Mobile/Smart Phone Forensic

Watcharaphon Wongaphai
Senior Information Security Instructor
GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA
Prathan Phongthiproek
Section Manager, Senior Information Security Consultant
GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F

ACIS Professional Center
Outline

1)  Introduction to Mobile Forensics
2)  Forensic Analysis of the iPhone
    -  Jailbroken devices
    -  iTunes backup files
Forensic Soundness

 •  What did it mean for disk forensics?
 •  Does it mean the same thing for mobile devices?
 •  Mobile devices are volatile by nature
     –  The real-time clock changes in memory all the time
     –  Acquiring SMS messages may change their status to "Read"
     –  Some tools run code on the device itself!
 •  Our goal is to change as little as possible
     –  For example, disable automatic sync when using BlackBerry Desktop
        Manager, and disable conversion to local time in ABC Amber Converter
Evidence Take-In and Chain of Custody

•  Document the scene
   –  Handle with care, and with gloves!
   –  For the Chain of Custody form, find the serial number
   –  Don't forget MicroSD cards!
   –  Photograph the device where it is found
   –  Document what is showing on the screen, if anything
   –  Power concerns
   –  Take cables and documentation
Blocking Network Connectivity

 •  Disable the radio
     –  How can you be sure it's disabled?
 •  Faraday isolation
     –  Not all products are created equal!
     –  Usually causes the battery to be depleted more quickly
 •  Use a "safe" SIM card
 •  Remember, you want to turn off the phone's connectivity to the
    service provider, as well as its Wi-Fi and Bluetooth connectivity

 •  Exercise: Disable network connectivity on your own phone.
•  What
    –  Phone call database
    –  E-mail and memos
    –  SMS/MMS
    –  Internet and LAN access
    –  Visited URLs and saved pages
•  Where
    –  Location information
•  Who
    –  Owner details and user accounts
    –  Contacts and cohorts
    –  Personalizations (wallpaper, ringtones)
•  When
    –  Calendar items
    –  File system metadata
    –  Timestamps may not be immediately visible
Messaging

 •  Short message service (SMS)
 •  Multimedia message service (MMS)
 •  Instant messaging
 •  BlackBerry
     –  PIN messages
     –  BlackBerry IM
Internet Activities

 •  Downloaded images and web pages
 •  E-mail
 •  Visited URLs
 •  History log
 •  Browser cache
Location Tracking

 •  Location-based applications
     –  Loopt
     –  Google Latitude
     –  Yahoo! Fire Eagle
     –  Citysense
     –  LifeBlog
     –  Facebook (Friends on Fire)
     –  Foursquare
     –  Twitter
GPS Embedded in Photos

 •  GPS coordinates embedded in Exif
 •  The same Exif we talked about for disk forensics
 •  This is often added automatically if the phone is GPS-aware.
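As an added example (not from the slides), the Python below reads the GPS coordinates that Exif stores: it walks a JPEG's APP1 "Exif" segment, follows the TIFF GPS IFD, and converts the degrees/minutes/seconds rationals plus the N/S/E/W reference into signed decimal degrees. `build_sample_jpeg` constructs a minimal test image with made-up coordinates, since no real photo is on the page; real photos from a GPS-aware phone can be fed to `gps_from_jpeg` the same way.

```python
import struct

# Standard Exif 2.x tag numbers and TIFF field types used below.
TAG_GPS_IFD = 0x8825
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
ASCII, LONG, RATIONAL = 2, 4, 5


def exif_from_jpeg(jpeg: bytes):
    """Walk the JPEG segment headers and return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start-of-scan: no more metadata
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        segment = jpeg[pos + 4: pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return segment[6:]
        pos += 2 + length
    return None


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8: base + 12])
    return entries


def _value(tiff, endian, typ, n, raw):
    """Decode one IFD entry; values wider than 4 bytes live at the offset held in raw."""
    if typ == ASCII:
        if n > 4:
            off = struct.unpack(endian + "I", raw)[0]
            raw = tiff[off:off + n]
        return raw[:n].rstrip(b"\x00").decode("ascii", "replace")
    if typ == LONG:
        return struct.unpack(endian + "I", raw)[0]
    if typ == RATIONAL:
        off = struct.unpack(endian + "I", raw)[0]
        words = struct.unpack_from(endian + "I" * (2 * n), tiff, off)
        return [(words[2 * i], words[2 * i + 1]) for i in range(n)]
    return None                              # other types are not needed for GPS


def dms_to_decimal(rationals, ref):
    """Degrees/minutes/seconds rationals plus N/S/E/W reference -> signed decimal degrees."""
    deg, minutes, sec = (num / den for num, den in rationals)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, _value(tiff, endian, *ifd0[TAG_GPS_IFD]), endian)
    fields = {GPS_TAGS[t]: _value(tiff, endian, *gps[t]) for t in gps if t in GPS_TAGS}
    if len(fields) < 4:
        return None
    return (dms_to_decimal(fields["GPSLatitude"], fields["GPSLatitudeRef"]),
            dms_to_decimal(fields["GPSLongitude"], fields["GPSLongitudeRef"]))


def gps_from_jpeg(jpeg: bytes):
    """Convenience wrapper: JPEG bytes -> (lat, lon) or None."""
    tiff = exif_from_jpeg(jpeg)
    return extract_gps(tiff) if tiff else None


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed JPEG carrying only an Exif GPS IFD (little-endian TIFF), for testing."""
    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)
    gps_off, lat_off, lon_off = 26, 80, 104   # header 8 + IFD0 18 + GPS IFD 54 + 24-byte rationals
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, LONG, 1, gps_off) + b"\x00" * 4
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, ASCII, 2) + lat_ref.encode() + b"\x00" * 3
    gps += struct.pack("<HHII", 2, RATIONAL, 3, lat_off)
    gps += struct.pack("<HHI", 3, ASCII, 2) + lon_ref.encode() + b"\x00" * 3
    gps += struct.pack("<HHII", 4, RATIONAL, 3, lon_off)
    gps += b"\x00" * 4
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed sample: 13 deg 45' 14.4" N, 100 deg 30' 7.2" E
    sample = build_sample_jpeg([(13, 1), (45, 1), (144, 10)], "N", [(100, 1), (30, 1), (72, 10)], "E")
    print(gps_from_jpeg(sample))
```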
Think Outside the Device

•  Past usage information
    –  Network service provider records
    –  Look for paper bills
•  Detailed history of usage
    –  Date and duration of calls
    –  Numbers called
    –  SMS messages sent (no content retained)
•  The NSP maintains detailed records
    –  Calling IMSI and IMEI
    –  Called IMSI and IMEI
    –  Location: first and last cell
    –  Charging details
iPhone Forensics with Jailbroken Devices
Zdziarski Technique

•  Step by step
   •  Jailbreak
   •  Forensic acquisition
       •  SSH connection
       •  Create an image using the dd command
       •  Transfer the image using netcat (dd image via netcat)
   •  Use scalpel to carve data from the image
Zdziarski Technique

•  Example commands

   On the examiner's machine, start the netcat listener first so it is waiting when dd begins:

   andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

   On the iPhone, over SSH, remount the user partition read-only and stream it out:

   andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2
   root@192.168.0.2's password:

   -sh-3.2# cd /
   -sh-3.2# umount -f /private/var
   -sh-3.2# mount -o ro /private/var
   -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000
Bypass Passcode
•  Tools: DiskAid, iPhone Explorer
•  Delete this file to bypass the passcode (the file is shown in the slide screenshot, which is not reproduced here)
iPhone System Path
What Can Be Recovered?
•  Contacts
•  Calendar events
•  SMS
•  Facebook application
•  Geo-location cache
iPhone Forensics with iTunes Backup Files
SYNC and Backup

•  After activation, a sync is conducted whenever the iPhone is connected to the computer
•  The user can define what is to be synced, including:
    •  Music
    •  Photos
    •  Ringtones
    •  Contacts & calendars
    •  Podcasts
    •  Video
    •  Third-party applications

•  Third-party applications can initiate the use of the iPhone as a file storage device
SYNC and Backup

•  Backup data location
   •  Windows XP
      •  C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup
   •  Windows 7
      •  C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup
   •  Mac OS X
      •  /Users/(username)/Library/Application Support/MobileSync/Backup/
SYNC and Backup

•  Backup folder files
   •  Many .mdbackup files
       •  Each file is named with a SHA-1 hash assigned when the file is backed up from the
          iPhone; the data is serialized off the iPhone and stored as the backup file
   •  Status.plist
       •  Status of the last sync
   •  Manifest.plist
       •  List of all files backed up, with modification time and hash signature
   •  Info.plist
       •  Information about the iPhone (name, ICCID, IMEI, number, firmware version)
.mdbackup files

   •  Safari history & bookmarks
   •  Photos (phone & synced iPhoto)
   •  Sent & received SMS
   •  Calendar events
   •  Notes
   •  Address book entries
   •  Call history
   •  Cookies
   •  Google Maps history
   •  E-mail account settings
   •  YouTube last search, last viewed & bookmarks data
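To connect the hashed file names in the backup folder with the artifacts listed above, here is an added Python example (not from the slides): it recomputes a backup file's name as the SHA-1 of the iPhone-side "domain-relative path" string and labels the entries in a backup folder it recognises. The `KNOWN_FILES` domain/path table is a constructed assumption about where the iPhone of that era kept these databases, and the suffix handling covers both `.mdbackup`/`.mdinfo` names and bare hashes.

```python
import hashlib
import os

# Constructed table of iPhone files an examiner typically looks for in an iTunes
# backup, keyed by a friendly label. Each value is the (domain, path) pair that
# iTunes hashes to name the backup file (assumption: these match the iPhone
# layout of the era the slides describe).
KNOWN_FILES = {
    "SMS database": ("HomeDomain", "Library/SMS/sms.db"),
    "Address book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "Call history": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "Safari history": ("HomeDomain", "Library/Safari/History.plist"),
    "Notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}


def backup_file_name(domain: str, relative_path: str) -> str:
    """Backup file name for one iPhone file: SHA-1 over "<domain>-<relative path>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def hash_lookup() -> dict:
    """Reverse map: 40-hex-character backup file name -> friendly label."""
    return {backup_file_name(domain, path): label
            for label, (domain, path) in KNOWN_FILES.items()}


def identify_backup_entries(entries) -> dict:
    """Label the recognisable files among a list of backup-folder entry names.

    Older backups suffix the hash with .mdbackup/.mdinfo, so the match is made on
    the part of the name before the first dot; plist files simply fall through.
    """
    lookup = hash_lookup()
    found = {}
    for entry in entries:
        stem = entry.split(".", 1)[0].lower()
        if stem in lookup:
            found[lookup[stem]] = entry
    return found


def scan_backup_folder(path: str) -> dict:
    """Apply identify_backup_entries to a real backup folder on disk."""
    return identify_backup_entries(os.listdir(path))


if __name__ == "__main__":
    # Constructed folder listing: one recognised hash plus the usual plist files.
    listing = [backup_file_name("HomeDomain", "Library/SMS/sms.db") + ".mdbackup",
               "Info.plist", "Manifest.plist", "Status.plist"]
    print(identify_backup_entries(listing))
```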
Forensic Analysis Tools for Backup Files

 •  iPhone Backup Extractor
 •  iPhone Backup Analyzer
 •  MobileSyncBrowser
 •  MDBackupExtract
 •  WOLF - Sixth Legion
 •  Device Seizure - Paraben
Unprotected Backup Files
Protected Backup Files
Elcomsoft Phone Password Breaker

•  Brute-force the backup password with a GPU
Keychain Explorer #1
Keychain Explorer #2
iPhone Backup Extractor
iPhone Backup Analyzer
http://www.TISA.or.th
Copyright © 2012 TISA and its respective author
(Thailand Information Security Association)

Please contact: varapong@acisonline.net
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 

Recently uploaded (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 

Tisa mobile forensic

1. Mobile/Smart Phone Forensic
Watcharaphon Wongaphai, Senior Information Security Instructor (GIAC GCFA, SSCP, E|SCA, C|EH, CNE6, Security+, Network+, CCNA)
Prathan Phongthiproek, Section Manager, Senior Information Security Consultant (GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F)
ACIS Professional Center

2. Outline
1) Introduction to Mobile Forensics
2) Forensic Analysis of the iPhone
   – Jailbroken device
   – iTunes backup files

3. Forensic Soundness
• What did it mean for disk forensics?
• Does it mean the same thing here?
• Mobile devices are volatile by nature
   – The real-time clock changes memory contents all the time
   – Acquiring SMS messages may change their status to "Read"
   – Some tools run code on the device itself!
• Our goal is to change as little as possible
   – For example, disable automatic sync when using BlackBerry Desktop Manager, and disable conversion to local time in ABC Amber Converter

4. Evidence Take-In and Chain of Custody
• Document the scene
   – Handle with care, and with gloves!
   – For the chain-of-custody form, find the serial number
   – Don't forget MicroSD cards!
   – Photograph the device where it is found
   – Document what is showing on the screen, if anything
   – Power concerns
   – Take cables and documentation

5. Blocking Network Connectivity
• Disable the radio
   – How can you be sure it is disabled?
• Faraday isolation
   – Not all products are created equal!
   – Usually causes the battery to be depleted more quickly, because the phone keeps searching for a network
• Use a "safe" SIM card
• Remember, you want to cut the phone's connectivity to the service provider as well as its Wi-Fi and Bluetooth connectivity
• Exercise: disable network connectivity on your own phone.

6. What / Where
• What
   – Phone call database
   – E-mail and memos
   – SMS/MMS
   – Internet and LAN access
   – Visited URLs and saved pages
• Where
   – Location information

7. Who / When
• Who
   – Owner details and user accounts
   – Contacts and cohorts
   – Personalizations (wallpaper, ringtones)
• When
   – Calendar items
   – File system metadata
   – Timestamps may not be immediately visible

8. Messaging
• Short Message Service (SMS)
• Multimedia Messaging Service (MMS)
• Instant messaging
• BlackBerry
   – PIN messages
   – BlackBerry IM

9. Internet Activities
• Downloaded images and web pages
• E-mail
• Visited URLs
• History log
• Browser cache

10. Location Tracking
• Location-based applications
   – Loopt
   – Google Latitude
   – Yahoo! Fire Eagle
   – Citysense
   – LifeBlog
   – Facebook (Friends on Fire)
   – Foursquare
   – Twitter

11. GPS Embedded in Photos
• GPS coordinates embedded in Exif
• The same Exif we talked about for disk forensics
• This is often added automatically if the phone is GPS-aware.
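The slide says where the coordinates live but not how to get them out. The following is an added example, not code from the deck: a minimal Exif parser that walks the JPEG APP1 segment to the GPS IFD, decodes the RATIONAL degree/minute/second triples and applies the N/S and E/W reference tags. It embeds its own constructed JPEG (an Exif header with a GPS IFD and no image data) so it runs without a real photo; the coordinate values in it are made up.

```python
"""Pull GPS coordinates out of the Exif APP1 segment of a JPEG (added example)."""
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _read_ifd(tiff, endian, offset):
    """Map tag -> (type, count, 4 raw value-or-offset bytes) for one IFD."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, entry):
    """RATIONALs (8 bytes each) never fit inline, so the entry holds an offset."""
    typ, count, raw = entry
    if typ != TYPE_RATIONAL:
        raise ValueError("expected RATIONAL")
    (off,) = struct.unpack(endian + "I", raw)
    vals = []
    for i in range(count):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def _ascii(entry):
    """Short ASCII values (the 'N'/'S'/'E'/'W' refs) are stored inline."""
    typ, count, raw = entry
    return raw[:count].rstrip(b"\x00").decode("ascii")


def dms_to_decimal(dms, ref):
    d, m, s = (list(dms) + [0.0, 0.0, 0.0])[:3]
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def gps_from_jpeg(data):
    """Return (lat, lon) in decimal degrees, or None if there is no GPS IFD."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == 0xFFE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = data[pos + 10:pos + 2 + length]   # length counts itself, not the marker
            break
        if marker in (0xFFDA, 0xFFD9):               # image data / end: no more metadata
            return None
        pos += 2 + length
    if tiff is None:
        return None
    if tiff[:2] == b"II":
        endian = "<"
    elif tiff[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("bad TIFF byte-order mark")
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, endian, ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, endian, gps_off)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = dms_to_decimal(_rationals(tiff, endian, gps[GPS_LAT]), _ascii(gps[GPS_LAT_REF]))
    lon = dms_to_decimal(_rationals(tiff, endian, gps[GPS_LON]), _ascii(gps[GPS_LON_REF]))
    return lat, lon


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a JPEG shell whose only segment is an Exif APP1 with a GPS IFD.
    dms values are (numerator, denominator) pairs for degrees, minutes, seconds."""
    e = "<"                                   # little-endian TIFF ("II")
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 1 * 12 + 4       # IFD0: count, one entry, next-IFD link
    rat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD: count, four entries, next-IFD link
    rat = lambda pairs: b"".join(struct.pack(e + "II", n, d) for n, d in pairs)
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_off)
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI", GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\x00" * 3
           + struct.pack(e + "HHII", GPS_LAT, TYPE_RATIONAL, 3, rat_off)
           + struct.pack(e + "HHI", GPS_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\x00" * 3
           + struct.pack(e + "HHII", GPS_LON, TYPE_RATIONAL, 3, rat_off + 24)
           + struct.pack(e + "I", 0))
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Usage: `gps_from_jpeg(open("IMG_0001.JPG", "rb").read())` on a real photo; `build_sample_jpeg(((13, 1), (45, 1), (1752, 100)), "N", ((100, 1), (30, 1), (2250, 100)), "E")` produces the constructed sample, which decodes to roughly 13.7549, 100.5063. Note that the parser deliberately does not use the image library of the host: reading Exif with a general-purpose image library can rewrite or normalise the metadata, which is exactly what the forensic-soundness slide warns against.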
12. Think Outside the Device
• Past usage information
   – Network service provider records
   – Look for paper bills
• Detailed history of usage
   – Date and duration of calls
   – Numbers called
   – SMS messages sent (no content retained)
• The NSP maintains detailed records
   – Calling IMSI and IMEI
   – Called IMSI and IMEI
   – Location: first and last cell
   – Charging details

13. iPhone Forensics with a Jailbroken Device

14. Zdziarski Technique
• Step by step:
   – Jailbreak
   – Forensic acquisition
   – SSH into the device (figure: SSH connection)
   – Create an image using the dd command
   – Transfer the image using netcat (figure: dd image via netcat)
   – Use scalpel to carve data

15. Zdziarski Technique
• Example commands (examiner workstation 192.168.0.1, jailbroken iPhone 192.168.0.2). On the device:

   andrew-hoogs-mac:~ ahoog$ ssh -l root 192.168.0.2
   root@192.168.0.2's password:
   -sh-3.2# cd /
   -sh-3.2# umount -f /private/var
   -sh-3.2# mount -o ro /private/var
   -sh-3.2# /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.0.1 7000

   On the workstation, started before the dd command is issued so that the listener is already waiting:

   andrew-hoogs-mac:Desktop ahoog$ nc -l 7000 | dd of=./rdisk0s2 bs=4096

• Remounting /private/var read-only keeps the user data partition from changing while rdisk0s2 is imaged; dd and netcat run on the device itself, which is the trade-off the forensic-soundness slide mentions.
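The nc | dd one-liner above writes the image but gives no integrity check, and the listener must be up before the device starts sending. The following added example (in Python so it runs here; it is not code from the deck or from Zdziarski) plays the examiner side of that transfer: it binds the port first, streams the connection to disk while computing SHA-1, and then carves JPEGs out of the image by header and footer, which is the job the slide hands to scalpel. The "device" is a thread sending a constructed block of bytes over loopback; in practice the device runs the dd | nc command from the slide, and the hash to compare against is one taken on the device (assumed here to be a sha1 over /dev/rdisk0s2).

```python
"""Examiner-side receiver for dd | nc, with SHA-1 and JPEG carving (added example)."""
import hashlib
import os
import socket
import tempfile
import threading


class ImageReceiver:
    """Bind first (so the listener exists before the device runs dd), then run()."""

    def __init__(self, out_path, host="127.0.0.1", port=0):
        self.out_path = out_path
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        """Accept one connection, stream it to disk, return (bytes_written, sha1_hex)."""
        sha1, total = hashlib.sha1(), 0
        conn, _ = self.sock.accept()
        with conn, open(self.out_path, "wb") as out:
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                out.write(chunk)
                sha1.update(chunk)
                total += len(chunk)
        self.sock.close()
        return total, sha1.hexdigest()


JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_jpegs(image_path, max_size=8 * 1024 * 1024):
    """scalpel-style header/footer carving: each SOI marker opens a candidate, the first
    EOI within max_size closes it. Returns [(offset, bytes)]. Like scalpel, it cannot tell
    an embedded thumbnail's EOI from the real one; that is a known limit of the method."""
    with open(image_path, "rb") as f:
        data = f.read()                        # fine for a demo; mmap a real image
    found, pos = [], data.find(JPEG_SOI)
    while pos != -1:
        end = data.find(JPEG_EOI, pos + 3, pos + max_size)
        if end == -1:
            pos = data.find(JPEG_SOI, pos + 3)
            continue
        found.append((pos, data[pos:end + 2]))
        pos = data.find(JPEG_SOI, end + 2)
    return found


def build_fake_partition():
    """Constructed stand-in for /dev/rdisk0s2: filler with two JPEG-shaped blobs in it."""
    jpg1 = b"\xff\xd8\xff\xe0" + b"JFIF-one" * 4 + b"\xff\xd9"     # 38 bytes
    jpg2 = b"\xff\xd8\xff\xe1" + b"Exif-two" * 8 + b"\xff\xd9"     # 70 bytes
    return b"\x00" * 4096 + jpg1 + b"\x11" * 1000 + jpg2 + b"\x00" * 500


def demo():
    """Run the whole exchange on loopback; the 'device' sends in 4096-byte blocks."""
    payload = build_fake_partition()
    device_hash = hashlib.sha1(payload).hexdigest()   # stands in for a hash taken on the device
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "rdisk0s2")
        rx = ImageReceiver(out)                       # listener is up before the sender starts

        def device_side():
            with socket.create_connection(("127.0.0.1", rx.port)) as c:
                for i in range(0, len(payload), 4096):     # bs=4096, as in the dd command
                    c.sendall(payload[i:i + 4096])

        t = threading.Thread(target=device_side)
        t.start()
        size, received_hash = rx.run()
        t.join()
        carved = carve_jpegs(out)
    return {
        "size": size,
        "hash_ok": received_hash == device_hash,
        "carved": [(off, len(blob)) for off, blob in carved],
    }
```

A mismatch between the received hash and the device-side hash means the image cannot be relied on (a dropped connection truncates the stream silently, and nc reports nothing); the size returned by run() should also equal the partition size reported on the device.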
19. iPhone Explorer
• Delete this file to bypass the passcode

21. What can be recovered?

24. SMS

30. iPhone Forensics with iTunes Backup Files

31. Sync and Backup
• After activation, a sync is conducted whenever the iPhone is connected to the computer
• The user can define what is to be synced, including:
   – Music
   – Photos
   – Ringtones
   – Contacts and calendars
   – Podcasts
   – Video
   – Third-party applications
• Third-party applications can initiate the use of the iPhone as a file storage device

32. Sync and Backup
• Backup data location
   – Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
   – Windows 7: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
   – Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/

33. Sync and Backup
• Backup folder files
   – Many .mdbackup files
   – Each file is named with the SHA-1 hash computed when it was backed up from the iPhone; the data is serialized off the iPhone and stored as the backup file
   – Status.plist: status of the last sync
   – Manifest.plist: list of all files backed up, with modification time and hash signature
   – Info.plist: information about the iPhone (name, ICCID, IMEI, phone number, firmware version)
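Two things an examiner does first with a backup folder are to copy the device identifiers from Info.plist onto the chain-of-custody form (the serial number and IMEI the take-in slide asks for) and to find the handful of files worth looking at among hundreds of hash-named ones. The following is an added example, not code from the deck or from any of the tools listed later. It assumes the documented naming convention that the backup file name is the SHA-1 of the string "Domain-RelativePath" (for example HomeDomain-Library/SMS/sms.db), with or without the .mdbackup/.mddata extension depending on iTunes version. The backup it inspects is constructed in a temporary directory with made-up identifiers.

```python
"""Triage an iTunes backup folder: custody identifiers plus artifact lookup (added example)."""
import datetime
import hashlib
import os
import plistlib
import tempfile

ARTIFACTS = {   # domain-path strings iTunes hashes into file names (publicly documented)
    "sms": "HomeDomain-Library/SMS/sms.db",
    "address_book": "HomeDomain-Library/AddressBook/AddressBook.sqlitedb",
    "call_history": "WirelessDomain-Library/CallHistory/call_history.db",
}
CUSTODY_KEYS = ("Device Name", "Serial Number", "IMEI", "ICCID", "Phone Number",
                "Product Version", "Last Backup Date")
SUFFIXES = ("", ".mdbackup", ".mddata")   # extensionless on newer iTunes, suffixed on older


def backup_file_name(domain_path):
    """Assumed convention: SHA-1 over the 'Domain-RelativePath' string, hex encoded."""
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def triage_backup(backup_dir):
    """Return device identifiers from Info.plist and, per artifact, the backup file and its hash."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    device = {k: info.get(k) for k in CUSTODY_KEYS}
    artifacts = {}
    for name, domain_path in ARTIFACTS.items():
        base = backup_file_name(domain_path)
        hit = next((base + s for s in SUFFIXES
                    if os.path.exists(os.path.join(backup_dir, base + s))), None)
        if hit is None:
            artifacts[name] = None          # not backed up, or a different naming scheme
        else:
            artifacts[name] = {"file": hit, "sha1": sha1_of_file(os.path.join(backup_dir, hit))}
    return {"device": device, "artifacts": artifacts}


def build_sample_backup(backup_dir):
    """Constructed backup: an Info.plist with made-up identifiers and one artifact file."""
    info = {
        "Device Name": "Example iPhone",
        "Serial Number": "EXAMPLESERIAL",
        "IMEI": "000000000000000",
        "ICCID": "00000000000000000000",
        "Phone Number": "+66 00 000 0000",
        "Product Version": "4.3.3",
        "Last Backup Date": datetime.datetime(2012, 1, 1, 0, 0, 0),
    }
    with open(os.path.join(backup_dir, "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    sms_name = backup_file_name(ARTIFACTS["sms"]) + ".mdbackup"
    with open(os.path.join(backup_dir, sms_name), "wb") as f:
        f.write(b"SQLite format 3\x00" + b"\x00" * 48)   # stand-in for sms.db content
    return sms_name


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        return triage_backup(tmp)
```

Run `triage_backup` against a real folder under the paths given on the previous slide and record the returned hashes alongside the device identifiers; if every artifact comes back as None, the backup uses a naming or container scheme this lookup does not cover (for instance an encrypted backup, where the file names are unchanged but the contents are not readable without the password).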
34. .mdbackup files
• Safari history and bookmarks
• Photos (taken on the phone and synced from iPhoto)
• Sent and received SMS
• Calendar events
• Notes
• Address book entries
• Call history
• Cookies
• Google Maps history
• E-mail account settings
• YouTube last search, last viewed and bookmarks data

35. Forensic Analysis Tools for Backup Files
• iPhone Backup Extractor
• iPhone Backup Analyzer
• MobileSyncBrowser
• MDBackupExtract
• WOLF (Sixth Legion)
• Device Seizure (Paraben)

39. Elcomsoft Phone Password Breaker
• Brute-forces the backup password with GPU acceleration

48. http://www.TISA.or.th
Copyright © 2012 TISA (Thailand Information Security Association) and its respective author. Please contact: varapong@acisonline.net