TeelTech - Advancing Mobile Device Forensics (online version)
Instructor: Mike Felch
Introduction
Lunch & Learn Introduction
If you rely on tools
• Your examinations have probably missed critical data
• You may not have been able to examine certain devices
• You may have missed data from apps, especially the latest apps
• You found some data but exhausted yourself parsing it out
Lunch & Learn Content
Using a practical example of an investigation involving uncovering digital artifacts
using new techniques, we will identify data that was unrecoverable or overlooked
by traditional forensic tools.
Reverse Engineering Data Structures
After a brief overview of Hex Editor Neo and regular expressions, we will manually
examine a binary image acquired from a mobile device in our simulated
investigation.
Introduction to Programming with Python
We will cover some high-level Python overviews such as variables, loops, conditions,
slicing, and saving files. Just enough to demonstrate the ease and power of Python!
Python Programming for Mobile Forensics
After learning some basics in Python, we will write some scripts to extract artifacts
from mobile devices and then save the output as evidence for our investigation.
Learning Goals
• At the end of this event, you will have experienced:
• Going beyond push-button forensic tools, which is required to stay relevant
• There is power in understanding binary data
• Python programming is actually easier than it seems
• No previous programming background is required
By the end of the day, you will have gained a basic understanding of how to
apply reverse engineering and programming techniques in day-to-day
mobile device examinations.
About Mike
• Information Security Engineer, Computer Programmer, High-Tech Crime
Researcher, and CSIRT Manager in the private sector
• 14+ years of programming experience & reverse engineering
• Mostly Linux, Windows, Mobile, and Web
• Career:
• Infosec w/ focus in offensive strategies, surveillance, & cyber-attack
attribution
• Sr Software Engineer with enterprise experience
• Systems Engineer w/ defense contractor in the aerospace industry
Staying Relevant
Bridging the gap between mobile forensics and advancing technology
The Problem
Technology is leaving mobile device forensics behind, and reliance on
traditional tools widens the gap between the evidence that exists on a device
and the evidence an examiner can actually acquire.
• Privacy applications destroying content upon viewing
• Unsupported devices & applications
• Proprietary encryption & device passwords
• Mobile application updates rendering tools useless
… the list goes on
The Problem: Privacy Applications
• Apps are destroying data, making it unrecoverable
• Developers are removing themselves from the equation
❏ SnapChat: Erasing pictures after they are viewed
❏ Cyberdust: End-to-End encryption of messages
❏ Kakao Chat: Overwriting messages when they are deleted
❏ Whisper: Anonymized content
❏ TextSecure: End-to-End encryption of text messages
❏ RedPhone: End-to-End encryption of phone calls
plus many more...
The more apps are built around privacy, the less data industry-leading tools
will be able to acquire.
The Problem: Lack of Support
Unsupported Devices: Devices are constantly being released, and the number
of models makes it impossible for tools to support everything.
Unsupported Applications: New apps are being released every day, and support
from tools can take months. By the time they are supported, updates sometimes
break the support.
Cellebrite Physical Analyzer
● World Leader in Mobile Forensics
● 4:cast Forensic Tool of the Year Since 2012
● Known for Fastest Adoption of Phone & Apps
● Industry Standard
79,168 Devices w/o Physical Extraction Support
424,826 Total Devices
19% of Devices Aren’t Supported
… that’s 1 in 5 Devices Require JTAG / Chip-Off!
SnapChat Example
25 Updates Since January 17th, 2014
100 Million to 500 Million Installs
700 Million Photos/Videos Sent Per Day
… Forensic Tools Overlook Images!
The Solution
You don’t need a programming background!
• Don’t just learn the process, learn the technology
• Don’t be intimidated, it’s much simpler than it looks
• Break large complex problems into smaller solvable parts
• Research new methods, apps, and devices
• Embrace the power of programming
The Result
You will become a critical asset!
• Increased value to your department or agency
• Much more confident as a forensic examiner
• Programming experience is valuable outside of forensics
• Uncover methods that impact the global forensic community
• Solve cases that may have otherwise gone unsolved
The Requirement
It takes a commitment!
• Commit to spending 1 hour a day for 30 days using Python
• Don’t try to learn the language, learn what you need
• Spend time searching and finding messages in binary data
• Think about how to tell the computer to parse the data you need
• Don’t give up! Ask questions and embrace the community
15 Minutes of Open Dialogue
• What are some new problems facing mobile device forensics?
Overview of Technologies
Overview of Technologies
We will be looking at just a few technologies
• Hex Editor Neo
• Regular Expressions
• Python v3
• Cellebrite Physical Analyzer Scripting Engine
Overview of Technologies
Hex Editor Neo
Hex Editor Neo
• Typical hex editor but with advanced capabilities
• Identify data within multi-gigabyte files
• Handles many data representations: ASCII, hex, decimal, and binary
• Direct access to physical and logical disks, and even memory
• Extremely portable, doesn’t require full installation
• Very fast advanced searching
• Multiple simultaneous selections
Hex Editor Neo
Simple Layout
Hex Editor Neo
Simple Layout: Multiple Selections in a 4 GB Binary Phone Image
Hex Editor Neo
Expert Layout
Overview of Technologies
Regular Expressions
Regular Expressions (regex)
What is a regular expression?
• A special text string used to find a pattern
When should we use regular expressions?
• We know what the structure looks like but not the exact data it holds
Where can I find help?
• Help > Contents > Hex Editor Neo Definitive Guide > Regular
Expressions > Regular Expressions Syntax
Let’s take a look at an example...
Regular Expressions (regex)
Sample Regex
DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}
Sample Message
DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]
abc       Search for exact text
[abc]     Search for ‘a’, ‘b’, or ‘c’ text
\d        Search for a digit
\d{10}    Search for ten digits
\[        Search for the character [
*         Match 0 or more repetitions
.         Match any character except new line
\         Backslash escapes the following character
Overview of Technologies
Introduction to Python
Introduction to Python
• Comparing Data
• Basic Math Operations
• Variables
• Slicing
• Logical Conditions
• Loops
• Code Structure
• Saving Data
Python: Comparing Data
Operator   Meaning
<          Less than
<=         Less than or equal to
>          Greater than
>=         Greater than or equal to
==         Equal (note two equal signs)
!=         Not equal
Operator   Meaning                           Example         Result
or         True if either argument is true   True or False   True
and        True if both arguments are true   True and True   True
not        Opposite                          not False       True
Python: Basic Math Operations
Operator   Description   Example   Result
+          Sum           1+1       2
-          Difference    2-1       1
*          Product       2*3       6
/          Quotient      5/2       2.5
/          Quotient      4/2       2.0
x = 3+7
x = 4*9
x = 20/2
x = 44-1
Python: Variables
• Used to track data within our program
• Variables are containers for our data
• We store and change the values within the variable
• We select the names of the variables
• Names are case sensitive
• Can’t use certain words: if, for, while, etc.
Assign data with the equals sign
myVariable = 1
Assignments can include calculations
myVariable = 12 + 34
Python: Slicing
Index:      0 1 2 3 4 5 6 7 8 9
myString:   S l i c i n g T x T
myString[0:7]     Gets first 7 starting at index 0          ‘Slicing’
myString[:7]      Gets first 7 from beginning               ‘Slicing’
myString[7:]      Gets remaining starting at index 7        ‘TxT’
myString[2:7]     Gets 5 starting at index 2 to index 7     ‘icing’
myString[-5:-3]   Gets 2 starting at index -5 to index -3   ‘ng’
Python: Logic Conditions
if <condition>:
    <statement>
if x == 7:
    print('The number is 7!')
Control the flow of execution by making conditional statements which
decide whether indented statements get executed.
Python: Loops using for and while
for <target> in <sequence>:
    <statement>
for x in 'long string':
    print(x)
while <condition>:
    <statement>
while True:
    print("I will never stop!")
Python: Language Structure
string = 'This is my long string'
for character in string:
    if character == ' ':
        print('I found a space!')
• Each ‘code block’ is indented
• Statements execute until the ‘code block’ is un-indented
• There are no braces or brackets
• Can be spaces or tabs, but not both
• Must be consistent
Python: Saving Data
Mode   Meaning
'r'    Open for reading (default)
'w'    Open for writing but first truncate
'a'    Open for writing, append to end if exists
'b'    Open file in binary mode
There are different modes we can use when handling files. We first need
to decide if we are reading an existing file, writing a new file, or adding
to an existing file. Also determine if we are working with a binary file or
just ASCII.
* There are more modes available but we aren’t covering them in this lesson.
Python: Saving Data
with open(<filename>, <mode>) as newfile:
    newfile.write(<data>)
with open('output.log', 'w') as newfile:
    newfile.write('The number is 7!')
Once the ‘code block’ executes the last indented statement, it will
auto-close the file so it’s not locked.
Overview of Technologies
Cellebrite Physical Analyzer Scripting Engine
Cellebrite Physical Analyzer Scripting Engine
• Interactive mode or Run scripts
• Quick access to file systems
• Easy access to phone artifacts
• Very precise data
• Save data from examination
• Create timelines & hashes
• Run scripts or use a shell
… plus much more!
Example of Interactive Mode
Simulated Investigation
Investigation Outline
• Witness Clark Kent contacted Teel Tech Police on 01/01/2015 around 2140
• Report of disturbance from his neighbor’s residence, the incident location
• Incident location identified as 2681 Anywhere Street Lakeland, FL 33801
• Responding officers discover vehicle registered to suspect in garage of victim’s residence
• Responding officers discover vehicle registered to victim in garage of victim’s residence
• Violent screams heard coming from inside incident location by Witness Kent
• Welfare check reveals Suspect Lex Luthor inside of incident location
• Clothing of suspect reveals significant amount of blood
• Victim Lois Lane located inside residence, deceased, with multiple stabbing wounds to
upper body
Witness Interview
• Witness C. Kent reports hearing male and female arguing at incident location
• Reports he was unable to understand what was said
• Witness describes ‘violent screams’ originating from female
Suspect Interview
• Suspect L. Luthor claimed he was visiting his “friend”, the victim
• Claims to have discovered the victim deceased upon his arrival
• Alleged a male subject was standing beside victim’s body with a “bloody knife”
• Suspect claims to have “wrestled” the knife away from the unknown subject
• Unknown subject allegedly fled on foot prior to police arrival
• When questioned about specific circumstances, suspect requested legal
counsel
Crime Scene Evidence
• Kitchen “butcher” Knife – Found beside victim with victim’s blood as confirmed by Crime
Scene Lab
• Victim’s Clothing – Found on victim with multiple puncture holes to the front of shirt
• Suspect’s Clothing – Found on suspect with suspect’s shirt containing traces of victim’s
blood as confirmed by Crime Scene Lab
• Victim’s DNA was found on the shirt worn by the suspect
• Victim’s DNA was found on the murder weapon
• Suspect’s DNA was found on the murder weapon
• No evidence of forced entry was found at the crime scene
• No evidence of a third party being at the crime scene was found
Digital Forensic Evidence
● Victim’s Cell Phone – Samsung Galaxy S 4G SGH-T959V recovered from victim’s clothing.
● Suspect’s Cell Phone – Samsung S2 SGH-T989 seized from suspect’s clothing.
Samsung Galaxy S 4G (Victim’s Phone): Non-deleted Kakao messages were found on victim’s phone revealing an argument between
victim and suspect on the date of the incident. Kakao messages further indicate that victim advised suspect to not come over, during
the argument.
Samsung Galaxy S2 (Suspect’s Phone): Kakao messenger app was discovered; however, messages between victim and suspect on date
of incident were not recovered.
Demonstration: Reverse Engineering
Live Demonstration
• Open physical image of suspect’s phone in Hex Editor Neo
• Use victim’s phone to cross-examine recovered messages
• Identify recoverable messages of evidentiary value in the raw data
• Document recoverable message structure
Now what? Parsing would take forever!
By hand:
• 13 Potential Messages
• 5 Useful Data Points
• 5 minutes a record to hand copy
• 2 Mobile Devices to Examine
• 11 Hours to Copy/Paste
vs. with Python:
• 34 Lines of Code
• 5.4 Seconds to Process 4GB
• Re-use it Over and Over
Demonstration: Kakao Messenger Python
Live Demonstration
• Open physical image of suspect’s phone in Python
• Read binary data into a variable by chunks
• Use regular expressions to search for messages in raw data
• Slice out data points and print results
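As an added example (not code from the deck), the Kakao demonstration above and the DirectChat regex slide combined into one script: the slide's pattern gets capture groups, the image is read in chunks with an overlap so a record cut by a chunk boundary is still found exactly once, and the records are written out with the 'w' mode from the Saving Data slide. The DirectChat layout stands in for the reverse-engineered Kakao structure; the 512-byte record limit and the sample image bytes are constructed assumptions.

```python
import io
import re

# The record layout is the DirectChat structure from the regex slide, used here as a
# stand-in for the reverse-engineered Kakao layout the demo parses: a literal name,
# two 9-digit ids in brackets, free text, an 18-digit id in brackets, a short gap and
# a trailing 9-digit id. Capture groups are added, and the slide's greedy .* runs are
# replaced by bounded, bracket-free runs so one match cannot swallow the next record.
RECORD_RE = re.compile(
    rb"DirectChat\[(\d{9})\]\[(\d{9})\]"   # name + two user ids
    rb"([^\[\]]{0,400})"                    # message text (no brackets, bounded)
    rb"\[(\d{18})\]"                        # conversation id
    rb"[^\[\]]{0,64}"                       # short filler between ids
    rb"\[(\d{9})\]"                         # trailing id
)
CHUNK_SIZE = 1024 * 1024   # read the image 1 MiB at a time, as the demo describes
MAX_RECORD = 512           # assumption: no record is longer than this many bytes


def carve_records(stream, chunk_size=CHUNK_SIZE, max_record=MAX_RECORD):
    """Yield (offset, user_a, user_b, message, conversation_id, tail_id) for every
    record in a binary image, reading it in chunks so a 4 GB image never has to fit
    in memory. The last max_record bytes of each buffer are carried into the next
    one, so a record split across a chunk boundary is still found exactly once."""
    carry = b""
    base = 0                               # absolute image offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        last = not chunk
        buf = carry + chunk
        # A match that starts inside the final max_record bytes may be truncated by
        # the chunk boundary; defer it unless this is the final buffer.
        limit = len(buf) if last else max(0, len(buf) - max_record)
        for m in RECORD_RE.finditer(buf):
            if m.start() >= limit:
                break
            user_a, user_b, text, conv, tail = m.groups()
            yield (base + m.start(), user_a.decode(), user_b.decode(),
                   text.decode("utf-8", "replace"), conv.decode(), tail.decode())
        if last:
            return
        carry = buf[limit:]
        base += limit


def carve_bytes(data, chunk_size=CHUNK_SIZE, max_record=MAX_RECORD):
    """Convenience wrapper for in-memory data (used by the constructed sample below)."""
    return list(carve_records(io.BytesIO(data), chunk_size, max_record))


def carve_image(path, chunk_size=CHUNK_SIZE, max_record=MAX_RECORD):
    """Carve a physical image file from disk, opened in binary mode ('rb')."""
    with open(path, "rb") as image:
        yield from carve_records(image, chunk_size, max_record)


HEADER = "OFFSET\tUSER_ID\tUSER_ID\tCONVERSATION_ID\tTAIL_ID\tMESSAGE"


def format_record(rec):
    """One tab-separated evidence line; tabs, newlines and backslashes in the text
    are escaped so each record stays on exactly one line of the report."""
    offset, user_a, user_b, text, conv, tail = rec
    text = text.replace("\\", "\\\\").replace("\t", "\\t").replace("\n", "\\n")
    return f"{offset}\t{user_a}\t{user_b}\t{conv}\t{tail}\t{text}"


def save_records(path, records):
    """Write the carved records as evidence using the 'w' mode from the Saving Data
    slide; leaving the with-block closes the file."""
    with open(path, "w", encoding="utf-8") as out:
        out.write(HEADER + "\n")
        for rec in records:
            out.write(format_record(rec) + "\n")


# Constructed stand-in for a slice of a phone image: two records, filler bytes and a
# truncated "DirectChat[12" fragment that must not produce a false hit.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]"
    + b"\n\x00DirectChat[12\xff\xfe"
    + b"DirectChat[163244128][163244128]Don't even bother coming over[854668505684310000]zz[163244129]"
    + b"\xff" * 10
)

if __name__ == "__main__":
    # A 50-byte chunk forces both records to straddle a chunk boundary.
    for rec in carve_bytes(SAMPLE_IMAGE, chunk_size=50, max_record=128):
        print(format_record(rec))
```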
New Evidence: Deleted Kakao Messages
FILE DATE USER_ID USER_ID CONVERSATION ID MESSAGES
2015-01-01 04:26:07 163244128 163244128 85416308603768 Hi babe
2015-01-01 04:26:07 163244128 163244128 85416308603768 Do you mind coming over later, I just don't want to be alone.
2015-01-01 04:26:07 163244128 163244128 85466538152343 ya I have some stuff to talk to you about.. I'll be there but don't text me the wife is snooping
2015-01-01 04:26:07 163244128 163244128 85466538152343 I thought you were going to tell her about us???
2015-01-01 04:26:07 163244128 163244128 85466601022443 And what do you mean wife??? I thought you two were through??
2015-01-01 04:26:07 163244128 163244128 85466660556394 I need more time
2015-01-01 04:26:07 163244128 163244128 85466601022443 I need to figure some things out first
2015-01-01 04:26:07 163244128 163244128 85466660556394 You have been saying that for a month now!!!
2015-01-01 04:26:07 163244128 163244128 85466734692395 I can't wait any longer, I need to know you are going to be there for me!
2015-01-01 04:26:07 163244128 163244128 85466734692395 If you don't handle this today then we are done.
2015-01-01 04:26:07 163244128 163244128 85466759832214 I promise you will regret that!
2015-01-01 04:26:07 163244128 163244128 85466827351281 Look I told you to stop texting me! I will deal with you when I get there
2015-01-01 04:26:07 163244128 163244128 85466850568431 Don't even bother coming over
Forensic Tool Limitations: Deleted Kakao
What are our tools overlooking?
• Cellebrite was able to recover non-deleted Kakao messages
• Cellebrite was not able to recover deleted Kakao messages
• Examining the data structure revealed deleted Kakao messages
• Python used to successfully recover the deleted messages of interest
Arrest & Prosecution
Evidence Review
• Murder weapon “butcher knife” found with suspect’s DNA
• Suspect’s clothing found with victim’s blood and DNA
• No evidence of forced entry
• No evidence of third person being at scene of crime during time of murder
• Non-deleted Kakao messages were found on victim’s phone revealing an argument
between victim and suspect on the date of the incident
• Recovered deleted Kakao messages from suspect’s phone indicating a potential
Modus Operandi
Enough to pursue an arrest?
• Does sufficient Probable Cause exist to pursue filing charges
against the suspect for the murder of victim?
• Is there anyone who would not arrest and file charges against
the suspect?
• Does recovering deleted messages aid in providing sufficient
evidence for the Prosecution to pursue a conviction?
Re-examining the Device
From the perspective of the defense examiner
Re-examining the Device
Defense examiner identifies areas with user-data and after-market apps
Re-examining the Device: Applications
Defense examiner digs deeper into installed applications and finds SnapChat
Re-examining the Device: SnapChat Data
Defense examiner notices missing SnapChat images received from ex-husband ‘Matt Lane’
Re-examining the Device: SnapChat Data
Defense examiner notices SnapChat images were received right before murder
Demonstration: SnapChat Image Recovery
Live Demonstration
• Write script to be used in Cellebrite Physical Analyzer
• Go through each file in each file system for loaded phone image
• Examine filename, size, and deleted status of potential matches
• Save recovered image to local machine using new name
Re-examining the Device: Recovered Images
After stepping through the file system, the defense learned:
• 3 SnapChat images were present, intact, and recoverable
• Recovered images were not found by bleeding-edge forensic tools
• Images were from the ex-husband
• Images had timestamps showing they were received just before the murder
• Images place the ex-husband at the scene during the time of the murder
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420147701690.jpg
Embedded timestamp: 1420147701690 (milliseconds since the Unix epoch)
1/1/2015, 9:28:21 PM GMT
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420147811659.jpg
Embedded timestamp: 1420147811659
1/1/2015, 9:30:11 PM GMT
New Evidence: SnapChat Images
Filename: h1a81hurcs00h1420148205681.jpg
Embedded timestamp: 1420148205681
1/1/2015, 9:36:45 PM GMT
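An added example, not the deck's own Physical Analyzer script: the SnapChat filename check from the demonstration above, decoding the 13-digit millisecond timestamp the slides show and confirming the file still carries JPEG start and end markers before saving it under a name that records the receive time. It assumes the phone's file systems have been exported to a plain directory (so the deleted-status flag the tool exposes is not available here), assumes only the filename layout seen on the slides, and the sample JPEG bytes are constructed.

```python
import os
import re
import shutil
from datetime import datetime, timezone

# Assumption: a received SnapChat image is identified by an opaque prefix followed by
# a 13-digit millisecond Unix timestamp and ".jpg", as in the slides' filenames. The
# prefix is not assumed to be constant across devices.
SNAP_NAME_RE = re.compile(r"^(?P<prefix>.*?)(?P<ms>\d{13})\.jpg$", re.IGNORECASE)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def parse_snap_filename(name):
    """Return the embedded millisecond timestamp, or None if the name does not match."""
    m = SNAP_NAME_RE.match(name)
    return int(m.group("ms")) if m else None


def format_utc(ms):
    """Render a millisecond Unix timestamp in GMT the way the slides do,
    e.g. 1420147701690 -> '2015-01-01 21:28:21 UTC'."""
    stamp = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def is_intact_jpeg(data):
    """A file that still has both the SOI and EOI markers can be rendered as-is;
    anything else is partial or has been overwritten."""
    return len(data) > len(JPEG_SOI) + len(JPEG_EOI) and \
        data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def examine(name, data):
    """Filename, size and integrity of one candidate file, as the demo checks them."""
    ms = parse_snap_filename(name)
    return {
        "name": name,
        "size": len(data),
        "ms": ms,
        "utc": format_utc(ms) if ms is not None else None,
        "intact": is_intact_jpeg(data),
    }


def recover_images(root, out_dir):
    """Walk an exported file system, examine every file named like a SnapChat image
    and copy intact ones into out_dir under a name carrying the decoded receive time.
    Returns a list of (source_path, saved_as, utc_time)."""
    recovered = []
    os.makedirs(out_dir, exist_ok=True)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            with open(src, "rb") as f:
                info = examine(name, f.read())
            if info["ms"] is None or not info["intact"]:
                continue
            # New name keeps the original for chain of custody, e.g.
            # snapchat_2015-01-01_212821_UTC_h1a81hurcs00h1420147701690.jpg
            stamp = info["utc"].replace(":", "").replace(" ", "_")
            dst = os.path.join(out_dir, f"snapchat_{stamp}_{name}")
            shutil.copy2(src, dst)
            recovered.append((src, dst, info["utc"]))
    return recovered


# Constructed minimal JPEG-shaped byte string: SOI, an APP0 header, padding, EOI.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"

if __name__ == "__main__":
    for name in ("h1a81hurcs00h1420147701690.jpg", "h1a81hurcs00h1420148205681.jpg"):
        print(examine(name, SAMPLE_JPEG))
```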
… and just like that, the defense examiner
stops you in your tracks!
Risks Facing Examiners
Risks Facing Examiners
Overlooking evidence comes with great costs:
• Cases being thrown out or lost to defense examiners
• Reputation as an examiner tarnished
• False arrests & convictions of the innocent
• Ability to perform the job is reliant on available forensic tools
• Unprepared for future tech (watches, thermostats, glasses, etc.)
15 Minute Open Dialogue
• What parts of advancing forensics are intimidating?
Programming for
Mobile Device Forensics
Day 1: Reverse Engineering Data Structures
The first day we will spend getting our environments set-up, have a
refresher on binary data, and then dive into reverse engineering
• Deep dive into our tools
• Learn the tricks of the trade
• 9 Hands-on exercises
• Reconstructing data structures
… plus much more!
Day 2 & 3: Introduction to Python
The second and third day we will jump right into Python, learning all
about the language. These 2 days are critical to the success of the week.
• No programming background required
• Solid foundation in the language
• Hands-on exercises
• Tailored specifically for forensics
… plus much more!
Day 4: Digging Deeper with Python
By the end of the fourth day, students realize they have officially
embraced the ability to go beyond the tools and are excited!
• Ability to create full Python scripts
• Interpreting files previously not understood
• Marrying Python with forensics
• Provided powerful scripts
… plus much more!
Day 5: Advanced Mobile Forensics
By now, everyone in the class will be able to write Python for forensic
investigations. Day 5 we dig into more advanced Python!
• Accessing SQLite databases
• Embracing Python for Cellebrite Physical Analyzer
• Variable length data
• 7-bit and reverse 7-bit encoding
… plus much more!
Next Class
No prior programming experience is required!
Course
Introduction to Programming for Mobile Forensics
Where
Pinellas County Sheriff’s Office
10750 Ulmerton Rd. Largo, FL
When
July 13th - 17th, 2015
Cost
$3,200
Questions & Answers

Weitere ähnliche Inhalte

Was ist angesagt?

BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 

Was ist angesagt? (20)

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies:  Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 

Ähnlich wie TeelTech - Advancing Mobile Device Forensics (online version)

Data Science Accelerator Program
Data Science Accelerator ProgramData Science Accelerator Program
Data Science Accelerator Program
GoDataDriven
 

Ähnlich wie TeelTech - Advancing Mobile Device Forensics (online version) (20)

Transferring Software Testing Tools to Practice
Transferring Software Testing Tools to PracticeTransferring Software Testing Tools to Practice
Transferring Software Testing Tools to Practice
 
GDG Helwan Introduction to python
GDG Helwan Introduction to pythonGDG Helwan Introduction to python
GDG Helwan Introduction to python
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineering
 
Raising the Bar
Raising the BarRaising the Bar
Raising the Bar
 
Python with dataScience
Python with dataSciencePython with dataScience
Python with dataScience
 
Design Like a Pro: Scripting Best Practices
Design Like a Pro: Scripting Best PracticesDesign Like a Pro: Scripting Best Practices
Design Like a Pro: Scripting Best Practices
 
Design Like a Pro: Scripting Best Practices
Design Like a Pro: Scripting Best PracticesDesign Like a Pro: Scripting Best Practices
Design Like a Pro: Scripting Best Practices
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
Python Open CV
Python Open CVPython Open CV
Python Open CV
 
Class_X_PYTHON_J.pdf
Class_X_PYTHON_J.pdfClass_X_PYTHON_J.pdf
Class_X_PYTHON_J.pdf
 
Get full visibility and find hidden security issues
Get full visibility and find hidden security issuesGet full visibility and find hidden security issues
Get full visibility and find hidden security issues
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Data Science Accelerator Program
Data Science Accelerator ProgramData Science Accelerator Program
Data Science Accelerator Program
 
Time Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTTime Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETT
 
Save Time and Act Faster with Playbooks
Save Time and Act Faster with PlaybooksSave Time and Act Faster with Playbooks
Save Time and Act Faster with Playbooks
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and Challenges
 
Cyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxCyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptx
 
DIY Java Profiling
DIY Java ProfilingDIY Java Profiling
DIY Java Profiling
 
Python Module-1.1.pdf
Python Module-1.1.pdfPython Module-1.1.pdf
Python Module-1.1.pdf
 

TeelTech - Advancing Mobile Device Forensics (online version)

  • 3. Lunch & Learn Introduction If you rely on tools • Your examinations have probably missed critical data • You may not have been able to examine certain devices • You may have missed data from apps, especially the latest apps • You found some data but exhausted yourself parsing it out
  • 4. Lunch & Learn Content Using a practical example of an investigation involving uncovering digital artifacts using new techniques, we will identify data that was unrecoverable or overlooked by traditional forensic tools. Reverse Engineering Data Structures After a brief overview of Hex Editor Neo and regular expressions; we will manually examine a binary image acquired from a mobile device in our simulated investigation. Introduction to Programming with Python We will cover some high-level Python overviews such as variables, loops, conditions, slicing, and saving files. Just enough to demonstrate the ease and power of Python! Python Programming for Mobile Forensics After learning some basics in Python, we will write some scripts to extract artifacts from mobile devices and then save the output as evidence for our investigation.
  • 5. Learning Goals • At the end of this event, you will have experienced: • Going beyond push-button forensic tools, which is required to stay relevant • There is power in understanding binary data • Python programming is actually easier than it seems • No previous programming background is required By the end of the day, you will have learned a basic understanding of how to apply reverse engineering and programming techniques for use in day to day mobile device examinations
  • 6. About Mike • Information Security Engineer, Computer Programmer, High-Tech Crime Researcher, and CSIRT Manager in the private sector • 14+ years of programming experience & reverse engineering • Mostly Linux, Windows, Mobile, and Web • Career: • Infosec w/ focus in offensive strategies, surveillance, & cyber-attack attribution • Sr Software Engineer with enterprise experience • Systems Engineer w/ defense contractor in the aerospace industry
  • 7. Staying Relevant Bridging the gap between mobile forensics and advancing technology
  • 8. The Problem Technology is leaving mobile device forensics behind, and the reliance on traditional tools is further separating the ability to acquire evidence. • Privacy applications destroying content upon viewing • Unsupported devices & applications • Proprietary encryption & device passwords • Mobile application updates rendering tools useless … the list goes on
  • 9. The Problem: Privacy Applications •Apps are destroying data making it unrecoverable •Developers are removing themselves from the equation ❏ SnapChat Erasing pictures after they are viewed ❏ Cyberdust End-to-End encryption of messages ❏ Kakao Chat Overwriting messages when they are deleted ❏ Whisper Anonymized content ❏ TextSecure End-to-End encryption of text messages ❏ RedPhone End-to-End encryption of phone calls plus many more... The more and more apps built around privacy, the less and less data that will be acquired using industry leading tools
  • 10. The Problem: Lack of Support Unsupported Devices Unsupported Applications Devices are constantly being released and the number of models make it impossible for tools to support everything. New apps are being released every day and support from tools can take months. By the time they are supported, updates sometimes break the support. Cellebrite Physical Analyzer ● World Leader in Mobile Forensics ● 4:cast Forensic Tool of the Year Since 2012 ● Known for Fastest Adoption of Phone & Apps ● Industry Standard 79,168 Devices w/o Physical Extraction Support 424,826 Total Devices 19% of Devices Aren’t Supported … that’s 1 in 5 Devices Require JTAG / Chip-Off! SnapChat Example 25 Updates Since January 17th, 2014 100 Million to 500 Million Installs 700 Million Photos/Videos Sent Per Day … Forensic Tools Overlook Images!
  • 11. The Solution You don’t need a programming background! • Don’t just learn the process, learn the technology • Don’t be intimidated, it’s much simpler then it looks • Break large complex problems into smaller solvable parts • Research new methods, apps, and devices • Embrace the power of programming
  • 12. The Result You will become a critical asset! • Increased value to your department or agency • Much more confident as a forensic examiner • Programming experience is valuable outside of forensics • Uncover methods that impact the global forensic community • Solve cases that may have otherwise gone unsolved
  • 13. The Requirement It takes a commitment! • Commit to spending 1 hour a day for 30 days using Python • Don’t try to learn the language, learn what you need • Spend time searching and finding messages in binary data • Think about how to tell the computer to parse the data you need • Don’t give up! Ask questions and embrace the community
  • 14. 15 Minutes of Open Dialogue • What are some new problems facing mobile device forensics?
• 16. Overview of Technologies
We will be looking at just a few technologies:
• Hex Editor Neo
• Regular Expressions
• Python v3
• Cellebrite Physical Analyzer Scripting Engine
• 18. Hex Editor Neo
• Typical hex editor but with advanced capabilities
• Identify data within multi-gigabyte files
• Handles lots of data formats like ASCII, hex, decimal, and binary
• Direct access to physical and logical disks, and even memory
• Extremely portable, doesn’t require full installation
• Very fast advanced searching
• Multiple simultaneous selections
  • 20. Hex Editor Neo Simple Layout: Multiple Selections in 4gb Binary Phone Image
• 23. Regular Expressions (regex)
What is a regular expression?
• A special text string used to find a pattern
When should we use regular expressions?
• We know what the structure looks like but are unclear of the data
Where can I find help?
• Help > Contents > Hex Editor Neo Definitive Guide > Regular Expressions > Regular Expressions Syntax
Let’s take a look at an example...
• 24. Regular Expressions (regex)
Sample Regex
DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}
Sample Message
DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]
abc      Search for exact text
[abc]    Search for ‘a’, ‘b’, or ‘c’ text
\d       Search for a digit
\d{10}   Search for ten digits
\[       Search for the character [
*        Match 0 or more repetitions
.        Match any character except new line
\        Backslash escapes the following character
  • 27. Introduction to Python • Comparing Data • Basic Math Operations • Variables • Slicing • Logical Conditions • Loops • Code Structure • Saving Data
• 28. Python: Comparing Data
Operator   Meaning
<          Less than
<=         Less than or equal to
>          Greater than
>=         Greater than or equal to
==         Equal (note two equal signs)
!=         Not equal

Operator   Meaning                            Example          Result
or         True if either argument is true    True or False    True
and        True if both arguments are true    True and True    True
not        Opposite                           not False        True
• 29. Python: Basic Math Operations
Operator   Description   Example   Result
+          Sum           1+1       2
-          Difference    2-1       1
*          Product       2*3       6
/          Quotient      5/2       2.5
                         4/2       2.0
x = 3+7
x = 4*9
x = 20/2
x = 44-1
• 30. Python: Variables
• Used to track data within our program
• Variables are containers for our data
• We store and change the values within the variable
• We select the names of the variables
• Names are case sensitive
• Can’t use certain words: if, for, while, etc.
Assign data with the equals sign:
myVariable = 1
Assignments can include calculations:
myVariable = 12 + 34
• 31. Python: Slicing
Index:      0 1 2 3 4 5 6 7 8 9
myString:   S l i c i n g T x T
myString[0:7]     Gets first 7 starting at index 0            ‘Slicing’
myString[:7]      Gets first 7 from beginning                 ‘Slicing’
myString[7:]      Gets remaining starting at index 7          ‘TxT’
myString[2:7]     Gets 5 starting at index 2 to index 7       ‘icing’
myString[-5:-3]   Gets 2 starting at index -5 to index -3     ‘ng’
• 32. Python: Logic Conditions
Control the flow of execution by making conditional statements which decide whether indented statements get executed.
if <condition>:
    <statement>

if x == 7:
    print('The number is 7!')
• 33. Python: Loops using for and while
for <target> in <sequence>:
    <statement>

for x in 'long string':
    print(x)

while <condition>:
    <statement>

while True:
    print("I will never stop!")
• 34. Python: Language Structure
string = 'This is my long string'
for character in string:
    if character == ' ':
        print('I found a space!')
• Each ‘code block’ is indented
• Statements execute until the ‘code block’ is un-indented
• There are no braces or brackets
• Can be spaces or tabs, but not both
• Must be consistent
• 35. Python: Saving Data
There are different modes we can use when handling files. We first need to decide if we are reading an existing file, writing a new file, or adding to an existing file. Also determine if we are working with a binary file or just ASCII.
Mode   Meaning
‘r’    Open for reading (default)
‘w’    Open for writing but first truncate
‘a’    Open for writing, append to end if exists
‘b’    Open file in binary mode
* There are more modes available but we aren’t covering them in this lesson.
• 36. Python: Saving Data
with open(<filename>, <mode>) as newfile:
    newfile.write(<data>)

with open('output.log', 'w') as newfile:
    newfile.write('The number is 7!')
Once the ‘code block’ executes the last indented statement, it will auto-close the file so it’s not locked.
  • 37. Overview of Technologies Cellebrite Physical Analyzer Scripting Engine
• 38. Cellebrite Physical Analyzer Scripting Engine
• Interactive mode or Run scripts
• Quick access to file systems
• Easy access to phone artifacts
• Very precise data
• Save data from examination
• Create timelines & hashes
• Run scripts or use a shell
… plus much more!
Example of Interactive Mode
• 40. Investigation Outline
• Witness Clark Kent contacted Teel Tech Police on 01/01/2015 around 2140
• Report of disturbance from his neighbor’s residence, the incident location
• Incident location identified as 2681 Anywhere Street Lakeland, FL 33801
• Responding officers discover vehicle registered to suspect in garage of victim’s residence
• Responding officers discover vehicle registered to victim in garage of victim’s residence
• Violent screams heard coming from inside incident location by Witness Kent
• Welfare check reveals Suspect Lex Luthor inside of incident location
• Clothing of suspect reveals significant amount of blood
• Victim Lois Lane located inside residence, deceased, with multiple stabbing wounds to upper body
• 41. Witness Interview
• Witness C. Kent reports hearing male and female arguing at incident location
• Reports he was unable to understand what was said
• Witness describes ‘violent screams’ originating from female
• 42. Suspect Interview
• Suspect L. Luthor claimed he was visiting his “friend”, the victim
• Claims to have discovered the victim deceased upon his arrival
• Alleged a male subject was standing beside victim’s body with a “bloody knife”
• Suspect claims to have “wrestled” the knife away from the unknown subject
• Unknown subject allegedly fled on foot prior to police arrival
• When questioned about specific circumstances, suspect requested legal counsel
• 43. Crime Scene Evidence
• Kitchen “butcher” Knife – Found beside victim with victim’s blood as confirmed by Crime Scene Lab
• Victim’s Clothing – Found on victim with multiple puncture holes to the front of shirt
• Suspect’s Clothing – Found on suspect with suspect’s shirt containing traces of victim’s blood as confirmed by Crime Scene Lab
• Victim’s DNA was found on the shirt worn by the suspect
• Victim’s DNA was found on the murder weapon
• Suspect’s DNA was found on the murder weapon
• No evidence of forced entry was found at the crime scene
• No evidence of a third party being at the crime scene was found
• 44. Digital Forensic Evidence
● Victim’s Cell Phone – Samsung Galaxy S 4G SGH-T959V recovered from victim’s clothing.
● Suspect’s Cell Phone – Samsung S2 SGH-T989 seized from suspect’s clothing.
Samsung Galaxy S 4G (Victim’s Phone): Non-deleted Kakao messages were found on victim’s phone revealing an argument between victim and suspect on the date of the incident. Kakao messages further indicate that victim advised suspect to not come over, during the argument.
Samsung Galaxy S2 (Suspect’s Phone): Kakao messenger app was discovered; however, messages between victim and suspect on date of incident were not recovered.
• 45. Demonstration: Reverse Engineering
Live Demonstration
• Open physical image of suspect’s phone in Hex Editor Neo
• Use victim’s phone to cross-examine recovered messages
• Identify recoverable messages of evidentiary value in the raw data
• Document recoverable message structure
• 46. Now what? Parsing would take forever!
By hand:
• 13 Potential Messages
• 5 Useful Data Points
• 5 minutes a record to hand copy
• 2 Mobile Devices to Examine
• 11 Hours to Copy/Paste
vs. with Python:
• 34 Lines of Code
• 5.4 Seconds to Process 4GB
• Re-use it Over and Over
• 47. Demonstration: Kakao Messenger Python
Live Demonstration
• Open physical image of suspect’s phone in Python
• Read binary data into a variable by chunks
• Use regular expressions to search for messages in raw data
• Slice out data points and print results
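The demonstration outlined above, as an added example that is not part of the original presentation: it reads a binary image in chunks, runs the DirectChat pattern from the regex slide over each chunk, slices out the data points, and saves them with the open()/'w' pattern from the saving-data slide. The sample image, the overlap size and the field names (sender, recipient, conversation, record_id) are assumptions, and the slide's greedy .* is made non-greedy so one hit cannot swallow the next record.

```python
import io
import re

# Constructed stand-in for a physical image: two DirectChat records in the slide's
# sample layout, buried in junk bytes. Field names below are assumptions.
SAMPLE_IMAGE = (
    b"\x00\xff\x13junk"
    + b"DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]"
    + b"\x00" * 20
    + b"DirectChat[111111111][222222222]Are you coming over?[123456789012345678]zz[999999999]"
    + b"\xde\xad\xbe\xef"
)

# The slide's pattern compiled for bytes, with named groups so each data point can be
# sliced out by name, and non-greedy .*? so a hit cannot swallow the next record.
MESSAGE_RE = re.compile(
    rb"DirectChat\[(?P<sender>\d{9})\]\[(?P<recipient>\d{9})\]"
    rb"(?P<text>.*?)\[(?P<conversation>\d{18})\].*?\[(?P<record_id>\d{9})\]",
    re.DOTALL,
)

def carve_messages(stream, chunk_size=1024 * 1024, overlap=4096):
    """Yield (absolute_offset, fields) for every record; reads the image chunk by chunk."""
    seen = set()   # offsets already reported (a hit inside the overlap is seen twice)
    tail = b""     # bytes carried over from the previous chunk
    base = 0       # absolute offset of tail[0] within the image
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        data = tail + chunk
        for m in MESSAGE_RE.finditer(data):
            offset = base + m.start()
            if offset in seen:
                continue
            seen.add(offset)
            yield offset, {k: v.decode("utf-8", "replace") for k, v in m.groupdict().items()}
        tail = data[-overlap:]          # overlap must be at least one full record long
        base += len(data) - len(tail)

def save_report(records, path):
    """Write hits as tab-separated text; mode 'w' truncates any earlier report first."""
    with open(path, "w", encoding="utf-8") as out:
        out.write("offset\tsender\trecipient\tconversation\trecord_id\ttext\n")
        for offset, f in records:
            out.write(f"{offset}\t{f['sender']}\t{f['recipient']}\t{f['conversation']}\t{f['record_id']}\t{f['text']}\n")

def demo(chunk_size=64, overlap=96):
    """Carve the constructed image with a tiny chunk size so the overlap path is exercised."""
    return list(carve_messages(io.BytesIO(SAMPLE_IMAGE), chunk_size, overlap))

if __name__ == "__main__":
    save_report(demo(), "directchat_recovered.tsv")
```

On a real image, replace io.BytesIO(SAMPLE_IMAGE) with open(path, 'rb') and keep the default chunk size; the overlap only needs to exceed the longest record you expect.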
• 48. New Evidence: Deleted Kakao Messages
FILE DATE            USER_ID    USER_ID    CONVERSATION ID   MESSAGE
2015-01-01 04:26:07  163244128  163244128  85416308603768    Hi babe
2015-01-01 04:26:07  163244128  163244128  85416308603768    Do you mind coming over later, I just don't want to be alone.
2015-01-01 04:26:07  163244128  163244128  85466538152343    ya I have some stuff to talk to you about.. I'll be there but don't text me the wife is snooping
2015-01-01 04:26:07  163244128  163244128  85466538152343    I thought you were going to tell her about us???
2015-01-01 04:26:07  163244128  163244128  85466601022443    And what do you mean wife??? I thought you two were through??
2015-01-01 04:26:07  163244128  163244128  85466660556394    I need more time
2015-01-01 04:26:07  163244128  163244128  85466601022443    I need to figure some things out first
2015-01-01 04:26:07  163244128  163244128  85466660556394    You have been saying that for a month now!!!
2015-01-01 04:26:07  163244128  163244128  85466734692395    I can't wait any longer, I need to know you are going to be there for me!
2015-01-01 04:26:07  163244128  163244128  85466734692395    If you don't handle this today then we are done.
2015-01-01 04:26:07  163244128  163244128  85466759832214    I promise you will regret that!
2015-01-01 04:26:07  163244128  163244128  85466827351281    Look I told you to stop texting me! I will deal with you when I get there
2015-01-01 04:26:07  163244128  163244128  85466850568431    Don't even bother coming over
• 49. Forensic Tool Limitations: Deleted Kakao
What are our tools overlooking?
• Cellebrite was able to recover non-deleted Kakao messages
• Cellebrite was not able to recover deleted Kakao messages
• Examining the data structure revealed deleted Kakao messages
• Python used to successfully recover the deleted messages of interest
• 51. Evidence Review
• Murder weapon “butcher knife” found with suspect’s DNA
• Suspect’s clothing found with victim’s blood and DNA
• No evidence of forced entry
• No evidence of third person being at scene of crime during time of murder
• Non-deleted Kakao messages were found on victim’s phone revealing an argument between victim and suspect on the date of the incident
• Recovered deleted Kakao messages from suspect’s phone indicating a potential Modus Operandi
• 54. Enough to pursue an arrest?
• Does sufficient Probable Cause exist to pursue filing charges against the suspect for the murder of victim?
• Is there anyone who would not arrest and file charges against the suspect?
• Does recovering deleted messages aid in providing sufficient evidence for the Prosecution to pursue a conviction?
  • 55. Re-examining the Device From the perspective of the defense examiner
  • 56. Re-examining the Device Defense examiner identifies areas with user-data and after-market apps
  • 57. Re-examining the Device: Applications Defense examiner digs deeper into installed applications and finds SnapChat
  • 58. Re-examining the Device: SnapChat Data Defense examiner notices missing SnapChat images received from ex-husband ‘Matt Lane’
  • 59. Re-examining the Device: SnapChat Data Defense examiner notices SnapChat images were received right before murder
• 60. Demonstration: SnapChat Image Recovery
Live Demonstration
• Write script to be used in Cellebrite Physical Analyzer
• Go through each file in each file system for loaded phone image
• Examine filename, size, and deleted status of potential matches
• Save recovered image to local machine using new name
• 61. Re-examining the Device: Recovered Images
After stepping through the file system, the defense learned:
• 3 SnapChat images were present, intact, and recoverable
• Recovered images were not found by bleeding-edge forensic tools
• Images were from ex-husband
• Images had timestamps showing received just before the murder
• Images place ex-husband at the scene during time of murder
  • 62. New Evidence: SnapChat Images Filename: h1a81hurcs00h1420147701690.jpg 1420147701690 1/1/2015, 9:28:21 PM GMT
  • 63. New Evidence: SnapChat Images Filename: h1a81hurcs00h1420147811659.jpg 1420147811659 1/1/2015, 9:30:11 PM GMT
• 64. New Evidence: SnapChat Images Filename: h1a81hurcs00h1420148205681.jpg 1420148205681 1/1/2015, 9:36:45 PM GMT
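An added example, not the presentation's own script and not using the Cellebrite scripting API: the three filenames above end in a 13-digit Unix time in milliseconds, and this Python turns that into the GMT times shown, then applies the filename/size/deleted-status checks from the recovery demonstration to a constructed list of file records and builds a descriptive new name for each recovered image. The paths, sizes and deleted flags are constructed; only the filenames come from the slides.

```python
import re
from datetime import datetime, timezone

# Filename layout from the recovered-image slides: an alphanumeric prefix, then a
# 13-digit Unix time in milliseconds, then .jpg.
SNAP_NAME_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9]+?)(?P<ms>\d{13})\.jpg$")

# Constructed stand-in for the (path, size in bytes, deleted flag) records a tool's
# file-system walk would hand back. Paths are made up; only the names come from the slides.
SAMPLE_FILES = [
    ("cache/received/h1a81hurcs00h1420147701690.jpg", 51200, True),
    ("cache/received/h1a81hurcs00h1420147811659.jpg", 49152, True),
    ("cache/received/h1a81hurcs00h1420148205681.jpg", 53248, True),
    ("cache/received/h1a81hurcs00h1420148300000.jpg", 0, True),   # zero-length leftover
    ("cache/thumbnails/profile.jpg", 4096, False),                # no timestamp in name
]

def snap_timestamp(filename):
    """Return the UTC datetime encoded in the filename, or None if it does not fit the layout."""
    m = SNAP_NAME_RE.match(filename)
    if m is None:
        return None
    return datetime.fromtimestamp(int(m.group("ms")) / 1000, tz=timezone.utc)

def find_snap_images(files, min_size=1024):
    """Select entries whose name carries a timestamp and whose size could hold a real image.

    Returns (path, size, deleted, utc_timestamp, new_name) tuples sorted by time, so the
    examiner can see at a glance when each image was received and which were deleted.
    """
    hits = []
    for path, size, deleted in files:
        ts = snap_timestamp(path.rsplit("/", 1)[-1])
        if ts is None or size < min_size:
            continue
        state = "deleted" if deleted else "live"
        new_name = f"snap_{ts.strftime('%Y%m%d_%H%M%S')}Z_{state}.jpg"
        hits.append((path, size, deleted, ts, new_name))
    hits.sort(key=lambda h: h[3])
    return hits

if __name__ == "__main__":
    for path, size, deleted, ts, new_name in find_snap_images(SAMPLE_FILES):
        print(ts.strftime("%Y-%m-%d %H:%M:%S GMT"), size, "deleted" if deleted else "live", new_name)
```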
  • 65. … and just like that, the defense examiner stops you in your tracks!
• 67. Risks Facing Examiners
Overlooking evidence comes with great costs:
• Cases being thrown out or lost to defense examiners
• Reputation as an examiner tarnished
• False arrests & convictions of innocent
• Ability to perform job is reliant on available forensic tools
• Unprepared for future tech (watches, thermostats, glasses, etc)
  • 68. 15 Minute Open Dialogue • What parts of advancing forensics is intimidating?
• 70. Day 1: Reverse Engineering Data Structures
The first day we will spend getting our environments set up, have a refresher on binary data, and then dive into reverse engineering.
• Deep dive into our tools
• Learn the tricks of the trade
• 9 Hands-on exercises
• Reconstructing data structures
… plus much more!
• 71. Day 2 & 3: Introduction to Python
The second and third day we will jump right into Python, learning all about the language. These 2 days are critical to the success of the week.
• No programming background required
• Solid foundation in the language
• Hands-on exercises
• Tailored specifically for forensics
… plus much more!
• 72. Day 4: Digging Deeper with Python
By the end of the fourth day, students realize they have officially embraced the ability to go beyond the tools and are excited!
• Ability to create full Python scripts
• Interpreting files previously not understood
• Marrying Python with forensics
• Provided powerful scripts
… plus much more!
• 73. Day 5: Advanced Mobile Forensics
By now, everyone in the class will be able to write Python for forensic investigations. Day 5 we dig into more advanced Python!
• Accessing SQLite databases
• Embracing Python for Cellebrite Physical Analyzer
• Variable length data
• 7-bit and reverse 7-bit encoding
… plus much more!
• 74. Next Class
No prior programming experience is required!
Course: Introduction to Programming for Mobile Forensics
Where: Pinellas County Sheriff’s Office, 10750 Ulmerton Rd., Largo, FL
When: July 13th - 17th, 2015
Cost: $3,200