© 2014, Basis Technology 1
Open Source Mobile Device Forensics
Heather Mahalik
Device Acquisition

iOS Devices
• Zdziarski Methods
• Boot ROM Vulnerability Exploits
  – Custom Ramdisk via SSH
  – The iPhone Data Protection Tools
• iTunes

Android Devices
• viaLogical
• ADB Backup
• OSAF Toolkit
• Santoku
• DD
  – Not supported for all devices
• JTAG/Chip-off
Considerations
• How old is the device?
• Is the device locked?
• Is the device damaged?
• Are you Law Enforcement?
Android Memory Capture
• LiME (Linux Memory Extractor)
  – First tool to support full memory captures of Android smartphones!
  – Dump is sent over TCP or written to the SD card
  – Module is delivered to the device and the dump collected over ADB (adb push / adb forward)
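Once the dump is on the examiner's machine it has to be read, and LiME's default "lime" format is not a flat image: every captured physical range is preceded by a 32-byte header (magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes) and ranges that were not captured, such as MMIO holes, simply do not appear. The parser below is an added example, not code from the slides or from the LiME project; it walks those headers, validates them, and translates a physical address into a file offset. The two-segment dump it parses and the addresses in it are constructed for the demo.

```python
"""Walk the segment headers of a LiME-format memory dump.

Added example (not from the slides or the LiME project). LiME's "lime" output
format prefixes each captured physical range with a 32-byte header:
magic 0x4C694D45, version 1, start and end address (inclusive), 8 reserved
bytes. The dump parsed below is constructed in memory, not a real capture.
"""
import struct

LIME_MAGIC = 0x4C694D45                     # on disk as the bytes b"EMiL" (little-endian)
LIME_HEADER = struct.Struct("<IIQQ8s")      # magic, version, s_addr, e_addr, reserved


def parse_lime(dump):
    """Return a list of (s_addr, e_addr, file_offset_of_data) for every segment."""
    segments, pos = [], 0
    while pos < len(dump):
        if len(dump) - pos < LIME_HEADER.size:
            raise ValueError("truncated header at file offset %d" % pos)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(dump, pos)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at file offset %d" % (magic, pos))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("segment at file offset %d ends before it starts" % pos)
        size = e_addr - s_addr + 1          # e_addr is inclusive
        pos += LIME_HEADER.size
        if len(dump) - pos < size:
            raise ValueError("segment data truncated at file offset %d" % pos)
        segments.append((s_addr, e_addr, pos))
        pos += size
    return segments


def phys_to_offset(segments, addr):
    """Map a physical address to its file offset, or None if that address was not captured."""
    for s_addr, e_addr, off in segments:
        if s_addr <= addr <= e_addr:
            return off + (addr - s_addr)
    return None


def read_phys(dump, segments, addr, length):
    """Read bytes at a physical address; the range must lie inside one segment."""
    off = phys_to_offset(segments, addr)
    end = phys_to_offset(segments, addr + length - 1)
    if off is None or end is None or end - off != length - 1:
        raise ValueError("0x%x..0x%x is not contiguous in the capture" % (addr, addr + length - 1))
    return dump[off:off + length]


def build_demo_dump():
    """Constructed two-segment dump with a hole between the ranges (not a real capture)."""
    def segment(s_addr, payload):
        e_addr = s_addr + len(payload) - 1
        return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8) + payload
    return segment(0x80000000, b"KERNEL_TEXT_DEMO") + segment(0x80100000, b"ZONEDATA")


if __name__ == "__main__":
    dump = build_demo_dump()
    for s_addr, e_addr, off in parse_lime(dump):
        print("0x%016x-0x%016x at file offset %d" % (s_addr, e_addr, off))
```

A real dump is read the same way, with `parse_lime(open("ram.lime", "rb").read())` (or a memory-mapped file for multi-gigabyte captures); a bad magic partway through the file usually means the capture was interrupted or the file was truncated in transit.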
Analytical Tools…to Name a Few

iOS Devices
• iPhone Backup Analyzer
• iExplorer
• iBackupBot
• Scalpel
• SQLite Browser
• Plist Editor
• WhatsApp Extract
  – Contacts.sqlite and ChatStorage.sqlite
• Manual examination
• Customized scripts

Android Devices
• Autopsy
  – Android Module
• WhatsApp Extract
  – wa.db and msgstore.db
• Scalpel
• SQLite Browser
• Hex Editor
• Anything capable of mounting EXT
• FTK Imager
• Customized scripts
• Manual examination
Reality Check!
• Commercial tools are expensive
  – They still miss data
  – They don’t parse third party applications completely
  – They omit relevant databases when extracting data
  – They don’t support all devices
• Open Source tools – See above! (the same shortcomings apply)
Example – iOS Examination
• /private/var/mobile/library/Spotlight/com.apple.mobilesms/
  – smssearchindex.sqlite
• Provides SMS message data
  – Active and deleted messages
  – Should be compared to sms.db
  – May show traces of attachments (metadata)
*Not commonly parsed by any tool!
Autopsy
• GUI built on The Sleuth Kit
• Next version (v3.1.1) will include Android module
• Customizable
• Complete analytical platform
• Android dumps can be loaded as normal disk images or file folders
Android Examination
Examining Contacts
• Parsed from the contacts2.db file
  – raw_contacts and ABPerson tables
Examining the Raw Contacts (1)
Examining the Raw Contacts (2)
Parsing Messages and Chats
• Parses messages and chats from SMS, MMS and some third party applications
Encoding Built into Autopsy
• Encryption vs. Encoding
• Base64 decoder built into Autopsy Android module
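The encryption-versus-encoding point matters in practice because application databases are full of Base64: it hides nothing from an examiner, while ciphertext does. The helper below is an added example, not the slides' content or Autopsy's decoder; it tries a strict Base64 decode and then asks whether the result reads as text (reversible encoding) or as opaque bytes (binary, possibly ciphertext). The sample values are constructed for the demo. Note the caveat the last sample shows: any alphanumeric string whose length is a multiple of four, such as "password", decodes without error, so a successful decode is a hint to follow up, not proof that the value was Base64 at all.

```python
"""Tell Base64 encoding apart from encryption in a stored value.

Added example (not from the slides or Autopsy). Base64 is reversible by anyone,
so a value that decodes to readable text was merely encoded; a value that
decodes to opaque bytes may be ciphertext, a hash, or other binary data.
The sample values are constructed for the demo.
"""
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def classify(value):
    """Return 'plain' (not valid Base64), 'encoded-text', or 'opaque' for a stored string."""
    try:
        decoded = base64.b64decode(value, validate=True)   # reject non-alphabet chars and bad padding
    except (binascii.Error, ValueError):
        return "plain"
    if not decoded:
        return "plain"
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    printable_ratio = sum(ch in PRINTABLE for ch in text) / len(text)
    return "encoded-text" if printable_ratio >= 0.95 else "opaque"


def classify_all(values):
    """Classify each value of a column; returns {value: verdict}."""
    return {v: classify(v) for v in values}


# Constructed sample column, as it might come out of an application database.
SAMPLE_VALUES = [
    base64.b64encode(b"Meet me at the warehouse at 9").decode("ascii"),   # encoded, not protected
    base64.b64encode(bytes(range(0, 256, 8))).decode("ascii"),            # binary: contains bytes >= 0x80
    "Meet me at 9",                                                        # spaces: not Base64 at all
    "password",                                                            # 8 alphanumerics: decodes, but to junk
]

if __name__ == "__main__":
    for value, verdict in classify_all(SAMPLE_VALUES).items():
        print("%-14s %s" % (verdict, value))
```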
Geolocation Support
• Google Maps, Browser, Cache and EXIF location parsing
Geolocation Reporting
Examining Multimedia Files
• EXIF Parser
• Graphics and Videos
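The EXIF parsing mentioned under both Geolocation Support and Examining Multimedia Files comes down to walking a TIFF structure embedded in the JPEG's APP1 segment: find the segment, read IFD0, follow the GPS IFD pointer, and convert the degree/minute/second rationals into signed decimal degrees. The reader below is an added example written for this page, not code from the slides or from Autopsy's EXIF parser. The JPEG it reads is constructed in memory and carries only the four GPS tags needed for the demo, no image data; the coordinates in it are made up.

```python
"""Pull GPS coordinates out of a JPEG's EXIF block.

Added example (not from the slides or Autopsy). Minimal reader for the
TIFF-structured EXIF data in the APP1 segment. The JPEG below is constructed
in memory with only GPS tags, so the coordinates are demo values.
"""
import struct

GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}    # BYTE, ASCII, SHORT, LONG, RATIONAL


def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments; return the TIFF blob from APP1 'Exif\\0\\0', or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        prefix, marker, length = struct.unpack_from(">BBH", jpeg, pos)
        if prefix != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                     # stand-alone markers carry no length field
            continue
        if marker == 0xDA:
            break                        # start of scan: no APP segments after this
        body = jpeg[pos + 4:pos + 2 + length]   # length counts its own two bytes
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at offset."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def entry_data(tiff, entry, endian):
    """Bytes of an entry's value: inline when it fits in 4 bytes, else at the given offset."""
    typ, n, raw = entry
    size = TYPE_SIZE[typ] * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(endian + "I", raw)   # offsets are relative to the TIFF header
    return tiff[off:off + size]


def rationals(data, endian, n):
    vals = struct.unpack(endian + "%dI" % (2 * n), data)
    if any(vals[i + 1] == 0 for i in range(0, 2 * n, 2)):
        raise ValueError("zero denominator in RATIONAL")
    return [vals[i] / vals[i + 1] for i in range(0, 2 * n, 2)]


def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees, or None when there is no usable GPS IFD."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", entry_data(tiff, ifd0[GPS_IFD_POINTER], endian))
    gps = read_ifd(tiff, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def dms(tag):
        d, m, s = rationals(entry_data(tiff, gps[tag], endian), endian, 3)
        return d + m / 60 + s / 3600

    lat, lon = dms(GPS_LAT), dms(GPS_LON)
    if entry_data(tiff, gps[GPS_LAT_REF], endian)[:1] == b"S":
        lat = -lat
    if entry_data(tiff, gps[GPS_LON_REF], endian)[:1] == b"W":
        lon = -lon
    return lat, lon


def gps_from_jpeg(jpeg):
    tiff = find_exif_tiff(jpeg)
    return None if tiff is None else gps_from_tiff(tiff)


def build_demo_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG: SOI, one APP1 Exif segment with a GPS IFD only, EOI. No image data."""
    e = "<"
    ifd0_off, gps_off = 8, 26                       # header 8 | IFD0 18 | GPS IFD 54 | rationals
    lat_off, lon_off = gps_off + 54, gps_off + 54 + 24

    def entry(tag, typ, n, value):
        return struct.pack(e + "HHI", tag, typ, n) + value.ljust(4, b"\x00")

    def rat(dms):                                   # dms: three (numerator, denominator) pairs
        return b"".join(struct.pack(e + "II", num, den) for num, den in dms)

    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off))
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
    tiff += struct.pack(e + "I", 0) + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    demo = build_demo_jpeg([(37, 1), (46, 1), (297, 10)], "N", [(122, 1), (25, 1), (99, 10)], "W")
    print(gps_from_jpeg(demo))
```

Two things to check on real evidence that the constructed file does not exercise: the byte-order mark can be "MM" (big-endian, common on iOS photos), which the reader handles through `endian`, and a photo whose GPS tags were stripped by a messaging app will return None rather than a location.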
Recovering Deleted SQLite Data
• Active (live) records are shown in the viewer
• Deleted records must be examined/recovered in a hex editor
Custom Scripts
• Mari DeGrazia’s SQLite Parser
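The reason deleted rows have to be hunted for in hex (previous slide) and the reason a custom parser such as the one listed above is worth writing: when SQLite deletes a row it only unlinks the cell and marks its bytes as a free block, overwriting the first four bytes, so a SELECT no longer returns the record while its text is still sitting in the page. The script below is an added example written for this page; it is not Mari DeGrazia's parser and not code from the slides. It builds a small constructed chat database, deletes one message, then scans the raw file for printable runs that no live value or schema statement accounts for. The table name, senders and message texts are made up for the demo.

```python
"""Carve deleted text out of a SQLite file's free space.

Added example (not from the slides, and not Mari DeGrazia's parser). SQLite
leaves a deleted row's bytes in the page's free blocks unless secure_delete is
on, so a SELECT no longer shows them but a hex view still does. The chat
database and messages below are constructed for the demo.
"""
import os
import re
import sqlite3
import tempfile

MIN_LEN = 8                                       # shortest printable run worth reporting
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
KNOWN_NOISE = {"SQLite format 3"}                 # file header, present in every database


def build_demo_db(path):
    """Create a constructed message table and delete one row from it."""
    conn = sqlite3.connect(path)
    # Off by default on most builds, but macOS's system SQLite turns it on; force it so the demo is deterministic.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO message (sender, body) VALUES (?, ?)",
        [("alice@example.test", "Meet at the usual place at nine tonight"),
         ("bob@example.test", "Delete this after reading, burner number is 555-0100"),
         ("carol@example.test", "Did you get the package I sent yesterday?")],
    )
    conn.commit()
    conn.execute("DELETE FROM message WHERE sender = 'bob@example.test'")
    conn.commit()
    conn.close()


def live_strings(path):
    """Every string a normal query can still see: sqlite_master rows plus all table contents."""
    conn = sqlite3.connect(path)
    rows = list(conn.execute("SELECT * FROM sqlite_master"))
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        rows += list(conn.execute('SELECT * FROM "%s"' % name.replace('"', '""')))
    conn.close()
    seen = set()
    for row in rows:
        seen.update(v for v in row if isinstance(v, str) and v)
    return seen


def carve_deleted_strings(path):
    """Printable runs in the raw file that no live value accounts for."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # Strip longer live values first so a value containing another is removed whole.
    live = sorted(live_strings(path) | KNOWN_NOISE, key=len, reverse=True)
    found = set()
    for match in PRINTABLE_RUN.finditer(raw):
        run = match.group().decode("ascii")
        # Column values sit back to back inside a record (the serial-type bytes that
        # precede them are often printable too), so cut each live value out of the run
        # rather than asking whether the whole run equals a live value.
        for value in live:
            run = run.replace(value, "\x00")
        found.update(piece for piece in run.split("\x00") if len(piece) >= MIN_LEN)
    return found


def recover_deleted_demo():
    """Build the constructed database and return the carved candidates."""
    path = os.path.join(tempfile.mkdtemp(prefix="sqlite-carve-"), "msgstore_demo.db")
    build_demo_db(path)
    return carve_deleted_strings(path)


if __name__ == "__main__":
    for candidate in sorted(recover_deleted_demo()):
        print(repr(candidate))
```

The output for the demo is a single fragment beginning with two serial-type bytes and the deleted sender, followed by the deleted message body; the leading bytes are what is left of the cell header after the free-block pointer overwrote the first four bytes. On real evidence run the same scan over the journal or WAL file as well, and remember that a VACUUM or an app that sets secure_delete destroys this residue.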
References, Sources and Suggested Reading
• http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
• www.az4n6.blogspot.com
• https://viaforensics.com/blog/
• http://www.sleuthkit.org/
• Practical Mobile Forensics – Bommisetty, Mahalik, Tamma
• www.smarterforensics.com
• https://code.google.com/p/lime-forensics/
Questions
Heather Mahalik, Basis Technology
www.basistech.com
[email protected]
Twitter: @heathermahalik