Upload File

smarter forensics | it's time to get smarter! - phoning it in ......•the user will receive a...

  • Home
  • Documents
  • Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not
33
Phoning it in: Heather talks about Smartphone Forensics Heather Mahalik Copyright @2018 Heather Mahalik, All Rights Reserved

Upload: others

Post on 17-Oct-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Phoningitin:HeathertalksaboutSmartphoneForensics

HeatherMahalikCopyright@2018HeatherMahalik,AllRightsReserved

Page 2: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Aboutme…

• Director,ForensicEng.atManTechCARD• SANSSeniorInstructor• InvolvedwithInfoSec/Forensicsfor16years• Co-authorofFOR585• InstructorofFOR585andFOR500• Co-AuthorofPracticalMobileForensics(1st and2ndEditions)

• Momandawife• Dog,horse,wineandbourbonloverJ

Copyright@2018HeatherMahalik,AllRightsReserved

Page 3: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not
Page 4: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

What’shappeninginsmartphonesecurity

• Fulldiskencryptionreadilyavailable– Morepeopleareusingit– Somedevicesrequireit&othersdon’task– Hurtsacquisition?

• Applicationsecurity– Howsecureisit?

• Toolsarefailingus• Cloudisstealingallthegoodstuff!!!

Copyright@2018HeatherMahalik,AllRightsReserved

Page 5: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Whatdoesthismean?

• Thestateofeverymobiledevicemayvary• Youneedtobepreparedforallsituations• Youwillneedmorethanonetool• Youwillneedtheskillstomanuallycarveforforensicartifacts

• Youmaybe100%blockedfromthedata

Copyright@2018HeatherMahalik,AllRightsReserved

Page 6: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Whatshouldyoudoaboutit

• Considertheissue– Encryption,locks,lackofparsingsupport…

• Considertoolsavailabletoyou– Commercial,opensourceandscripts

• Determineanactionplan• Makesureyouractionsdonotdestroyyourevidence!!!

Copyright@2018HeatherMahalik,AllRightsReserved

Page 7: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Acquisition

Copyright@2015HeatherMahalik,AllRightsReserved

Page 8: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Application“Protection”

EncodingSchemes

ASCII

Unicode

UTF-8

Base64

EncryptionAlgorithms

AES

Blowfish

Twofish

Serpent

Transforming/converting data into code

Copyright@2018HeatherMahalik,AllRightsReserved

Page 9: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:CyberDust(1)• Olderversionsclaimtoremovealluserdataupontransmission/receipt– Nevertrustclaimsoryourtool– ReviewAppfilesforuseractivity

Copyright@2018HeatherMahalik,AllRightsReserved

Page 10: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:CyberDust(2)

• MessagesareencodedtwiceusingBase64

Copyright@2018HeatherMahalik,AllRightsReserved

Page 11: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:Telegram(1)

Copyright@2018HeatherMahalik,AllRightsReserved

Page 12: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:Telegram(2)

Copyright@2018HeatherMahalik,AllRightsReserved

Page 13: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Willyourtoolcatchyouwhenyoufall?

• Willyoubeabletodefendtheevidence?

• Canyoufindthedata?• Whatifthetoolscontradictoneanother?

• Understandtheartifacts• Don’tknowjustenoughtobedangerous

Copyright@2018HeatherMahalik,AllRightsReserved

Page 14: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Whythetoolsfail…

• Thereissomuchdata• Toomanyapplications• OSupdates• Knowingwheretofindthisinformationisthehardestpart

• Knowinghowtheartifactwascreatediskey!

Copyright@2018HeatherMahalik,AllRightsReserved

Page 15: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:CallLogs(1)MagnetIEF/AXIOM

UFEDPhysicalAnalyzer

CallLogsLibrary/CallHistory/call_history.dbLibrary/CallHistory/callhistory.storedata (iOS 8,9&10)

Copyright@2018HeatherMahalik,AllRightsReserved

Page 16: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Example:CallLogs(2)Calllogs

iOS7

iOS8-11

Copyright@2018HeatherMahalik,AllRightsReserved

Page 17: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Wait…myphonewaswhere?

• Socialmediageo-tagging– Facebook– Google+– Twitter– Etc.

• Considerwhattracesareleftbehindwhentheuser“checks-in”andtagsalocation

Copyright@2018HeatherMahalik,AllRightsReserved

Page 18: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Butitwasreallyhere?• Diggingdeeperintotheapps

– Whataretheyreallydoing?

Copyright@2018HeatherMahalik,AllRightsReserved

Page 19: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

TheCloudshaveopened…

Copyright@2015HeatherMahalik,AllRightsReserved

Page 20: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

• Manytoolssupportcloudextraction

• Knowwhicheacharegoodatandselectaccordingly

• MultiplepullsmayforcetheusertoresettheirpasscodeforiCloud

20

CloudExtractionTechniques

Page 21: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

21

ElcomsoftCloudeXplorer

Page 22: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

•TheuserwillreceiveanotificationstatingthatanewdevicesignedintotheirGoogleaccount**Thisisnotrecommendedifyouareconductingcovertoperationsasyouhavetoassumetheuserwillknowyouwerethere!

22

Warning:TheUserWillBeAlerted!

Page 23: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

23

ElcomsoftCloudeXplorer – NOTjustforAndroid

Page 24: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

24

GoogleCloudArtifacts

Page 25: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

AccessingiCloudData(1)

25

Page 26: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

AccessingiCloudBackupData(2)

26

Page 27: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

27

Reality:AppleMaps

Page 28: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

Don’tfeartheunknown

• Createyourowntestdata– Iwishwecoulddoitallforyou,butIrunoutoftime

• Keepdiggingwhentheresultsdon’tmakesense

• Taketrainingtolearnthepropermethods

Copyright@2018HeatherMahalik,AllRightsReserved

Page 29: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

About585…• Courselaunchedin2014• GASFCert– Vendorneutralavailabletoeveryone• Co-authoredbyHeatherMahalik,LeeCrognale andCindy

Murphy• Addressesthehardesttotackletopics(Encryption,Parsing,

Querydrafting,decompilingmalware,etc.)• CoversiOS,Android,3rd PartyApps,Malware,BlackBerry

10,WindowsPhoneandmore• Includes19hands-onlabs+1capstonechallengeof

currentsmartdevices(bonustakehomecase+6bonuslabs)

• IsvendorNEUTRAL– Weteachyouthebestmethods,nothowtousecommercialtools

Copyright@2018HeatherMahalik,AllRightsReserved

Page 30: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

• https://github.com/hmahalik• FOR585 Advanced Smartphone Forensics• https://github.com/threeplanetssoftware/sqlite_miner• mac4n6.com/blog• smarterforensics.com/blog

– First the Grinch Now the Easter Bunny– How the Grinch Stole Apple Maps– Smartphone Acquisition: Adapt, Adjust and Get

Smarter!

References, Sources and Suggested Reading

Page 31: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not
Page 32: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

FOR585AdvancedSmartphoneForensicsCourseAvailableAt:

FOR585.com/course

July:SANSFIRE,DC– Heather– SOLDOUT– SIMULCAST!August:NYC

Sept:LasVegas- SIMULCASTAvailableOct:Denver,CO

Nov:Miami,Austin&StockholmDec:DC&SaudiArabia- - SIMULCASTAvailable

OnDemand ANYTIME!

Page 33: Smarter Forensics | It's time to get SMARTER! - Phoning it in ......•The user will receive a notification stating that a new device signed into their Google account **This is not

QUESTIONS?

[email protected]@HeatherMahalikBlog:for585.com/blog

Copyright@2018HeatherMahalik,AllRightsReserved


phoning les techniques de prises de RDV

Phoning Home

Stating a problem (2)

Phoning in earthquakes in earthqu… · Phoning in earthquakes At 3:20 a.m. on August 24, 2014 — not quite a year ago — a strong earthquake rocked the northern California town

Smarter Home - Smarter Business - SmartCloud - IBM Smarter Business 2013

SPECIFICATIONS No remote control. No “phoning” the gate

Smarter Information, Smarter Consumers-1

Rewinding Sony: The Evolving Product, Phoning …picker.uchicago.edu/Papers/PickerSony.200.pdfRewinding Sony: The Evolving Product, Phoning Home and the Duty of Ongoing Design Randal

Simply Smarter Communications for Smarter Working

The Philippine Smarter Cities Initiative: Building Smarter Cities Towards a Smarter Philippines

Smarter Choices, Smarter Places

Smarter Data for Smarter Libraries

Oreo. Stating Your Opinion

Stating a Mysterious Figure

Smarter Phones Smarter Moves

OFERTAS SANTIAGO 02/06/16 PHONINGOFERTAS PHONING Ofertas válidas sólo el día del Phoning y en este distribuidor. Precios SIN impuestos ni tasas. SANTIAGO 02/06/16 DIAMANTE x10 Por

Smarter solutions for at Smarter Planet

Rubbermaid Commercial Products smarter Smarter Sustainability

Smarter Cities/ Smarter Mobility - Northwestern University

SAP BI Stating Process

Work smarter. Live smarter. Play smarter. Fly smarter.€¦ · Real-time data = Smarter pilots. Let’s stay connected. With inflight Wi-Fi, everyone on board can fly smarter by having

GSMA Smarter Apps for Smarter Phones

Phoning FEMEGU 2015

Smarter City, Smarter Policy: Crowd Monitoring

Comp Stating Welfare

Smarter Software for Smarter Governments

Smarter Leadership for a Smarter Planet

SMARTER PLANNING SMARTER SPENDING

Smarter collaboration for Smarter planet

Smarter New Zealand through smarter energy

Smarter Buildings - 3Mmultimedia.3m.com/mws/media/765622O/smarter-smarter-buildings.p… · Ethernet and IP. Smarter&Smarter Buildings ... ing, ventilation, and air conditioning)

the Art of stating

Smarter CRM for smarter commerce (french)

IBM Smarter Storage for Smarter Computing

Outcomes (? stating the obvious)