3. Announcements
• October 25th Cyber Fair (10 am - 3 pm)
• FAST has 3 booths (Android Forensics, iPhone Forensics, and Hacking)
• Need volunteers
• No FAST meeting that week
• Amazon Director of HR and Cyber next week!
• October 21st, 4:30-8: GoKart && Food Club social
• $10 for GoKart or $15 for GoKart and Food
5. Digital Forensics on Cellular Devices
• What is captured?
• EVERYTHING…text messages, calls, calendar events, app data (including
passwords), pictures (even if you delete them), and much more.
• Where is data stored?
• Internal Memory
• External Memory (SD Card)
6. Digital Forensics on iPhones
• Manual Acquisition
• Search the user interface for data. This method is time
consuming and is only available to a single user.
• Physical Acquisition
• Bit-by-bit copy of the file system (including deleted data and
unallocated space).
• Logical Acquisition
• Using the phone provider’s software to extract
information
7. How To Protect Yourself
• Selling your phone?
• NEVER sell a phone without successfully wiping everything.
• As you will see in this demonstration, we can recover virtually any piece of
information.
• Steps to take before selling a phone:
• Format Internal and External Memory
• Format Micro SD Card
8. Wiping iPhone vs. Android
iPhone
• Settings > General > Reset > Erase all Content and Settings.
• Apple uses hardware encryption: data is encrypted and the password is not stored
on the device.
Android
• Varies from manufacturer to manufacturer.
• Be warned, some manufacturers don’t follow proper data-wiping practices
and leave behind trace files. I suggest seeking a third party application.
• Encrypt your phone
• Settings > General > Backup & Reset > Factory Data Reset
http://lifehacker.com/5808280/what-should-i-do-with-my-phone-before-i-sell-it
9. Forensics On iOS
• Step 1: Create or locate a full backup for the device with iTunes. Even for
forensics on a current device, we need the backup file. iTunes does a
wonderful job in backing up EVERYTHING.
• Step 2: Download the SourceForge iPhone Analyzer tool. This is available for
Windows, Mac and Linux.
http://sourceforge.net/projects/iphoneanalyzer/
Note: This is an executable Jar file. DO NOT extract it. If your computer
doesn’t have a program to execute this, download a version from cnet.
http://download.cnet.com/Java-Launcher/3000-2213_4-10332879.html
• Step 3: Select your backup
• Step 4: Import the backup
• Step 5: Begin the investigation
10. Step 1: Google “iphone analyzer”
- The 1st link should be for ‘sourceforge’
- Click ‘download’
• This will give you a .jar file
• (if you do not have ‘java launcher’ (windows) you will be tempted to open it as a compressed file)
11. If you do not have ‘java launcher’ to run .jar files in java
- Google “java launcher”
- The 3rd link should be for ‘CNET’
- Click on the “Direct Download Link”
- DO NOT CLICK ON THE ‘DOWNLOAD NOW’ link,
you WILL get malware!
(my power icon was removed and so was access to turn the power icon back on)
12. Even though iPhone Analyzer runs with Java (x64),
Java Launcher requires Java (x86)
(assuming you’re running Windows 10)
- Google “download java jdk”
- The 1st link should be for ‘oracle’
- Click on JDK download
13. Download all 4 executables
- Java launcher: jdk-8u65-windows-i586.exe && jdk-8u66-windows-i586.exe
- To open .jar files: jdk-8u65-windows-x64.exe && jdk-8u66-windows-x64.exe
Error message if you don’t download BOTH Java (x86) files
14. When you open the java folder in both ‘Program Files (x86)’
& ‘Program Files’
they should both have 4 folders named:
jdk1.8.0_65, jdk1.8.0_66, jre1.8.0_65, jre1.8.0_66
• YOU NEED ALL FOUR and the ‘Program Files (x86)’ java folders
contain different files from the java folders in ‘Program Files’.
15. • With that said, I did come across an instance when I opened the
java folder and it did NOT have all 4 folders after downloading.
To troubleshoot, FROM WITHIN THE SAME FOLDER copy the
folder type of the version you are missing and rename the copy
of the folder to the type you are missing
• (for example if you are missing “jre1.8.0_66” copy “jre1.8.0_65”
and rename the copy to “jre1.8.0_66”).
17. NOW YOU SHOULD BE ABLE TO OPEN iphoneanalyzer.jar !!!
• (with the default program “Java(TM) Platform SE binary”)
21. Digital Forensics on Androids
• Manual Acquisition
• Search the user interface for data. This method is time
consuming and is only available to a single user.
• Physical Acquisition
• Bit-by-bit copy of the file system (including deleted data and
unallocated space).
• Logical Acquisition
• Using the phone provider’s software to extract
information
26. Command Prompt Interface
• Plug in your device
• Enable “USB Debugging”
• For most phones, go to About Phone and tap “Build Number” 7 times to enable
Developer Options, then enable USB debugging there
• Pass the USB connection to Linux
27. Commands
• In the AFLogical command prompt:
• Type: adb devices (this will confirm your device is connected)
• Type: aflogical-ose (press confirm on your phone)
• Select the data to include in the image
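Added example (not from the slides or the AFLogical project): before typing aflogical-ose, a small shell check of the `adb devices` output that tells a ready handset apart from one still showing "unauthorized" (the confirm prompt on the phone was not accepted) or "offline". The sample output and serial numbers below are constructed so the script runs offline; on the Santoku box replace them with the real `adb devices` output.

```shell
#!/bin/sh
# Constructed sample of what `adb devices` prints (serials are made up).
# Real adb separates the columns with a tab; awk splits on any whitespace.
SAMPLE_ADB_OUTPUT='List of devices attached
0123456789ABCDEF    device
ZX1G22AAAA          unauthorized
emulator-5554       offline
'

# Serials in the "device" state, i.e. ready for a logical acquisition.
ready_serials() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Serials whose state blocks acquisition, each with a hint on what to fix.
blocked_serials() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 2 && $2 != "device" {
        if ($2 == "unauthorized") hint = "accept the USB debugging prompt on the phone"
        else hint = "reconnect the cable or toggle USB debugging"
        print $1 " " $2 " (" hint ")"
    }'
}

# Succeeds only when exactly one device is ready, so the imaging step cannot
# be started against no handset or against the wrong one of several.
check_single_ready() {
    count=$(ready_serials "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ]
}

main() {
    # On a real workstation: OUTPUT=$(adb devices)
    OUTPUT=$SAMPLE_ADB_OUTPUT
    echo "Ready:"
    ready_serials "$OUTPUT"
    echo "Blocked:"
    blocked_serials "$OUTPUT"
    if check_single_ready "$OUTPUT"; then
        echo "OK: one device ready, safe to run aflogical-ose"
    else
        echo "Stop: expected exactly one ready device"
    fi
}

main "$@"
```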
35. Troubleshooting
• Make sure you set up Santoku Linux correctly
• When the terminal window asks for a password, it doesn’t appear on the
screen for security reasons. Just enter the password you registered with.
• Feel free to contact me with questions.
• kkrohrer@cpp.edu or (661) 972-2686
38. Incognito / private browsing
• Doesn’t save history, downloads, cookies, passwords, etc.
• ALL internet activity still VERY visible
40. VPN chrome extension
• Great for quick protection
(hides IP and encrypts internet activity)
• Recommend CyberGhost
(free, unlimited VPN)
• Still saves history, cookies, etc. on
local machine
42. Tor Network
• Routes through multiple IPs that constantly change
• Like an advanced VPN with amnesia
• Can still be tracked when entering and exiting Tor
43. CyberGhost Desktop App
• Connect to VPN before Tor to mask
entrance
• CyberGhost assigns random
username
• Couldn’t find a free VPN that protects against exit nodes
• If you purchase VPN, use BitCoins or
DarkCoins
45. Tails (Anonymous OS)
• Deletes EVERYTHING
• Load from USB, not a VM
• Profoundly safe
• But SLOW and inconvenient
• Set up admin every startup
• Prove you are not a bot constantly
46. Whonix
• Anonymous OS: two VMs working in tandem
• Isn't amnesiac
• Nicer interface, but still a VM, which has weaknesses that can be exploited
• Recommend using with the VPN desktop app
53. Making sure data is backed up
• Can prevent loss of:
• Personal Information
• Music
• Photos
• Wi-Fi passwords
• Apps
• Can back up to multiple places
• Titanium Backup
54. Encrypting your device
• Pros: Keeps data safe if you lose the device by making the data unreadable
• Cons: Slower performance; no going back without a factory reset
• Lollipop (Android 5.0): the phone comes encrypted by default.
• Marshmallow (Android 6.0): makes full disk encryption mandatory.