3. Lunch & Learn Introduction
If you rely on push-button tools alone:
• Your examinations have probably missed critical data
• You may not have been able to examine certain devices
• You may have missed data from apps, especially the latest apps
• You found some data but exhausted yourself parsing it out
4. Lunch & Learn Content
Using a practical example of an investigation involving uncovering digital artifacts
using new techniques, we will identify data that was unrecoverable or overlooked
by traditional forensic tools.
Reverse Engineering Data Structures
After a brief overview of Hex Editor Neo and regular expressions, we will manually
examine a binary image acquired from a mobile device in our simulated
investigation.
Introduction to Programming with Python
We will cover some high-level Python overviews such as variables, loops, conditions,
slicing, and saving files. Just enough to demonstrate the ease and power of Python!
Python Programming for Mobile Forensics
After learning some basics in Python, we will write some scripts to extract artifacts
from mobile devices and then save the output as evidence for our investigation.
5. Learning Goals
At the end of this event, you will have seen that:
• Going beyond push-button forensic tools is required to stay relevant
• There is power in understanding binary data
• Python programming is actually easier than it seems
• No previous programming background is required
By the end of the day, you will have learned a basic understanding of how to
apply reverse engineering and programming techniques for use in day to day
mobile device examinations
6. About Mike
• Information Security Engineer, Computer Programmer, High-Tech Crime
Researcher, and CSIRT Manager in the private sector
• 14+ years of programming experience & reverse engineering
• Mostly Linux, Windows, Mobile, and Web
• Career:
• Infosec w/ focus in offensive strategies, surveillance, & cyber-attack
attribution
• Sr Software Engineer with enterprise experience
• Systems Engineer w/ defense contractor in the aerospace industry
8. The Problem
Technology is leaving mobile device forensics behind, and reliance on traditional
tools widens the gap between what is on a device and what an examiner can acquire.
• Privacy applications destroying content upon viewing
• Unsupported devices & applications
• Proprietary encryption & device passwords
• Mobile application updates rendering tools useless
… the list goes on
9. The Problem: Privacy Applications
• Apps are destroying data, making it unrecoverable
• Developers are removing themselves from the equation
❏ SnapChat Erasing pictures after they are viewed
❏ Cyberdust End-to-End encryption of messages
❏ Kakao Chat Overwriting messages when they are deleted
❏ Whisper Anonymized content
❏ TextSecure End-to-End encryption of text messages
❏ RedPhone End-to-End encryption of phone calls
plus many more...
The more apps are built around privacy, the less data industry-leading tools
will be able to acquire.
10. The Problem: Lack of Support
Unsupported Devices
Devices are constantly being released, and the number of models makes it
impossible for tools to support everything.
Unsupported Applications
New apps are released every day, and tool support can take months. By the time
an app is supported, its updates sometimes break that support.
Cellebrite Physical Analyzer
● World Leader in Mobile Forensics
● 4:cast Forensic Tool of the Year Since 2012
● Known for Fastest Adoption of Phone & Apps
● Industry Standard
79,168 Devices w/o Physical Extraction Support
424,826 Total Devices
19% of Devices Aren’t Supported
… that’s 1 in 5 Devices Requiring JTAG / Chip-Off!
SnapChat Example
25 Updates Since January 17th, 2014
100 Million to 500 Million Installs
700 Million Photos/Videos Sent Per Day
… Forensic Tools Overlook Images!
11. The Solution
You don’t need a programming background!
• Don’t just learn the process, learn the technology
• Don’t be intimidated, it’s much simpler than it looks
• Break large complex problems into smaller solvable parts
• Research new methods, apps, and devices
• Embrace the power of programming
12. The Result
You will become a critical asset!
• Increased value to your department or agency
• Much more confident as a forensic examiner
• Programming experience is valuable outside of forensics
• Uncover methods that impact the global forensic community
• Solve cases that may have otherwise gone unsolved
13. The Requirement
It takes a commitment!
• Commit to spending 1 hour a day for 30 days using Python
• Don’t try to learn the language, learn what you need
• Spend time searching and finding messages in binary data
• Think about how to tell the computer to parse the data you need
• Don’t give up! Ask questions and embrace the community
14. 15 Minutes of Open Dialogue
• What are some new problems facing mobile device forensics?
16. Overview of Technologies
We will be looking at just a few technologies
• Hex Editor Neo
• Regular Expressions
• Python v3
• Cellebrite Physical Analyzer Scripting Engine
18. Hex Editor Neo
• Typical hex editor but with advanced capabilities
• Identify data within multi-gigabyte files
• Handles many data views: ASCII, hex, decimal, and binary
• Direct access to physical and logical disks, and even memory
• Extremely portable, doesn’t require a full installation
• Very fast advanced searching
• Multiple simultaneous selections
23. Regular Expressions (regex)
What is a regular expression?
• A special text string used to find a pattern
When should we use regular expressions?
• We know what the structure looks like but not the exact data it holds
Where can I find help?
• Help > Contents > Hex Editor Neo Definitive Guide > Regular
Expressions > Regular Expressions Syntax
Let’s take a look at an example...
24. Regular Expressions (regex)
Sample Regex
DirectChat\[\d{9}\]\[\d{9}\].*\d{18}\].*\d{9}
Sample Message
DirectChat[827364589][918273647]This is my Message[102938475647382910]zz[758493029]
abc      Search for the exact text abc
[abc]    Search for a single character: ‘a’, ‘b’, or ‘c’
\d       Search for a digit
\d{10}   Search for exactly ten digits
\[       Search for the literal character [ (escaped, because an unescaped [ starts a character class)
*        Match 0 or more repetitions of the preceding item
.        Match any character except newline
\        Backslash escapes the following character
Note that .* is greedy: in a raw image it runs to the last place the rest of the
pattern can still match, so bound a field that can be long (for example .{1,200}?)
instead of using .* when records sit close together.
27. Introduction to Python
• Comparing Data
• Basic Math Operations
• Variables
• Slicing
• Logical Conditions
• Loops
• Code Structure
• Saving Data
28. Python: Comparing Data
Operator   Meaning
<          Less than
<=         Less than or equal to
>          Greater than
>=         Greater than or equal to
==         Equal (note two equal signs)
!=         Not equal

Operator   Meaning                            Example          Result
or         True if either argument is true    True or False    True
and        True if both arguments are true    True and True    True
not        Opposite                           not False        True
Python keywords are lowercase and case sensitive: Or, And and Not are errors.
29. Python: Basic Math Operations
Operator   Description   Example   Result
+          Sum           1+1       2
-          Difference    2-1       1
*          Product       2*3       6
/          Quotient      5/2       2.5
                         4/2       2.0
In Python 3, / always returns a float (4/2 is 2.0, not 2); use // for integer
(floor) division and % for the remainder.
x = 3+7
x = 4*9
x = 20/2
x = 44-1
30. Python: Variables
• Used to track data within our program
• Variables are containers for our data
• We store and change the values within the variable
• We select the names of the variables
• Names are case sensitive
• Can’t use Python’s reserved keywords: if, for, while, etc.
Assign data with the equals sign
myVariable = 1
Assignments can include calculations
myVariable = 12 + 34
31. Python: Slicing
myString = 'SlicingTxT'

index:  0 1 2 3 4 5 6 7 8 9
        S l i c i n g T x T

myString[0:7]     First 7 characters, from index 0 up to (not including) index 7    'Slicing'
myString[:7]      First 7 characters; an omitted start means from the beginning     'Slicing'
myString[7:]      Everything from index 7 to the end                                'TxT'
myString[2:7]     5 characters, from index 2 up to (not including) index 7          'icing'
myString[-5:-3]   2 characters, from index -5 up to (not including) index -3        'ng'
32. Python: Logic Conditions
if condition:
    statement

if x == 7:
    print('The number is 7!')

Control the flow of execution with conditional statements, which decide whether
the indented statements get executed.
33. Python: Loops using for and while
for target in sequence:
    statement

for x in 'long string':
    print(x)

while condition:
    statement

while True:
    print("I will never stop!")
34. Python: Language Structure
string = 'This is my long string'
for character in string:
    if character == ' ':
        print('I found a space!')
• Each ‘code block’ is indented
• Statements execute until the ‘code block’ is un-indented
• There are no braces or brackets
• Indentation can be spaces or tabs, but not both
• Must be consistent
35. Python: Saving Data
Mode Meaning
‘r’ Open for reading (default)
‘w’ Open for writing but first truncate
‘a’ Open for writing, append to end if exists
‘b’ Open file in binary mode
There are different modes we can use when handling files. We first need
to decide if we are reading an existing file, writing a new file, or adding
to an existing file. Also decide whether we are working with a binary file
(add ‘b’, e.g. ‘rb’ for a physical image) or a text file.
* There are more modes available but we aren’t covering them in this lesson.
36. Python: Saving Data
with open(filename, mode) as newfile:
    newfile.write(data)

with open('output.log', 'w') as newfile:
    newfile.write('The number is 7!')

When the ‘code block’ finishes (after its last indented statement, or if an
exception is raised inside it), the with statement closes the file automatically,
so it is not left open or locked.
38. Cellebrite Physical Analyzer Scripting Engine
• Interactive mode or Run scripts
• Quick access to file systems
• Easy access to phone artifacts
• Very precise data
• Save data from examination
• Create timelines & hashes
• Run scripts or use a shell
… plus much more!
Example of Interactive Mode
40. Investigation Outline
• Witness Clark Kent contacted Teel Tech Police on 01/01/2015 around 2140
• Report of disturbance from his neighbor’s residence, the incident location
• Incident location identified as 2681 Anywhere Street Lakeland, FL 33801
• Responding officers discover vehicle registered to suspect in garage of victim’s residence
• Responding officers discover vehicle registered to victim in garage of victim’s residence
• Violent screams heard coming from inside incident location by Witness Kent
• Welfare check reveals Suspect Lex Luthor inside of incident location
• Clothing of suspect reveals significant amount of blood
• Victim Lois Lane located inside residence, deceased, with multiple stabbing wounds to
upper body
41. Witness Interview
• Witness C. Kent reports hearing male and female arguing at incident location
• Reports he was unable to understand what was said
• Witness describes ‘violent screams’ originating from female
42. Suspect Interview
• Suspect L. Luthor claimed he was visiting his “friend”, the victim
• Claims to have discovered the victim deceased upon his arrival
• Alleged a male subject was standing beside victim’s body with a “bloody knife”
• Suspect claims to have “wrestled” the knife away from the unknown subject
• Unknown subject allegedly fled on foot prior to police arrival
• When questioned about specific circumstances, suspect requested legal
counsel
43. Crime Scene Evidence
• Kitchen “butcher” Knife – Found beside victim with victim’s blood as confirmed by Crime
Scene Lab
• Victim’s Clothing – Found on victim with multiple puncture holes to the front of shirt
• Suspect’s Clothing – Found on suspect with suspect’s shirt containing traces of victim’s
blood as confirmed by Crime Scene Lab
• Victim’s DNA was found on the shirt worn by the suspect
• Victim’s DNA was found on the murder weapon
• Suspect’s DNA was found on the murder weapon
• No evidence of forced entry was found at the crime scene
• No evidence of a third party being at the crime scene was found
44. Digital Forensic Evidence
● Victim’s Cell Phone – Samsung Galaxy S 4G SGH-T959V recovered from victim’s clothing.
● Suspect’s Cell Phone – Samsung S2 SGH-T989 seized from suspect’s clothing.
Samsung Galaxy S 4G (Victim’s Phone): Non-deleted Kakao messages were found on victim’s phone revealing an argument between
victim and suspect on the date of the incident. Kakao messages further indicate that victim advised suspect to not come over, during
the argument.
Samsung Galaxy S2 (Suspect’s Phone): Kakao messenger app was discovered; however, messages between victim and suspect on date
of incident were not recovered.
45. Demonstration: Reverse Engineering
Live Demonstration
• Open physical image of suspect’s phone in Hex Editor Neo
• Use victim’s phone to cross-examine recovered messages
• Identify recoverable messages of evidentiary value in the raw data
• Document recoverable message structure
46. Now what? Parsing would take forever!
• 13 Potential Messages
• 5 Useful Data Points
• 5 minutes a record to hand copy
• 2 Mobile Devices to Examine
• 11 Hours to Copy/Paste
• 34 Lines of Code
• 5.4 Seconds to Process 4GB
• Re-use it Over and Over
vs.
47. Demonstration: Kakao Messenger Python
Live Demonstration
• Open physical image of suspect’s phone in Python
• Read binary data into a variable by chunks
• Use regular expressions to search for messages in raw data
• Slice out data points and print results
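The Kakao demonstration above, together with the regex and slicing slides before it, describes one procedure: open the image, read it in chunks, search the raw bytes with a regular expression, slice out the fields. The script below is an added example of that procedure; it is not the 34-line script from the demonstration or any Kakao code, and it uses the DirectChat record layout from the regex slide (with made-up IDs and messages placed in a zero-filled buffer) as a stand-in for whatever structure the hex-editor examination documented. The step the bullet list does not spell out is the chunk boundary: a record split between two reads is matched by neither half, so each chunk is prefixed with the tail of the previous one, and matches that fall entirely inside that tail are dropped as already reported.

```python
import io
import re

# Record structure, constructed for this example from the DirectChat sample on
# the regex slide (NOT the real Kakao on-disk format):
#   DirectChat[<9-digit id>][<9-digit id>]<message>[<18-digit id>]zz[<9-digit id>]
RECORD_RE = re.compile(
    rb"DirectChat\[(\d{9})\]\[(\d{9})\](.{1,200}?)\[(\d{18})\]zz\[(\d{9})\]",
    re.DOTALL,  # '.' must also match newline bytes inside a message
)
# Longest record the pattern can match: 10 + 11 + 11 + 200 + 20 + 2 + 11 bytes.
# Chunks overlap by at least this much, so a record that straddles a chunk
# boundary is seen whole in the following chunk.
MAX_RECORD_LEN = 265


def iter_records(stream, chunk_size=4 * 1024 * 1024, overlap=MAX_RECORD_LEN):
    """Yield (absolute_offset, (uid_a, uid_b, message, conv_id, tail_id)) for
    every record in a binary stream, reading it chunk by chunk so a multi-GB
    image never has to fit in memory."""
    carry = b""   # tail of the previous chunk, re-scanned together with the next
    base = 0      # absolute offset of buf[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = carry + data
        for m in RECORD_RE.finditer(buf):
            # A match lying entirely inside the carried-over tail was already
            # reported while scanning the previous chunk: skip the duplicate.
            if m.end() <= len(carry):
                continue
            fields = tuple(g.decode("utf-8", "replace") for g in m.groups())
            yield base + m.start(), fields
        keep = min(overlap, len(buf))
        carry = buf[-keep:]
        base += len(buf) - keep


def scan_image(path, chunk_size=4 * 1024 * 1024):
    """Scan a physical image on disk; 'rb' because the image is binary data."""
    with open(path, "rb") as img:
        return list(iter_records(img, chunk_size))


def scan_bytes(data, chunk_size):
    """Same scan over an in-memory buffer (used for the constructed sample)."""
    return list(iter_records(io.BytesIO(data), chunk_size))


# --- Constructed sample image ------------------------------------------------
def make_record(uid_a, uid_b, message, conv_id, tail_id):
    return (b"DirectChat[" + uid_a + b"][" + uid_b + b"]" + message
            + b"[" + conv_id + b"]zz[" + tail_id + b"]")


# Offsets chosen so that, with 1024-byte chunks, records 2 and 4 straddle a
# chunk boundary and record 3 lies wholly inside an overlap region. All IDs
# are made up; the first message is the sample from the regex slide.
SAMPLE_LAYOUT = [
    (100,  make_record(b"827364589", b"918273647", b"This is my Message",
                       b"102938475647382910", b"758493029")),
    (1000, make_record(b"163244128", b"163244129", b"Hi babe",
                       b"854163086037680000", b"758493030")),
    (1800, make_record(b"163244129", b"163244128", b"I need more time",
                       b"854666605563940000", b"758493031")),
    (3000, make_record(b"163244128", b"163244129", b"Don't even bother coming over",
                       b"854668503684310000", b"758493032")),
]


def build_sample_image(size=4096):
    """Zero-filled 'unallocated space' with the sample records written into it."""
    img = bytearray(size)
    for off, rec in SAMPLE_LAYOUT:
        img[off:off + len(rec)] = rec
    return bytes(img)


if __name__ == "__main__":
    for off, (uid_a, uid_b, msg, conv, tail) in scan_bytes(build_sample_image(), 1024):
        print(f"0x{off:08x}  {uid_a}  {uid_b}  {conv}  {msg}")
```

Run stand-alone it prints the four constructed records with their absolute offsets in the buffer, the same result whether the chunk size is 64 bytes, 1 KB or the whole image; scan_image() applies the identical scan to a real image opened in ‘rb’ mode. Two details carry over to any real structure: the overlap must be at least as long as the longest record the pattern can match, and the message group is bounded (.{1,200}?) rather than .* so a record with a missing terminator cannot make one match swallow the rest of the buffer.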
48. New Evidence: Deleted Kakao Messages
FILE DATE USER_ID USER_ID CONVERSATION ID MESSAGES
2015-01-01 04:26:07 163244128 163244128 85416308603768 Hi babe
2015-01-01 04:26:07 163244128 163244128 85416308603768 Do you mind coming over later, I just don't want to be alone.
2015-01-01 04:26:07 163244128 163244128 85466538152343 ya I have some stuff to talk to you about.. I'll be there but don't text me the wife is snooping
2015-01-01 04:26:07 163244128 163244128 85466538152343 I thought you were going to tell her about us???
2015-01-01 04:26:07 163244128 163244128 85466601022443 And what do you mean wife??? I thought you two were through??
2015-01-01 04:26:07 163244128 163244128 85466660556394 I need more time
2015-01-01 04:26:07 163244128 163244128 85466601022443 I need to figure some things out first
2015-01-01 04:26:07 163244128 163244128 85466660556394 You have been saying that for a month now!!!
2015-01-01 04:26:07 163244128 163244128 85466734692395 I can't wait any longer, I need to know you are going to be there for me!
2015-01-01 04:26:07 163244128 163244128 85466734692395 If you don't handle this today then we are done.
2015-01-01 04:26:07 163244128 163244128 85466759832214 I promise you will regret that!
2015-01-01 04:26:07 163244128 163244128 85466827351281 Look I told you to stop texting me! I will deal with you when I get there
2015-01-01 04:26:07 163244128 163244128 85466850568431 Don't even bother coming over
49. Forensic Tool Limitations: Deleted Kakao
What are our tools overlooking?
• Cellebrite was able to recover non-deleted Kakao messages
• Cellebrite was not able to recover deleted Kakao messages
• Examining the data structure revealed deleted Kakao messages
• Python used to successfully recover the deleted messages of interest
51. Evidence Review
•Murder weapon “butcher knife” found with suspect’s DNA
•Suspect’s clothing found with victim’s blood and DNA
•No evidence of forced entry
•No evidence of third person being at scene of crime during time of
murder
•Non-deleted Kakao messages were found on victim’s phone revealing
an argument between victim and suspect on the date of the incident
•Recovered deleted Kakao messages from suspect’s phone indicating a
potential Modus Operandi
54. Enough to pursue an arrest?
•Does sufficient Probable Cause exist to pursue filing charges
against the suspect for the murder of victim?
•Is there anyone who would not arrest and file charges against
the suspect?
•Does recovering deleted messages aid in providing sufficient
evidence for the Prosecution to pursue a conviction?
57. Re-examining the Device: Applications
Defense examiner digs deeper into installed applications and finds SnapChat
58. Re-examining the Device: SnapChat Data
Defense examiner notices missing SnapChat images received from ex-husband ‘Matt Lane’
59. Re-examining the Device: SnapChat Data
Defense examiner notices SnapChat images were received right before murder
60. Demonstration: SnapChat Image Recovery
Live Demonstration
• Write script to be used in Cellebrite Physical Analyzer
• Go through each file in each file system for loaded phone image
• Examine filename, size, and deleted status of potential matches
• Save recovered image to local machine using new name
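The four steps above, as an added example written against a small in-memory stand-in for the file-system entries a loaded image exposes (path, deleted flag, content). It is not the script from the demonstration: the Physical Analyzer object model and API are not reproduced here, and the cache paths, filename pattern and JPEG bodies are constructed for the example. Beyond the filename, size and deleted status named in the steps, it checks the JPEG start-of-image and end-of-image markers, because a cache file with a .nomedia extension, or no extension at all, is still an image and is exactly what a name-based sweep misses; it also records a SHA-256 of every export next to its new name so the saved copy can be tied back to the report.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class FsEntry:
    """Constructed stand-in for one file-system entry of the loaded image
    (hypothetical; adapt the field access to the real object model)."""
    path: str
    deleted: bool
    data: bytes

    @property
    def size(self):
        return len(self.data)


JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker
JPEG_EOI = b"\xff\xd9"       # End Of Image marker
# Hypothetical cache-name pattern; the real names come from the examination.
# Matched on the filename only: widen to the full path once the cache directory is known.
NAME_RE = re.compile(r"received_image|snap", re.IGNORECASE)
MIN_SIZE = 1024              # below this, treat as a thumbnail or stub, not evidence


def classify(entry):
    """Decide whether an entry is worth recovering, and why.

    The filename is a weak signal (a .nomedia or extension-less cache file is
    still a JPEG): the magic bytes decide, the name only widens the net."""
    name_hit = bool(NAME_RE.search(os.path.basename(entry.path)))
    is_jpeg = entry.data.startswith(JPEG_SOI)
    intact = is_jpeg and entry.data.rstrip(b"\x00").endswith(JPEG_EOI)
    candidate = (name_hit or is_jpeg) and entry.size >= MIN_SIZE
    return {"candidate": candidate, "name_hit": name_hit,
            "is_jpeg": is_jpeg, "intact": intact}


def recover(entries, out_dir):
    """Export every JPEG candidate to out_dir under a new name; return a report
    row per candidate (name-only hits are reported but not exported)."""
    report = []
    for n, e in enumerate(entries, 1):
        c = classify(e)
        if not c["candidate"]:
            continue
        rec = {"source": e.path, "deleted": e.deleted, "size": e.size,
               "sha256": hashlib.sha256(e.data).hexdigest(), **c, "saved_as": None}
        if c["is_jpeg"]:
            # New name: sequence number plus hash prefix, so exports never collide
            # and each file can be matched to its hash in the report.
            dest = os.path.join(out_dir, f"recovered_{n:03d}_{rec['sha256'][:12]}.jpg")
            with open(dest, "wb") as f:
                f.write(e.data)
            rec["saved_as"] = dest
            rec["verified"] = os.path.getsize(dest) == e.size
        report.append(rec)
    return report


# --- Constructed sample "file system" -----------------------------------------
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + bytes(range(256)) * 6 + JPEG_EOI  # 1542 bytes

SAMPLE_FS = [
    # live cache file whose extension hides it from a media-only sweep
    FsEntry("/data/data/com.example.snap/cache/received_image_snaps/h1a2b3.jpg.nomedia",
            False, SAMPLE_JPEG),
    # deleted and extension-less: only the magic bytes give it away
    FsEntry("/data/data/com.example.snap/cache/tmp_000417", True, SAMPLE_JPEG),
    # too small to be a full image: skipped
    FsEntry("/data/data/com.example.snap/cache/received_image_snaps/thumb.jpg", True,
            JPEG_SOI + b"\x00" * 40 + JPEG_EOI),
    # name matches but the content is a database, not an image: reported, not exported
    FsEntry("/data/data/com.example.snap/databases/snap_meta.db", False,
            b"SQLite format 3\x00" * 128),
]


def demo(out_dir=None):
    out_dir = out_dir or tempfile.mkdtemp(prefix="recovered_")
    return recover(SAMPLE_FS, out_dir)


if __name__ == "__main__":
    for r in demo():
        state = "DELETED" if r["deleted"] else "live   "
        print(f"{state} {r['size']:6d} intact={str(r['intact']):5} {r['source']} -> {r['saved_as']}")
```

Against the constructed entries the run exports two images (one live, one deleted) and reports the database that only matched by name, while the thumbnail falls below the size floor. The deleted flag is carried through to the report rather than used as a filter: in the scenario above the images were intact and recoverable whether or not the file-system marked them deleted.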
61. Re-examining the Device: Recovered Images
After stepping through file system, defense learned:
• 3 SnapChat images were present, intact, and recoverable
• Recovered images were not found by bleeding-edge forensic tools
• Images were from ex-husband
• Images had timestamps showing received just before the murder
• Images place ex-husband at the scene during time of murder
67. Risks Facing Examiners
Overlooking evidence comes with great costs:
• Cases being thrown out or lost to defense examiners
• Reputation as an examiner tarnished
• False arrests & convictions of innocent
• Ability to perform job is reliant on available forensic tools
• Unprepared for future tech (watches, thermostats, glasses, etc)
68. 15 Minute Open Dialogue
• What parts of advancing forensics is intimidating?
70. Day 1: Reverse Engineering Data Structures
The first day we will spend getting our environments set-up, have a
refresher on binary data, and then dive into reverse engineering
• Deep dive into our tools
• Learn the tricks of the trade
• 9 Hands-on exercises
• Reconstructing data structures
… plus much more!
71. Day 2 & 3: Introduction to Python
The second and third day we will jump right into Python, learning all
about the language. These 2 days are critical to the success of the week.
• No programming background required
• Solid foundation in the language
• Hands-on exercises
• Tailored specifically for forensics
… plus much more!
72. Day 4: Digging Deeper with Python
By the end of the fourth day, students realize they have officially
embraced the ability to go beyond the tools and are excited!
• Ability to create full Python scripts
• Interpreting files previously not understood
• Marrying Python with forensics
• Provided powerful scripts
… plus much more!
73. Day 5: Advanced Mobile Forensics
By now, everyone in the class will be able to write Python for forensic
investigations. Day 5 we dig into more advanced Python!
• Accessing SQLite databases
• Embracing Python for Cellebrite Physical Analyzer
• Variable length data
• 7-bit and reverse 7-bit encoding
… plus much more!
74. Next Class
No prior programming experience is required!
Course
Introduction to Programming for Mobile Forensics
Where
Pinellas County Sheriff’s Office
10750 Ulmerton Rd. Largo, FL
When
July 13th - 17th, 2015
Cost
$3,200