Category Archives: Uncategorized

Upcoming courses of FOR585 Advanced Smartphone Forensics

Good morning everyone! I try to keep the calendar on this website updated with links to register for events where I will be teaching and speaking. I am still determining my conferences for the year, but here are my planned SANS FOR585 Advanced Smartphone Forensics Courses for 2015 (so far…let’s be honest, they always end up adding more).  The entire schedule can be viewed here. Keep in mind not all courses are posted. If you want to do FOR585 on your own, look into OnDemand.

Heather Mahalik will be teaching the following courses:

March 9-14 – Reston, VA – FOR585 Advanced Smartphone Forensics (New labs being released!!!)

May 5 – 10 – San Diego, CA (Who doesn’t want to go to sunny San Diego?)

June 15-20 – SANSFIRE Baltimore, MD (Right at the baseball stadium!)

August 11 – Sept 17 – vLive (online, in your house, in your jammies training)

September 14-19 – NS 2015 Las Vegas, NV (What happens in Vegas stays in Vegas..but not what you learn in FOR585!)

November 3-8 – Ft. Lauderdale (Again, it will be freezing in most places, warm up with me!)

Cindy Murphy will be teaching the following courses:

April 11 – 18 – SANS 2015 Orlando, Fl (Bring your family to Disney!)

May 11 – 16 Amsterdam, Netherlands (Taking FOR585 overseas!)

Boston and Prague – dates to be announced!

I hope to see you in a course in 2015. We are working on a certification and you can help by attending the course. Once you have taken the course, you can take the cert when it’s released.  There are a lot of smartphone courses out there and I believe that trying to replicate FOR585 is the best form of flattery. However, the real thing is the best! Come to the class and see for yourself.

Locked iOS devices hindering your investigations?

Good morning everyone! I know it’s that crazy time of year with the Holidays right around the corner, but some of us are still working… unfortunate, right? Cindy Murphy, my co-author of FOR585 and good friend, took the time to write up her testing and research on the IP-BOX.  You can get your own IP-BOX from Teel Technology.  Check out their site: http://www.teeltech.com/

IP-BOX IP Box documentation 12-2014

In summary, the IP-BOX can be used to defeat simple 4 digit PINS on iOS devices.  This includes devices running iOS1 – iOS8.  While newer iOS device require additional steps, the good news is that this magical black box may work at bypassing that lock!

If this issue is of interest to you, I would sign up for the SANS FOR585 Advanced Smartphone Forensics course where we discuss the IP-BOX and other methods for dealing with locked smartphones.  Until then, please enjoy the paper that Detective Cindy Murphy tool the time to write.

IP Box documentation-rev1 by Cindy Murphy.

Happy Holidays!

DFIRCON East Smartphone Forensic Challenge Winner

 

DFIRCONeast_c_785x90

Due to the vast amount of responses we got for our Smartphone Forensic Challenge, the winner was just determined.  The rules states that the winner must answer 4 of the 6 questions correctly, and the lucky winner answered all 6 questions correctly.  Congratulations Shawna Denson, you are the lucky winner!!!!

Thank you to everyone who submitted. FOR585 Advanced Smartphone Forensics is currently being held onDemand, at Network Security 2014 (Las Vegas), and  DFIRCON East (Ft. Lauderdale).  Cindy Murphy and I hope to see you in the classroom soon!

Stay tuned for Webcasts featuring cutting edge material on iOS8, Windows Phone Forensics and more!

http://www.sans.org/course/advanced-smartphone-mobile-device-forensics

The answers for the Challenge are listed below.

  1. What third-party applications have been granted access to device camera photos?

Facebook and DropBox

  1. What third-party applications have been granted access to the device address book?

Waze

  1. Which websites that were visited had requested the iPhone’s geolocation information for optimal browsing and were granted access?

Simply Hired and StubHub

  1. What permissions does the application MysteryApp.apk NOT have on the device?
  2.    Record audio
  3.    Read contacts
  4.    Send sms
  5.    Record video
  6.    Mount  & unmount files
  1. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?

Either answer is acceptable:

SHA1 (value within file) = DDpyDrYdc24hVh6aqWBmpHcfD3A=

SHA 1 (value of entire file)= 0c3a720eb61d736e21561e9aa96066a4771f0f70

  1.  What foreign language word(s) are found within the MysteryApp.apk application?

未接来 – Missed Calls

Winners of Practical Mobile Forensics

Hello everyone,

Today is the day and two winners have been selected! Just so you are aware, I printed each of your names and put them into a hat. Two names were pulled. Those winners are Ryan Pittman and Sherry Torres-Dor.

I want to thank everyone for the kind and encouraging comments. Your words motivate me to give back as much as I can and continue to learn. I hope to see you in FOR585, FOR518, at a conference or one of my talks soon.

Thanks for the support!

Heather

Practical Mobile Forensics Discount Code

Hi everyone,

If you are interested in ordering both the eBook and the printed copy, below are some discount codes for you. Also, if you already ordered one and want the other, refer to the codes below.


Book: fksh1tLR
eBook: 2bMQDpoS

Also, if customers order the book from our website (https://www.packtpub.com/application-development/practical-mobile-forensics) they can order the print and e-book together for the price of the print book ($59.99).

DFIRCON EAST Smartphone Forensics Challenge

DFIRCON EAST Smartphone Forensics Challenge: https://www.surveymonkey.com/s/Smartphone-Challenge

The smartphone dataset contains Malware and an iOS backup file. The goal is to highlight application data often missed by forensic tools. Your job? Find it.

The object of our challenge is simple: Download the smartphone dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on September 30th, 2014 and we will announce the winner by October 6th 2014. Good luck!

Win a free DFIR OnDemand course by downloading the smartphone dataset and answering the following questions.

DOWNLOAD LINK FOR SMARTPHONE IMAGE: http://dfir.to/SmartPhoneChallengeZip14

To successfully submit for the contest. All answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below DFIR OnDemand courses:

SEC504: Hacker Techniques, Exploits & Incident Handling
FOR408: Computer Forensic Investigations – Windows In-Depth
FOR508: Advanced Computer Forensic Analysis and Incident Response
FOR526: Memory Forensics In-Depth
FOR572: Advanced Network Forensics and Analysis
FOR585: Advanced Smartphone Forensics
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SANS OnDemand:
SANS OnDemand is the world’s leading comprehensive online training for information security professionals. OnDemand offers more than 25 SANS courses whenever and wherever you want from your computer (Windows, Mac, and Linux), iPad or Android tablet. OnDemand allows you to learn at your own pace, spend extra time on complex principles, reinforce concepts with quizzes, and repeat lab exercises – all of which increases your retention of the course material.

Your course enrollment gives you printed course books, CD/DVDs/Toolkits for hands-on exercises (as applicable), four months of online access to our OnDemand e-learning platform featuring a top SANS instructor presenting the material, quizzes, and synchronized video demonstrations/interactive labs (as applicable).

The Smartphone Challenge is sponsored by DFIRCON East. To learn more about DFIRCON East, please visit http://www.sans.org/event/dfircon-east-2014

Rules:
1. Entry: Each participant may respond only once for the challenge. Contest begins on Monday, July 21st, 2014 and ends Tuesday, September 30th, 2014. Responses must be submitted by 9pm EST on September 30th.

2. Prize: Each person that correctly answers at least 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen by October 6th, 2014 and will be notified by email.

Questions regarding the challenge? Please send to DFIR-Challenge “at” sans.org. (DFIR-Challenge@sans.org ).

NIST Mobile Device Forensics Workshop

If you missed the NIST Mobile Device Forensics Workshop a few weeks ago, you can find the presentations here: http://www.nist.gov/forensics/mobile_forensics2.cfm.

Make sure to read about Open Source Mobile Device Forensics using Autopsy and scripts developed by the community, presented by yours truly. Other great presentations were provided by Cindy Murphy on Mobile Malware and Shafik Punja on the state of BlackBerry Forensics. There are several presentations that are fit for those breaking into Mobile Device Forensics included in the link above. For your convenience, I have downloaded and included a few of my favorites in the Presentations Page on my site.

Where should I focus my smartphone research?

Hello everyone! I hope you are getting ready to celebrate and enjoy the extra day off this week and the 4th of July if you are in the USA.

Now that my book is done, I am left wondering what to do with my extra time (because what new mom doesn’t have plenty of extra time). I plan to focus on the latest version of Android and iOS 8, but what else is out there that needs to be answered? Are you wanting more information on one platform, an overall OS? What do you want to see more of in regards to manual decoding? What are your tools missing?

“Help me, help you!” Yep – Jerry Maguire quote for you on this lovely Thursday morning. Thoughts?

Welcome!!!

Hello everyone and welcome to Smarter Forensics. I hope to use this platform to provide information on tools, techniques and methods I find useful when performing forensic investigations. While I focus heavily on smartphones, I will do my best to include information pertaining to digital forensics as a whole.

This is maintained by me, but is designed for the community. We are all in this together so please let me know if you have something to contribute to the Reading Room or if you aren’t comfortable posting on the blog!

Enjoy it!

Getting the most out of Smartphone Forensic Exams – SANS Advanced Smartphone Forensics Poster Release

Getting the most out of Smartphone Forensic Exams –

SANS Advanced Smartphone Forensics Poster Release

There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner’s brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information than can help to jumpstart their forensics exams and or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster collection is the Advanced Smartphone Forensics Poster, created by SANS FOR585 authors Heather Mahalik, Domenica Crognale, and Cindy Murphy.

These days, digital forensic investigations often rely on data extracted from smartphones, tablets and other mobile devices. Smartphones are the most personal computing device associated to any user, and therefore often provide the most relevant data per gigabyte examined in an investigation. The Advanced Smartphone Forensics Poster will guide you through the elements of the mobile forensic process so that the results of your examination will hold up under scrutiny.

1

The acquisition of Smartphone evidence can be complicated by the large assortment of device makes, models, and operating systems, with varying levels of acquisition support. The Smartphone Acquisition guide included in the poster will guide you through the intricacies of acquiring data from locked and unlocked phones for the major Smartphone platforms.

2

Once data is acquired, interpretation of that data can involve complexities such as data encryption and encoding, and relics of flash memory storage. The Advanced Smartphone Forensics Poster will help you to work through the basics of flash memory data layout, and various types of data encryption and encoding common to Smartphone data to help you get the most out of the acquired evidence.

Commercial tools have a difficult standard to live up to in regards to data decoding and don’t fully address the challenges of mobile malware detection and analysis.  With all of the apps available, it’s nearly impossible to automate the process of decoding all of the relevant data. The Advanced Smartphone Forensics poster will help walk you through the basic steps of mobile malware detection and analysis, and provides you with common evidence locations for the major smartphone platforms to help you narrow down and efficiently identify data that is important to your investigation.

3

Use this poster as a handy reference guide to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. Whether you’re new to smartphone forensics or you’re an experienced examiner, the SANS Advanced Smartphone Forensics Poster will help you get the most relevant evidence per gigabyte.

https://digital-forensics.sans.org/media/for585-poster.pdf

Cindy Murphy, SANS Instructor and Co-Author of FOR585