO Third Party Apps (WA, FB, TW, etc.)
ACQUISITION METHODS: FILE SYSTEM
Device backup features
MTP/AFC protocols
Vulnerability for specific hardware/software
Rooting/Jailbreaking
Custom Recoveries
Can be partial or full
Typically it requires the passcode/pattern lock
Typically it allows recovering deleted data stored in other files (e.g. deleted records in SQLite databases)
ACQUISITION METHODS: PHYSICAL
Vulnerability for specific hardware/software
Rooting/Jailbreaking
Custom Recoveries
Engineering Bootloaders
Flasher Boxes
JTAG/ISP/Chip-Off
It generates a traditional bitstream image
Typically it allows recovering
• deleted data stored in other files (e.g. deleted records in SQLite databases)
• deleted files (unless… FDE/FBE) (e.g. iOS / Oreo)
PREPARATION: DEFINE THE EXTRACTION METHOD
Check your «Case History» [NEXT SLIDE]
Check what was requested during the intake
• If you need only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything?
Check support by your Mobile Forensics Toolkit(s)
Ask the community
Check for custom recoveries/engineering bootloader/flasher boxes
Verify support by specific external services
Identify specific vulnerabilities
Is a physical approach feasible?
Think outside the box…
• Cloud
• Local backup
• Provider requests
• Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
CASE HISTORY
Start building it ASAP!
Learn from your experience and errors
• When
• Device brand and model
• Device chipset brand and model
• Used tool / technique
• Obtained acquisition
• Lock bypass (yes/no)
• Encryption (yes/no)
• Person
• Result
• Notes
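One way to keep such a case history so that it actually answers the PREPARATION question ("what worked last time on this model or chipset?"), added here as an example and not the talk's own tooling: a single SQLite table with the fields listed above, a lookup by model or chipset, and a success-rate ranking per technique. The sample rows are constructed for illustration; the chipset strings other than the two Qualcomm entries are placeholders, and none of the rows reports a result from the talk.

```python
import sqlite3

# Added example (not the talk's own tooling): a minimal case-history store with
# the fields listed on the slide, plus the two queries that make it useful.

SCHEMA = """
CREATE TABLE IF NOT EXISTS case_history (
    id           INTEGER PRIMARY KEY,
    acquired_on  TEXT    NOT NULL,  -- when (ISO date)
    brand        TEXT    NOT NULL,  -- device brand
    model        TEXT    NOT NULL,  -- device model
    chipset      TEXT,              -- chipset brand and model
    technique    TEXT    NOT NULL,  -- tool / technique used
    acquisition  TEXT,              -- obtained acquisition: logical/file system/physical/none
    lock_bypass  INTEGER NOT NULL,  -- 1 = yes, 0 = no
    encrypted    INTEGER NOT NULL,  -- 1 = yes, 0 = no
    person       TEXT,
    result       TEXT    NOT NULL,  -- success / partial / failure
    notes        TEXT
);
"""

# Constructed sample entries for illustration. "chipset-B"/"chipset-C" are
# placeholders; results and techniques are assumptions, not the talk's findings.
SAMPLE = [
    ("2018-03-02", "Samsung", "SM-J500FN", "Qualcomm MSM8916", "EDL mode", "physical", 1, 0, "ME", "success", "unknown passcode"),
    ("2018-04-11", "Samsung", "SM-J320FN", "chipset-B", "Custom recovery", "physical", 0, 0, "FP", "success", "no passcode"),
    ("2018-05-20", "Samsung", "SM-G3815", "chipset-C", "Commercial toolkit", "none", 0, 0, "CM", "failure", "not supported"),
    ("2018-06-15", "Samsung", "SM-J510FN", "Qualcomm MSM8916", "EDL mode", "physical", 1, 0, "ME", "partial", "image incomplete"),
]


def open_history(path=":memory:"):
    """Open (or create) the history database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def log_case(conn, entry):
    """Append one row right after the acquisition, while details are fresh."""
    conn.execute(
        "INSERT INTO case_history (acquired_on, brand, model, chipset, technique, "
        "acquisition, lock_bypass, encrypted, person, result, notes) "
        "VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        entry,
    )
    conn.commit()


def prior_experience(conn, model, chipset=None):
    """During PREPARATION: what was tried on this exact model, or on any device
    sharing its chipset (lock bypasses and physical methods tend to follow the
    SoC rather than the marketing name). Newest first."""
    return conn.execute(
        "SELECT acquired_on, model, technique, acquisition, lock_bypass, result, notes "
        "FROM case_history WHERE model = ? OR (chipset IS NOT NULL AND chipset = ?) "
        "ORDER BY acquired_on DESC",
        (model, chipset),
    ).fetchall()


def technique_success_rate(conn):
    """Rank techniques by how often they produced a full success."""
    return conn.execute(
        "SELECT technique, COUNT(*) AS tries, "
        "ROUND(AVG(CASE WHEN result = 'success' THEN 1.0 ELSE 0.0 END), 2) AS rate "
        "FROM case_history GROUP BY technique ORDER BY rate DESC, tries DESC"
    ).fetchall()


def load_sample():
    """In-memory history populated with the constructed rows above."""
    conn = open_history()
    for entry in SAMPLE:
        log_case(conn, entry)
    return conn


if __name__ == "__main__":
    conn = load_sample()
    for row in prior_experience(conn, "SM-J510FN", "Qualcomm MSM8916"):
        print("prior:", row)
    for row in technique_success_rate(conn):
        print("rate:", row)
```

Recording the chipset separately from the model is what makes the second half of `prior_experience` work: a lookup for a model never seen before still returns the attempts made on other devices built around the same SoC.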
CHECK SUPPORT BY TOOLS
https://www.digitalforensiccompass.com/
ASK THE COMMUNITY!
XDA Developers
Google Groups
• FOR585 Alumni
• Mobile Device Forensics and Analysis
• TeelTech Forensic ToolBox Group
Digital Forensics Discord Group
GRAYSHIFT
Credits: Malwarebytes.com
CAS (CELLEBRITE ADVANCED SERVICES)
https://www.cellebrite.com/en/cas-sales-inquiry/
JTAG
Credits: Heather Mahalik
ISP (In-System Programming)
Credits: TeelTech
CHIP OFF
Credits: GILLWARE.COM
Some (lucky) cases from recent years
Wiko Fever
Samsung SM-J500FN
Huawei EVA-L09
Samsung SM-G355M
Samsung SM-J320FN
Samsung SM-T560
Apple iPhone 8
OnePlus 3T
Samsung SM-G355H
Samsung J510FN
WIKO FEVER: locked with unknown passcode
SAMSUNG SM-J500FN: locked with unknown passcode
https://media.cellebrite.com/wp-content/uploads/2017/12/qualcomm-edl-physical-extractions-guide.pdf
Interesting feature of Qualcomm chipsets: on many boot failures the chipset will unavoidably default into EDL mode (to allow repair). This is an opportunity to intentionally introduce faults into the boot process and trigger EDL, gaining a physical extraction.
HUAWEI EVA-L09: locked with unknown passcode
SAMSUNG SM-G355M: locked with unknown passcode
Credits: Salvatore Mesoraca - https://github.com/smeso/MTPwn
PoC exploit for a vulnerability of Samsung's Android phones
It allows an attacker to access phone storages via USB, bypassing lock screen and/or Charge only mode.
MTPwn can be easily modified to download or delete any file, to create and delete folders and to do many other things
SAMSUNG SM-J320FN: without passcode
SAMSUNG SM-T560: without passcode
APPLE iPHONE 8: known code, but with backup password
ONEPLUS 3T: without passcode
SAMSUNG SM-G355H: locked with unknown code
SAMSUNG SM-J510FN: ?
SAMSUNG SM-G3815: FAILURE :(
BRIONVEGA N7010
ANALYSIS
Parsing with different tools has pros and cons :)
Pros
• Different support for different OS/Apps
• Verifying the results
Cons
• Processing time
• Duplication
• Cost
Often you need to add manual parsing and investigation!
• SQL queries
• Parsing scripts
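The file-system and physical slides both point out that these acquisitions let you recover deleted records from SQLite databases, and this slide says the analysis often needs your own SQL queries and parsing scripts. The script below is an added example, not code from the talk: it builds a constructed SMS-style SQLite database, deletes one message, shows that a normal SELECT no longer returns it, and then parses the raw file format (table b-tree leaf pages, the freeblock chain and the unallocated gap) to pull the deleted text back out. It assumes `secure_delete` is OFF, which is what leaves the bytes in place; after `VACUUM`, or with `secure_delete` ON, the same scan finds nothing.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Runs of 4+ printable ASCII bytes. Adjacent fields of a deleted record run
# together because the record header is not parsed here.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def build_sample_db(path):
    """Constructed SMS-like database: three messages, one deleted afterwards.
    secure_delete is forced OFF so the deleted record's bytes stay on disk."""
    if os.path.exists(path):
        os.remove(path)
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO sms (address, body) VALUES (?, ?)",
        [
            ("+1555000001", "MSG-ONE meeting at noon"),         # constructed
            ("+1555000002", "MSG-TWO deleted before imaging"),  # constructed, deleted below
            ("+1555000003", "MSG-THREE see you tomorrow"),      # constructed
        ],
    )
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body LIKE 'MSG-TWO%'")
    conn.commit()
    conn.close()


def live_rows(path):
    """What any SQL-based parser sees: only records still in the b-tree."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY id")]
    conn.close()
    return rows


def carve_unallocated(path):
    """Scan every table b-tree leaf page (type 0x0D) and return
    (page_no, region, text) for printable strings found in space the b-tree
    no longer references: the freeblock chain and the gap between the cell
    pointer array and the start of the cell content area."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:          # the value 1 encodes a 65536-byte page
        page_size = 65536
    found = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size: pno * page_size]
        hdr = 100 if pno == 1 else 0   # page 1 starts with the 100-byte file header
        if page[hdr] != 0x0D:
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        if content_start == 0:
            content_start = 65536
        # Region 1: unallocated space after the 8-byte page header and the
        # 2-byte-per-cell pointer array (a freed cell adjacent to the content
        # area is merged into this gap instead of becoming a freeblock).
        gap_start = hdr + 8 + 2 * ncells
        for s in PRINTABLE.findall(page[gap_start:content_start]):
            found.append((pno, "gap", s.decode("ascii")))
        # Region 2: the freeblock chain; each block starts with the 2-byte
        # offset of the next block (0 = last) and its own 2-byte size.
        off = first_free
        while off:
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            for s in PRINTABLE.findall(page[off + 4:off + size]):
                found.append((pno, "freeblock", s.decode("ascii")))
            if nxt and nxt <= off:     # refuse to loop on a corrupt chain
                break
            off = nxt
    return found


def demo():
    """Build the sample, then compare the live view with the carved view."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    return live_rows(path), carve_unallocated(path)


if __name__ == "__main__":
    live, carved = demo()
    print("live rows:", live)
    for pno, region, text in carved:
        print(f"page {pno} {region}: {text}")
```

The same two regions are where dedicated tools such as the SQLite Deleted Records Parser listed earlier look; the point of writing the scan yourself is that the result of a commercial parser can be verified against the raw pages, which is the "verifying the results" benefit this slide lists under pros.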
STANDARDIZATION: CASE LANGUAGE
https://github.com/ucoProject/CASE
Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language
It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science
The primary motivation for CASE is interoperability - to advance the exchange of cyber-investigation information between tools and organizations.
DFIR FOR GENOA
https://www.gofundme.com/dfir-for-genoa
CREDITS AND CONTACTS
@RN Team
Mattia Epifani
Francesco Picasso
Claudia Meda
Fabio Massimo Ceccarelli
Thanks to Pasquale Stirparo for input and review!
@mattiaep