All posts by Heather Mahalik

Practical Mobile Forensics eBook 50% Off!

PMF50 smarter forensics

Back by request, here is another coupon code offering 50% off the eBook of Practical Mobile Forensics. This code is only valid until October 2nd and is for the eBook directly from our publisher’s site.

To order, click the link below and enter the Discount code prior to checkout.

Unique link: http://bit.ly/1Qvf018

Discount code: PMF50

We hope this book helps you get the most bang for your buck in mobile forensics. We aimed to include as many open source solutions as possible to conduct mobile device forensics.

Happy Reading!

LE Discount for SANS Courses

All,

I know that training is expensive. Here is a way to attend FOR585 for half the price! Next up:

Tysons Corner, VA

Prague (Cindy Murphy)

Ft. Lauderdale

SANS has a standing Local LE Only discount program for a limited number of seats per class at 50% off.

All SANS DFIR training listed on this site qualify: http://digital-forensics.sans.org/training/courses (I recommend FOR585 Advanced Smartphone Forensics)
Local and state programs are the only ones allowed to apply for the discount.  The nutshell details are that you must be a badge carrier currently.  No retirees or support staff unfortunately at this time.
If you are interested in the program — sometimes calling SANS our customer service folks forget about the program.  But cc’ed on this email is the program lead, Henri Van Goethem.  Henri and I worked in Air Force OSI together back in the day and knows how much this program is needed.   Henri’s email is hvangoethem@sans.org if you would like to get exact details on the program and to apply.
Henri generally responds to all requests within a week or so.  If you are trying to attend training last minute – please cc myself on it and I can ensure it will get seen with enough time to sign up for the course.

What’s your biggest hurdle in smartphone forensics?

Hey everyone,

Figured I would do a quick blog to see what your greatest issues are when dealing with the smartphones in your investigations:

– Locked devices? If so, which ones?

-Encryption (device level or application level)?

-Parsing the plethora of 3rd party apps found on devices?

Let me know your thoughts. Looking into my next research area and thought I would question the community first to see what is needed.

Have a great afternoon!

What are your forensic tools really good at?

Happy Saturday everyone! Several of my SANS FOR585 students have asked me to document my opinions on what tools I like and how I find them to be helpful. Again, I am not including every single tool out there or highlighting all of their capabilities, so if one is missing that you find useful, please post in the comments. This is simply a quick blog to highlight what has helped me in the past 6+ months.

I am not going to dive too deep into acquisition. There are so many tools and methods available that most people can figure out a way to get the data. I recommend you always get a physical dump and logical or backup to help you parse the data. Pick your poison on obtaining the data (Cellebrite, MSAB, Lantern, Blacklight, ViaExtract, flasher boxes…. it goes on and on). Each tool has their pros and cons and it’s a bad idea to only have one tool in your toolbox. Smartphones are beasts and security is getting stronger. Make sure you test your tools and test them often. Don’t let one hurdle knock you down. Try to trick your tool into working for you if needed.

I think the easiest way to write this blog is to include highlights and then touch on them. What is your tool really good for based upon my experience:

Commercial Solutions (Not in any particular order):

  • IEF Mobile – Great for Internet evidence and parsing 3rd party application data. One of the best iOS app parsers out there.
  • Physical Analyzer – Probably the best analytical platform out there specific to smartphone tools. It doesn’t parse everything, but it gives us a platform for analysis where we can make it find the evidence with some manual carving and hex searches.  Best physical search feature for locating data in raw hex.
  • MSAB XRY/XACT – One of the only tools that provides access to the raw files during a logical acquisition. Guess what, to recover data that the tools don’t parse you need the raw files. This tool give you access to them!
  • Lantern – Great Facebook app support. Seems to parse more data than the others on specific iOS devices.
  • Blacklight – Great tool that can run on a Mac! Great support for iOS devices. Haven’t you heard that you should examine a Mac with a Mac? A wise examiner once told me that and it still resonates with me.
  • Mobilyze – Best triage tool for iOS and Android.
  • MPE+ – The SQLite builder is a great feature when manually examining databases from 3rd party apps.
  • Oxygen – The best tool for BlackBerry. Acquires the event log and provides a secure way to create a BB backup file. Also counts out all those nasty little databases for you. I also like how Oxygen parses 3rd Party Apps.

Open Source and Other Solutions (Not in any particular order):

  • Andriller – This is one of my new favorites. This tool can crack passcodes and provides parsers for iOS, Android and Windows 3rd Party Application files. Free for LE and well worth it for everyone else. The fee is small the results are huge! https://andriller.com/
  • Now Secure CE (used to be ViaExtract CE) – Andrew Hoog was kind to release this awesome tool. It provides acquisition support for free! Parsers are pretty kick-ass too. Check it out. https://www.nowsecure.com/forensics/community/
  • Sanderson Forensics tools – Great SQLite support! The SQLite Forensic Toolkit is so useful in recovering deleted data and for converting those pesky timestamps. http://www.sandersonforensics.com/forum/content.php
  • Parsers developed by the community. Mari DeGrazia (http://az4n6.blogspot.com/)and Adrian Leong (http://cheeky4n6monkey.blogspot.com/) are rockstars and often give back by developing scripts to help us sift through application and smartphone data. Check out their blogs to see what has been helping us sift through the massive amounts of data.
  • Autopsy – The Android Analyzer module supports parsing commonly missed items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. http://sleuthkit.org/autopsy/

I am sure I have forgotten to give credit to some where it’s due, so I am requesting that you help me out. What tools really help you and how? Is there one that is strong with Base64 decoding? What about the double Base64? Don’t know what that means??? Take FOR585 and Cindy Murphy and I will teach you.  If you need more references on how to use the tools and the open source/free solutions, read the following books:

Practical Mobile Forensics

Learning Android Forensics

Learning iOS Forensics

Good luck and keep digging in that Hex! The data is there and it’s your job to find it.

Has the smartphone finally outsmarted us?

I originally posted this on the SANS blog, but figured I would share below as well. Special thanks to Cindy Murphy, Adrian Leong, Maggie Gaffney, Shafik Punja, JoAnne Gibb, Brian McGarry and the Cellebrite developers who worked tirelessly on the WP8 device discussed in this blog!

Has the smartphone finally outsmarted us?

I can honestly say that the most common question I am asked by examiners, investigators, students and even my neighbors is, “which phone is the most secure?” Obviously, the concern behind the question varies. Some want to secure their own device, and others, like myself, want to prove everyone in DFIR wrong by cracking into the toughest and most secure devices.

Smartphone security has gotten drastically stronger in 2014. This year, we are expecting even more challenges when examining smartphones. When thinking about the forensic aspects of smartphone security and encryption, we have to consider two things:

  1. How are we going to get access to the data?
  2. Even if we get a dump of the device, can we decrypt and examine the data?
  3. What happens if I can access the data, but the application data is encrypted?

Let’s look at a few devices to consider our options. First, Windows Phone 8 (WP8) brought us new issues that commercial forensic kits could not fully support. The good news is that these devices only comprise approximately 2.5% of the smartphone market. The bad news – criminals still use them! My co-author for FOR585, Cindy Murphy, worked with others in DFIR to get over this hurdle when it really mattered. A criminal investigation forced Cindy into action when she realized the critical part of the crime was a Nokia 520 running WP8. Cindy essentially formed a “team” to divide and conquer on this WP8 device. They successfully obtained a JTAG image of the device and manually parsed the data. FYI, if you haven’t looked at a smartphone dump in awhile, it’s no longer just a few files you need to sift through like legacy mobile device images. You are now looking at a small hard drive of evidence needing to be manually parsed. This task alone could take a lot of patience and a really long time.

What makes WP8 devices so secure compared to the others? WP8 devices brought change that we, smartphone examiners, haven’t faced in the past. This is the first OS introduced into the smartphone community that utilized BitLocker technology to support data encryption on the device with AES 128, which utilizes a Trust Platform Module (TPM) to protect the encryption key once the data is secure. These two factors have caused heartache for us smartphone examiners who have one of these devices appear in our evidence lineup. Fortunately, Cindy and her “team” were able to obtain a physical image, bypass the encryption and parse the relevant evidence to support her criminal investigation. Their work can be found here: http://dfir.to/Win8Phone-Forensics If you haven’t read this paper, you should!

Cindy and her “team” worked directly with Cellebrite developers to provide a recent release supporting the Nokia 520 and similar WP8 devices, thus making your life easier.   In FOR585 we stress the importance on understanding how the data is stored and parsed by your tool. One tool cannot uncover and decode all data on a smartphone. It’s your job to learn the file system structures, data formats, encoding schemas and all of the other fun bit of smartphone forensics. Additionally, in Cindy’s case, one single tool did not parse or interpret all of the data from this device. The smartphone forensic tools could not handle the data dump. You will find this is true for some smartphones, so you need to understand all concepts of smartphone data. Your toolbox must contain both smartphone forensic tools as well as standard DFIR tools (yes, the same ones your learned about in FOR408 and FOR572).

Here are some cheat sheet locations where evidence on the WP8 resides (for more details on how to manually parse the data, please refer to the referenced paper, above):

SMS and Contacts:

Users\WPCOMMSERVICES\APPDATA\Local\Unistore\store.vol

MMS:

SharedData\Comms\Unistore\Data

Call Logs:

Users\WPCOMMSERVICES\APPDATA\Local\UserData\phone

Internet History and Cookies:

Users\DefApps\APPDATA\INTERNETEXPLORER\INetCahe\.

Multimedia Files:

Users\Public\Pictures\CamerRoll\.

Application data and other traces of user activity were located on this device and required manual examination, custom Python scripts and intensive reconfiguration of raw data. Keep in mind that all 3rd party applications are different, store data with different obfuscation levels and require manual parsing (aka, don’t trust your tool – be smarter than it and validate your findings).

Now let’s consider the other devices that are trying to outsmart us. BlackBerry has always been secure. Pre-paid phones have locked data ports and knock-off devices are counterfeit, so support is inconsistent. iOS devices containing the A5-A8 chips are difficult if they are locked. There are methods for bypassing the lock, such as using the host computer Lockdown files as well as attempting to crack the PIN with the IP-BOX. If the user doesn’t back up their iOS device with a computer and uses a complex passcode… let’s just say you may not be getting access to that device, unless of course it’s jailbroken and not 64-bit. So may considerations, right?

Then there is Android Lollipop, which introduced the first default full disk encryption for this OS. How this will change our methods is TBD. I suggest you sign up for a FOR585 class to see how these devices can be accessed when you seem to have been outsmarted.

When considering which SANS course to take next, consider this – smartphone operating systems contain file systems similar to those discussed in FOR408 and FOR518, but need to be handled in a unique way. What about network traffic on smartphones? Here’s something to consider that you may have learned in FOR572 that should lead you to take FOR585 next.

“This class is critical for any forensicator in 2015,” said Phil Hagen, SANS Certified Instructor and course lead for FOR572, Advanced Network Forensics and Analysis.  “One thing we focus on from the network side is to hunt for adversaries in an environment and identify which endpoints require detailed examination.  When those are workstations or servers, the analysis path is very well-established.  However, if that endpoint is a modern mobile device, a forensicator must have the skills necessary to perform a comprehensive examination.  With ’smart’ mobile devices, the techniques are often vastly different than those required for traditional computing devices.”

References:

[1] http://dfir.to/Win8Phone-Forensics

[2] Practical Mobile Forensics

Heather Mahalik serves as a PM and leads the forensic effort for Oceans Edge, Inc. She has spent over twelve years conducing computer crime investigations ranging counter-intelligence to high profile criminal investigations. She is a Certified Instructor, course lead and co-author of FOR585 Advanced Smartphone Forensics and co-author of FOR518 Mac Forensic Analysis at the SANS Institute. Heather is co-author of Practical Mobile Forensics, by Packt Publishing. Find her on Twitter @HeatherMahalik and on her personal website/blog smarterforensics.com.

Upcoming courses of FOR585 Advanced Smartphone Forensics

Good morning everyone! I try to keep the calendar on this website updated with links to register for events where I will be teaching and speaking. I am still determining my conferences for the year, but here are my planned SANS FOR585 Advanced Smartphone Forensics Courses for 2015 (so far…let’s be honest, they always end up adding more).  The entire schedule can be viewed here. Keep in mind not all courses are posted. If you want to do FOR585 on your own, look into OnDemand.

Heather Mahalik will be teaching the following courses:

March 9-14 – Reston, VA – FOR585 Advanced Smartphone Forensics (New labs being released!!!)

May 5 – 10 – San Diego, CA (Who doesn’t want to go to sunny San Diego?)

June 15-20 – SANSFIRE Baltimore, MD (Right at the baseball stadium!)

August 11 – Sept 17 – vLive (online, in your house, in your jammies training)

September 14-19 – NS 2015 Las Vegas, NV (What happens in Vegas stays in Vegas..but not what you learn in FOR585!)

November 3-8 – Ft. Lauderdale (Again, it will be freezing in most places, warm up with me!)

Cindy Murphy will be teaching the following courses:

April 11 – 18 – SANS 2015 Orlando, Fl (Bring your family to Disney!)

May 11 – 16 Amsterdam, Netherlands (Taking FOR585 overseas!)

Boston and Prague – dates to be announced!

I hope to see you in a course in 2015. We are working on a certification and you can help by attending the course. Once you have taken the course, you can take the cert when it’s released.  There are a lot of smartphone courses out there and I believe that trying to replicate FOR585 is the best form of flattery. However, the real thing is the best! Come to the class and see for yourself.

Want your own copy of Practical Mobile Forensics for $5?

Hey everyone,

It’s the Holidays, so why not treat yourself to a copy of Practical Mobile Forensics? You can get the eBook for $5 until January 6th directly from Packt!  This book was designed to help both new and experienced examiners capture and analyze data from mobile devices.  Our goal was to use Open Source solutions as much as possible.  Check out the book and happy forensicating!

The link to purchase the book for $5 is

Happy Holidays!

Heather

Locked iOS devices hindering your investigations?

Good morning everyone! I know it’s that crazy time of year with the Holidays right around the corner, but some of us are still working… unfortunate, right? Cindy Murphy, my co-author of FOR585 and good friend, took the time to write up her testing and research on the IP-BOX.  You can get your own IP-BOX from Teel Technology.  Check out their site: http://www.teeltech.com/

IP-BOX IP Box documentation 12-2014

In summary, the IP-BOX can be used to defeat simple 4 digit PINS on iOS devices.  This includes devices running iOS1 – iOS8.  While newer iOS device require additional steps, the good news is that this magical black box may work at bypassing that lock!

If this issue is of interest to you, I would sign up for the SANS FOR585 Advanced Smartphone Forensics course where we discuss the IP-BOX and other methods for dealing with locked smartphones.  Until then, please enjoy the paper that Detective Cindy Murphy tool the time to write.

IP Box documentation-rev1 by Cindy Murphy.

Happy Holidays!

DFIRCON East Smartphone Forensic Challenge Winner

 

DFIRCONeast_c_785x90

Due to the vast amount of responses we got for our Smartphone Forensic Challenge, the winner was just determined.  The rules states that the winner must answer 4 of the 6 questions correctly, and the lucky winner answered all 6 questions correctly.  Congratulations Shawna Denson, you are the lucky winner!!!!

Thank you to everyone who submitted. FOR585 Advanced Smartphone Forensics is currently being held onDemand, at Network Security 2014 (Las Vegas), and  DFIRCON East (Ft. Lauderdale).  Cindy Murphy and I hope to see you in the classroom soon!

Stay tuned for Webcasts featuring cutting edge material on iOS8, Windows Phone Forensics and more!

http://www.sans.org/course/advanced-smartphone-mobile-device-forensics

The answers for the Challenge are listed below.

  1. What third-party applications have been granted access to device camera photos?

Facebook and DropBox

  1. What third-party applications have been granted access to the device address book?

Waze

  1. Which websites that were visited had requested the iPhone’s geolocation information for optimal browsing and were granted access?

Simply Hired and StubHub

  1. What permissions does the application MysteryApp.apk NOT have on the device?
  2.    Record audio
  3.    Read contacts
  4.    Send sms
  5.    Record video
  6.    Mount  & unmount files
  1. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?

Either answer is acceptable:

SHA1 (value within file) = DDpyDrYdc24hVh6aqWBmpHcfD3A=

SHA 1 (value of entire file)= 0c3a720eb61d736e21561e9aa96066a4771f0f70

  1.  What foreign language word(s) are found within the MysteryApp.apk application?

未接来 – Missed Calls