All posts by Heather Barnhart

What are your forensic tools really good at?

Happy Saturday everyone! Several of my SANS FOR585 students have asked me to document my opinions on what tools I like and how I find them to be helpful. Again, I am not including every single tool out there or highlighting all of their capabilities, so if one is missing that you find useful, please post in the comments. This is simply a quick blog to highlight what has helped me in the past 6+ months.

I am not going to dive too deep into acquisition. There are so many tools and methods available that most people can figure out a way to get the data. I recommend you always get a physical dump and logical or backup to help you parse the data. Pick your poison on obtaining the data (Cellebrite, MSAB, Lantern, Blacklight, ViaExtract, flasher boxes…. it goes on and on). Each tool has their pros and cons and it’s a bad idea to only have one tool in your toolbox. Smartphones are beasts and security is getting stronger. Make sure you test your tools and test them often. Don’t let one hurdle knock you down. Try to trick your tool into working for you if needed.

I think the easiest way to write this blog is to include highlights and then touch on them. What is your tool really good for based upon my experience:

Commercial Solutions (Not in any particular order):

  • IEF Mobile – Great for Internet evidence and parsing 3rd party application data. One of the best iOS app parsers out there.
  • Physical Analyzer – Probably the best analytical platform out there specific to smartphone tools. It doesn’t parse everything, but it gives us a platform for analysis where we can make it find the evidence with some manual carving and hex searches.  Best physical search feature for locating data in raw hex.
  • MSAB XRY/XACT – One of the only tools that provides access to the raw files during a logical acquisition. Guess what, to recover data that the tools don’t parse you need the raw files. This tool give you access to them!
  • Lantern – Great Facebook app support. Seems to parse more data than the others on specific iOS devices.
  • Blacklight – Great tool that can run on a Mac! Great support for iOS devices. Haven’t you heard that you should examine a Mac with a Mac? A wise examiner once told me that and it still resonates with me.
  • Mobilyze – Best triage tool for iOS and Android.
  • MPE+ – The SQLite builder is a great feature when manually examining databases from 3rd party apps.
  • Oxygen – The best tool for BlackBerry. Acquires the event log and provides a secure way to create a BB backup file. Also counts out all those nasty little databases for you. I also like how Oxygen parses 3rd Party Apps.

Open Source and Other Solutions (Not in any particular order):

  • Andriller – This is one of my new favorites. This tool can crack passcodes and provides parsers for iOS, Android and Windows 3rd Party Application files. Free for LE and well worth it for everyone else. The fee is small the results are huge! https://andriller.com/
  • Now Secure CE (used to be ViaExtract CE) – Andrew Hoog was kind to release this awesome tool. It provides acquisition support for free! Parsers are pretty kick-ass too. Check it out. https://www.nowsecure.com/forensics/community/
  • Sanderson Forensics tools – Great SQLite support! The SQLite Forensic Toolkit is so useful in recovering deleted data and for converting those pesky timestamps. http://www.sandersonforensics.com/forum/content.php
  • Parsers developed by the community. Mari DeGrazia (http://az4n6.blogspot.com/)and Adrian Leong (http://cheeky4n6monkey.blogspot.com/) are rockstars and often give back by developing scripts to help us sift through application and smartphone data. Check out their blogs to see what has been helping us sift through the massive amounts of data.
  • Autopsy – The Android Analyzer module supports parsing commonly missed items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. http://sleuthkit.org/autopsy/

I am sure I have forgotten to give credit to some where it’s due, so I am requesting that you help me out. What tools really help you and how? Is there one that is strong with Base64 decoding? What about the double Base64? Don’t know what that means??? Take FOR585 and Cindy Murphy and I will teach you.  If you need more references on how to use the tools and the open source/free solutions, read the following books:

Practical Mobile Forensics

Learning Android Forensics

Learning iOS Forensics

Good luck and keep digging in that Hex! The data is there and it’s your job to find it.

Has the smartphone finally outsmarted us?

I originally posted this on the SANS blog, but figured I would share below as well. Special thanks to Cindy Murphy, Adrian Leong, Maggie Gaffney, Shafik Punja, JoAnne Gibb, Brian McGarry and the Cellebrite developers who worked tirelessly on the WP8 device discussed in this blog!

Has the smartphone finally outsmarted us?

I can honestly say that the most common question I am asked by examiners, investigators, students and even my neighbors is, “which phone is the most secure?” Obviously, the concern behind the question varies. Some want to secure their own device, and others, like myself, want to prove everyone in DFIR wrong by cracking into the toughest and most secure devices.

Smartphone security has gotten drastically stronger in 2014. This year, we are expecting even more challenges when examining smartphones. When thinking about the forensic aspects of smartphone security and encryption, we have to consider two things:

  1. How are we going to get access to the data?
  2. Even if we get a dump of the device, can we decrypt and examine the data?
  3. What happens if I can access the data, but the application data is encrypted?

Let’s look at a few devices to consider our options. First, Windows Phone 8 (WP8) brought us new issues that commercial forensic kits could not fully support. The good news is that these devices only comprise approximately 2.5% of the smartphone market. The bad news – criminals still use them! My co-author for FOR585, Cindy Murphy, worked with others in DFIR to get over this hurdle when it really mattered. A criminal investigation forced Cindy into action when she realized the critical part of the crime was a Nokia 520 running WP8. Cindy essentially formed a “team” to divide and conquer on this WP8 device. They successfully obtained a JTAG image of the device and manually parsed the data. FYI, if you haven’t looked at a smartphone dump in awhile, it’s no longer just a few files you need to sift through like legacy mobile device images. You are now looking at a small hard drive of evidence needing to be manually parsed. This task alone could take a lot of patience and a really long time.

What makes WP8 devices so secure compared to the others? WP8 devices brought change that we, smartphone examiners, haven’t faced in the past. This is the first OS introduced into the smartphone community that utilized BitLocker technology to support data encryption on the device with AES 128, which utilizes a Trust Platform Module (TPM) to protect the encryption key once the data is secure. These two factors have caused heartache for us smartphone examiners who have one of these devices appear in our evidence lineup. Fortunately, Cindy and her “team” were able to obtain a physical image, bypass the encryption and parse the relevant evidence to support her criminal investigation. Their work can be found here: http://dfir.to/Win8Phone-Forensics If you haven’t read this paper, you should!

Cindy and her “team” worked directly with Cellebrite developers to provide a recent release supporting the Nokia 520 and similar WP8 devices, thus making your life easier.   In FOR585 we stress the importance on understanding how the data is stored and parsed by your tool. One tool cannot uncover and decode all data on a smartphone. It’s your job to learn the file system structures, data formats, encoding schemas and all of the other fun bit of smartphone forensics. Additionally, in Cindy’s case, one single tool did not parse or interpret all of the data from this device. The smartphone forensic tools could not handle the data dump. You will find this is true for some smartphones, so you need to understand all concepts of smartphone data. Your toolbox must contain both smartphone forensic tools as well as standard DFIR tools (yes, the same ones your learned about in FOR408 and FOR572).

Here are some cheat sheet locations where evidence on the WP8 resides (for more details on how to manually parse the data, please refer to the referenced paper, above):

SMS and Contacts:

Users\WPCOMMSERVICES\APPDATA\Local\Unistore\store.vol

MMS:

SharedData\Comms\Unistore\Data

Call Logs:

Users\WPCOMMSERVICES\APPDATA\Local\UserData\phone

Internet History and Cookies:

Users\DefApps\APPDATA\INTERNETEXPLORER\INetCahe\.

Multimedia Files:

Users\Public\Pictures\CamerRoll\.

Application data and other traces of user activity were located on this device and required manual examination, custom Python scripts and intensive reconfiguration of raw data. Keep in mind that all 3rd party applications are different, store data with different obfuscation levels and require manual parsing (aka, don’t trust your tool – be smarter than it and validate your findings).

Now let’s consider the other devices that are trying to outsmart us. BlackBerry has always been secure. Pre-paid phones have locked data ports and knock-off devices are counterfeit, so support is inconsistent. iOS devices containing the A5-A8 chips are difficult if they are locked. There are methods for bypassing the lock, such as using the host computer Lockdown files as well as attempting to crack the PIN with the IP-BOX. If the user doesn’t back up their iOS device with a computer and uses a complex passcode… let’s just say you may not be getting access to that device, unless of course it’s jailbroken and not 64-bit. So may considerations, right?

Then there is Android Lollipop, which introduced the first default full disk encryption for this OS. How this will change our methods is TBD. I suggest you sign up for a FOR585 class to see how these devices can be accessed when you seem to have been outsmarted.

When considering which SANS course to take next, consider this – smartphone operating systems contain file systems similar to those discussed in FOR408 and FOR518, but need to be handled in a unique way. What about network traffic on smartphones? Here’s something to consider that you may have learned in FOR572 that should lead you to take FOR585 next.

“This class is critical for any forensicator in 2015,” said Phil Hagen, SANS Certified Instructor and course lead for FOR572, Advanced Network Forensics and Analysis.  “One thing we focus on from the network side is to hunt for adversaries in an environment and identify which endpoints require detailed examination.  When those are workstations or servers, the analysis path is very well-established.  However, if that endpoint is a modern mobile device, a forensicator must have the skills necessary to perform a comprehensive examination.  With ’smart’ mobile devices, the techniques are often vastly different than those required for traditional computing devices.”

References:

[1] http://dfir.to/Win8Phone-Forensics

[2] Practical Mobile Forensics

Heather Mahalik serves as a PM and leads the forensic effort for Oceans Edge, Inc. She has spent over twelve years conducing computer crime investigations ranging counter-intelligence to high profile criminal investigations. She is a Certified Instructor, course lead and co-author of FOR585 Advanced Smartphone Forensics and co-author of FOR518 Mac Forensic Analysis at the SANS Institute. Heather is co-author of Practical Mobile Forensics, by Packt Publishing. Find her on Twitter @HeatherMahalik and on her personal website/blog smarterforensics.com.

Upcoming courses of FOR585 Advanced Smartphone Forensics

Good morning everyone! I try to keep the calendar on this website updated with links to register for events where I will be teaching and speaking. I am still determining my conferences for the year, but here are my planned SANS FOR585 Advanced Smartphone Forensics Courses for 2015 (so far…let’s be honest, they always end up adding more).  The entire schedule can be viewed here. Keep in mind not all courses are posted. If you want to do FOR585 on your own, look into OnDemand.

Heather Mahalik will be teaching the following courses:

March 9-14 – Reston, VA – FOR585 Advanced Smartphone Forensics (New labs being released!!!)

May 5 – 10 – San Diego, CA (Who doesn’t want to go to sunny San Diego?)

June 15-20 – SANSFIRE Baltimore, MD (Right at the baseball stadium!)

August 11 – Sept 17 – vLive (online, in your house, in your jammies training)

September 14-19 – NS 2015 Las Vegas, NV (What happens in Vegas stays in Vegas..but not what you learn in FOR585!)

November 3-8 – Ft. Lauderdale (Again, it will be freezing in most places, warm up with me!)

Cindy Murphy will be teaching the following courses:

April 11 – 18 – SANS 2015 Orlando, Fl (Bring your family to Disney!)

May 11 – 16 Amsterdam, Netherlands (Taking FOR585 overseas!)

Boston and Prague – dates to be announced!

I hope to see you in a course in 2015. We are working on a certification and you can help by attending the course. Once you have taken the course, you can take the cert when it’s released.  There are a lot of smartphone courses out there and I believe that trying to replicate FOR585 is the best form of flattery. However, the real thing is the best! Come to the class and see for yourself.

Want your own copy of Practical Mobile Forensics for $5?

Hey everyone,

It’s the Holidays, so why not treat yourself to a copy of Practical Mobile Forensics? You can get the eBook for $5 until January 6th directly from Packt!  This book was designed to help both new and experienced examiners capture and analyze data from mobile devices.  Our goal was to use Open Source solutions as much as possible.  Check out the book and happy forensicating!

The link to purchase the book for $5 is

Happy Holidays!

Heather

Locked iOS devices hindering your investigations?

Good morning everyone! I know it’s that crazy time of year with the Holidays right around the corner, but some of us are still working… unfortunate, right? Cindy Murphy, my co-author of FOR585 and good friend, took the time to write up her testing and research on the IP-BOX.  You can get your own IP-BOX from Teel Technology.  Check out their site: http://www.teeltech.com/

IP-BOX IP Box documentation 12-2014

In summary, the IP-BOX can be used to defeat simple 4 digit PINS on iOS devices.  This includes devices running iOS1 – iOS8.  While newer iOS device require additional steps, the good news is that this magical black box may work at bypassing that lock!

If this issue is of interest to you, I would sign up for the SANS FOR585 Advanced Smartphone Forensics course where we discuss the IP-BOX and other methods for dealing with locked smartphones.  Until then, please enjoy the paper that Detective Cindy Murphy tool the time to write.

IP Box documentation-rev1 by Cindy Murphy.

Happy Holidays!

DFIRCON East Smartphone Forensic Challenge Winner

 

DFIRCONeast_c_785x90

Due to the vast amount of responses we got for our Smartphone Forensic Challenge, the winner was just determined.  The rules states that the winner must answer 4 of the 6 questions correctly, and the lucky winner answered all 6 questions correctly.  Congratulations Shawna Denson, you are the lucky winner!!!!

Thank you to everyone who submitted. FOR585 Advanced Smartphone Forensics is currently being held onDemand, at Network Security 2014 (Las Vegas), and  DFIRCON East (Ft. Lauderdale).  Cindy Murphy and I hope to see you in the classroom soon!

Stay tuned for Webcasts featuring cutting edge material on iOS8, Windows Phone Forensics and more!

http://www.sans.org/course/advanced-smartphone-mobile-device-forensics

The answers for the Challenge are listed below.

  1. What third-party applications have been granted access to device camera photos?

Facebook and DropBox

  1. What third-party applications have been granted access to the device address book?

Waze

  1. Which websites that were visited had requested the iPhone’s geolocation information for optimal browsing and were granted access?

Simply Hired and StubHub

  1. What permissions does the application MysteryApp.apk NOT have on the device?
  2.    Record audio
  3.    Read contacts
  4.    Send sms
  5.    Record video
  6.    Mount  & unmount files
  1. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?

Either answer is acceptable:

SHA1 (value within file) = DDpyDrYdc24hVh6aqWBmpHcfD3A=

SHA 1 (value of entire file)= 0c3a720eb61d736e21561e9aa96066a4771f0f70

  1.  What foreign language word(s) are found within the MysteryApp.apk application?

未接来 – Missed Calls

Winners of Practical Mobile Forensics

Hello everyone,

Today is the day and two winners have been selected! Just so you are aware, I printed each of your names and put them into a hat. Two names were pulled. Those winners are Ryan Pittman and Sherry Torres-Dor.

I want to thank everyone for the kind and encouraging comments. Your words motivate me to give back as much as I can and continue to learn. I hope to see you in FOR585, FOR518, at a conference or one of my talks soon.

Thanks for the support!

Heather

Practical Mobile Forensics Discount Code

Hi everyone,

If you are interested in ordering both the eBook and the printed copy, below are some discount codes for you. Also, if you already ordered one and want the other, refer to the codes below.


Book: fksh1tLR
eBook: 2bMQDpoS

Also, if customers order the book from our website (https://www.packtpub.com/application-development/practical-mobile-forensics) they can order the print and e-book together for the price of the print book ($59.99).

Win A Free Copy of Packt’s Practical Mobile Forensics

I am pleased to announce that Packt Publishing is organizing a giveaway especially for you.   All you need to do is just comment below the post for a chance to win a free e-copy of Practical Mobile Forensics.  Two lucky winners will be selected.

book

Overview of Practical Mobile Forensics

  • Clear and concise explanations for forensic examinations of mobile devices
  • Master the art of extracting data, recovering deleted data, bypassing screen locks, and much more
  • The first and only guide covering practical mobile forensics on multiple platforms

How to Enter?

Simply post your expectations from this book as a comment or Tweet. You could be one of the 2 lucky participants to win the copy.

DeadLine: The contest will close on 09/25/04. Winners will be contacted by email, so be sure to use your real email address when you comment or contact me directly with it – hmahalik@smarterforensics.com.